I don’t hear much about the current status of Spectre and Meltdown lately, and I am not going to pretend that I am an expert on these topics. I will say, it has been marketed very well. Out of curiosity, I periodically check the status of the vulnerabilities on my machines. I am running openSUSE Tumbleweed snapshot 20180410 with Linux kernel 4.16.0-1-default at the time of writing.
Since I have trouble remembering the exact command, I tend to just scroll through my bash history to find it. To make my life easier, here it is:
grep . /sys/devices/system/cpu/vulnerabilities/*
This is what my machine says:
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
If you run this on your Linux machine and the directory does not exist at all (no meltdown, spectre_v1 or spectre_v2 entries), your kernel is hugely out of date and in desperate need of updating: the vulnerabilities directory was added in Linux 4.15 and backported to the older stable kernels shortly afterwards. Also note the difference between the three kinds of answer a file can give. "Mitigation: ..." means the kernel has a workaround active, "Not affected" means the CPU does not have the flaw, and "Vulnerable" means the kernel knows about the flaw and currently has nothing in place against it. Newer kernels add further entries as more flaws of this class are found, so expect more than three lines over time.
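As an added example (my own helper, not part of the original post), here is a small POSIX shell function that wraps the grep above into an actual check: it prints each entry with a short verdict, exits 1 if anything is still reported as "Vulnerable", and exits 2 if the sysfs directory is missing entirely, which is the "kernel too old" case. The directory argument and the script name check_vulns.sh are assumptions for illustration; with no argument it reads the real sysfs path.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise the kernel's
# /sys/devices/system/cpu/vulnerabilities/* status files.
#
# Exit status: 0 = nothing reported as Vulnerable
#              1 = at least one entry is Vulnerable
#              2 = directory missing (kernel predates the sysfs interface)
#
# Usage: check_vulns [DIR]   (DIR is an assumed knob for testing;
#                            it defaults to the real sysfs path)

check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the vulnerabilities sysfs interface" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip a literal '*' on an empty dir
        name=$(basename "$f")
        status=$(cat "$f")               # one line per file; cat strips the newline
        case "$status" in
            Vulnerable*)    tag="VULNERABLE"; rc=1 ;;   # e.g. "Vulnerable" or "Vulnerable: ..."
            Mitigation:*)   tag="mitigated" ;;
            "Not affected") tag="not affected" ;;
            *)              tag="unknown" ;;           # anything else the kernel may add later
        esac
        printf '%-12s %-13s %s\n' "$name" "$tag" "$status"
    done
    return $rc
}

# Only run against the real sysfs tree when saved and executed as
# check_vulns.sh (an assumed file name); sourcing the file just
# defines the function.
case "$0" in
    */check_vulns.sh|check_vulns.sh) check_vulns "$@" ;;
esac
```

Save it as check_vulns.sh and run it directly, or source it and call check_vulns from another script; the exit code makes it usable from a cron job or a fleet-wide SSH loop.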
The reality is, there isn’t likely going to be a fully secure fix for Spectre and Meltdown in software. The output from the status files uses the word mitigation on purpose. It got me thinking, what does mitigation really mean?
According to Dictionary.com:
Lessening the intensity of something unpleasant… I once thought of computers as something you could truly secure, but the reality is, the only secure piece of equipment is one you can’t access at all. Anything that can execute code is going to be vulnerable to some degree, and whether it is Linux, Windows or Mac OS, they all have their vulnerabilities; Linux just happens to have fewer.
I appreciate all the work of the Linux kernel team in responding to the recently discovered hardware flaws in modern CPUs. Whether they are Intel, AMD or ARM (and others?), more permanent hardware fixes won’t be in place for some time, and in any complex system there will always be bugs. The most responsible thing to do, as a user, is to keep your systems updated, know what you are installing, don’t click on sketchy things, and perform offline backups of your data.