How to ensure Mint is secure from Spectre & Meltdown?

[jameskga]

From my reading I understand Spectre & Meltdown require at least a two-fold response: Hardware (firmware update) and software (OS)

While I wait for my motherboard manufacturer to release their update (skeleton.jpg), I know Windows automagically applied their mystical patches behind my back, and I understand the linux kernel addresses the issue in its own regard, where I could at least see the item being downloaded and installed as I gave permission.

But someone on the EVE Online forums told me Intel maintains the microcode for Linux as though they're some kind of benevolent force of open source altruism. Maybe they are. They were referring, of course, to what we see in the Driver Manager window on Mint. They said Intel maintains that like champions.



So I searched, and this is what I found:

According to the following site, intel-microcode (open-source) was updated to Version 3.20180108.0-ubuntu16.04.2 to address Spectre.
https://usn.ubuntu.com/usn/usn-3531-1/

Cool, right? That means they at least addressed Spectre and patched the open source intel-microcode included in many Mint installations on Intel chips.

Only thing is, several people on this board have strongly suggested users do NOT enable this processor microcode if they don't need to. That is to say, they make it sound like you're either wasting your time doing so, or could potentially brick your system. It's been made on these forums to sound like if you switch over to this driver, you are making a potentially fatal error in judgment and you're a complete n00b for trying it without a computer science degree. But to me, it seems absolutely imperative that I switch to this driver because it was released specifically in response to Spectre. I will switch to it after writing this post. And then if what the old guard around here warns me is true, I'll be purchasing a new system (lol).

So now I wonder, will consensus change? Shouldn't EVERYONE now be instructed to open Driver Manager and switch to this intel-microcode driver? Or was the change to the Linux kernel that was included in Software Manager enough to remedy this security hole? Or do we need some combination of the two? Is Meltdown still a threat, since only Spectre was mentioned? Or did the kernel update mitigate both threats?

I'd love to hear your thoughts.

[thx-1138]

Quite a few misconceptions - but you are correct in that it takes a multi-layered approach. In a simple diagram:
-> BIOS -> (Microcode) -> Kernel -> Recompiled and/or 'corrected' packages (aka. userland)

Intel 'maintains' the microcode in general, regardless of OS, because it's meant for their own products / processors. Yes, in a sense, you could say that they are 'kind enough' to supply us with such. On another context, you could equally also claim that they are required to supply such, since they're selling us their products in the first place (and even more since security updates are needed from time to time as it happens in the current situation).
To keep it short, 'benevolent force of open source altruism' i certainly wouldn't call them to speak off (although they do contribute in the kernel lots of code for their own reasons). The microcode itself is not open source & will most likely never be. It doesn't even come with a proper changelog: no one knows exactly what goes inside them.

Intel's microcode is already contained in your BIOS (...UEFI nowadays). The suggested & recommended method even by microcode's packagers themselves is to update the BIOS. However, a newer BIOS update might not be available for your system from your vendor, hence comes microcode as a simpler solution: it gets loaded from the kernel each time the machine boots & corrects / enhances the processors' behavior.

The reason some people say to be cautious about it is exactly because it alters the execution of instructions. There's always a good chance it won't behave correctly / as expected, and people not being very technically inclined might not notice it or know what to do. If i was to make an over-simplistic comparison, maybe kinda think of it like installing an extra proprietary driver: theoritically, the company responsible made the tests required in the lab, but in real life '...you never know...'
For the record, in my Mint 18.3 installation, the latest microcode was offered as a Level 2 update.

In regards to the title now, "how to ensure"...to keep it as short as possible:
1) Keep an eye for an updated BIOS from your vendor.
2) If such isn't available / an option, install the latest microcode, chances are it will still mitigate the dangers. Run dmesg | grep microcode after installing it: if it reports a date at least newer than 2017-06-01, it means that the package included patches for your processor. If it reports an older date, a newer microcode update at some later point might still provide support & fixes for it.
3) Keep your kernel updated per instructions here. If / when newer required kernels get released, it's 110% certain that some notice & instructions will be provided around here. Spectre hasn't been patched yet on Canonical's kernels, only Meltdown.
4) Last but certainly not least, make sure to have installed the latest versions of the browsers you're using, and (obviously) that they are regularly updated via Update Manager...

[Moem]

4) Last but certainly not least, make sure to have installed the latest versions of the browsers you're using, and (obviously) that they are regularly updated via Update Manager...

... or in a different way, as long as they're regularly updated.
For example, Pale Moon and Waterfox have their own updating systems. They are both invulnerable against Spectre.

Apart from this addition, thank you for this clear and thorough explanation!

[Deadtroopers]

Driver Manager reports Version 3.20180108.0-ubuntu16.04.2 in use. Running dmesg | grep microcode returns 'date = 2013-06-017'. I don't think that is terribly useful.

[jameskga]

Dude, excellent responses. Thank you guys so much. I have just two more questions.

The microcode itself is not open source & will most likely never be. It doesn't even come with a proper changelog: no one knows exactly what goes inside them.

1) Do you think the driver is mislabeled 'open-source' in Driver Manager?



Could it be I am thinking of the wrong microcode, or maybe the wrong instance of this term, or something like that?

2) In his latest response, Deadtroopers suggests the microcode listed in Driver Manager is out-of-date or useless. I don't know whether that's true, but let's say hypothetically it is true (and add to our hypothetical Canonical patched the kernel to beat both Spectre and Meltdown): Does running deprecated microcode break threat protections provided in the kernel? Or to phrase the question another way, would running bunk microcode override or contradict those protections, reopening security risks?

[thx-1138]

The Driver Manager indeed has a small glitch & mislabels intel-microcode as open source.

It is always the newest microcode that gets loaded: if the BIOS has a newer version included / 'embedded' within it, the kernel will simply ignore an older dated manually installed intel-microcode package. Ie. to simplify this: the system will always use the newest one available, regardless of where it finds it.

Now, say for example in the above case, where the date returned is 2013-06-17:
it is useless in that in won't protect from Spectre - being that old, it obviously doesn't contain fixes for it.
There is no guarantee whatsoever that Intel will release updated microcode for all older processors.
Yet, it is not useless however in at least the following 2 cases:
1) what was the actual version / date of the microcode that came by default with the BIOS before installing the microcode package? if it was earlier than that, then, it still fixes other past errata. if it is from the same date, so be it, no harm done whatsoever (it merely 'wastes' 2mb of disk size being installed)...
2) having it installed, even if it doesn't get loaded due to it's older date, still ensures that you automatically receive future updates (which as described above, they might or might not provide fixes for your processor...it all comes down to what Intel will decide to fix).

[jglen490]

I'm not sure one can "ensure" that Meltdown and Spectre won't hurt. Mitigate, yes. Diligence, yes. Ensure, not today.

It's a vulnerability, not an exploit - at least today.

This, like everything else pertaining to security, is mitigated by diligently applying patches to the OS and applications as they are made available. Keep yourself educated not only about the vulnerability, but also any exploits should they appear some day. Avoid panic, knee-jerk reactions, and fad approaches to "fixes".