14 DAY TRIAL // In an update published on Monday, Fedora Project informs users of the Fedora Linux operating system that it continues to work on mitigating the Meltdown and Spectre security vulnerabilities.
In the article, Laura Abbott, Fedora Kernel Engineer at Red Hat, explains what has been done until now to mitigate both Meltdown and Spectre attacks on supported Fedora Linux distributions. As Meltdown is easier to fix than Spectre, the KPTI (Kernel Page-table Isolation) patches have already reached the Fedora Linux repositories, but Indirect Branch Restricted Speculation (IBRS) patches for Spectre are on their way.
"The fixes for Meltdown are mostly underway. The Meltdown fix for x86 is KPTI. KPTI has been merged into the mainline Linux tree and many stable trees, including the ones Fedora uses," says Laura Abbott. "The IBRS patches are still under review and should be merged eventually but will not be available in time for [Linux] 4.15. When the IBRS patches are available, we will be backporting them to Fedora stable branches."
Retpoline kernel support is coming in the next few days
One of the solutions to mitigate one of the variants of the Spectre security vulnerability is to implement retpoline support in the kernel, which won't allow speculation by the CPU. Abbott says that Retpoline kernel support is coming in the next few days for all supported Fedora releases to provide users with a certain degree of protection against Spectre attacks, but there's a lot more to be done for a complete protection.
Users should keep in mind that the combination of IBRS and retpoline patches will only cover the second variant of Spectre vulnerability, as the first one doesn’t have a solution at the moment of writing, and, as one of the security researchers behind the discovery of Specter and Meltdown exploits said, "Spectre will hunt us for years." Meanwhile, you can check if your Linux PC is vulnerable to these exploits.
That's why we recommend keeping your computers up-to-date at all times. Fedora Project is dedicated to continually monitoring Spectre fixes and will bring them when they're ready. They are backed by Red Hat, which already patched its enterprise series of operating systems, stating earlier this month that these updates might have an impact on the performance of the affected machines.