This is another follow-up post on the Intel processor vulnerabilities. Yay. With more bad news. Yay!
Instead of a long build-up, I will just give you the point: 32 bit is broken
Well, is that really news? Not really. The real news is that Intel processors are broken - but you already know that. You also know that there are fixes around. Patches for the kernel. Disabling Intel(R) Hyper-Threading.
But what if you are running 32 bit x86 code?
We have a new page on the IPFire Web User Interface which shows the status of your hardware. For most people, this will be very blue like here. Most Intel processors are affected by all of them. If you are running an older Intel Atom processor you might have a dash of green in there, but generally every Intel CPU is affected by at least something.
These mitigations are not fixes. They literally mitigate the impact and make an attack virtually impossible. But there is still a very small likelihood that an attacker might be successful. That will never go away. The hardware is fundamentally broken.
The Lack of Mitigations on 32 bit architectures
In this post, I would like to highlight that when you are using a CPU that is affected by Meltdown, you won't have any mitigations for it when running IPFire in 32 bit mode. In short: it is not patched.
Why is that? The Linux kernel just doesn't have mitigations for it. Instead of talking about why that actually is, I would like to tell you the consequences of it: Your system is not secure. An attacker that is able to inject any code into the system will be able to run a Meltdown exploit, compromise your crypto material and become root.
This is by the way not a problem that is exclusive to IPFire. It affects all distributions.
As always, there is a bit of a workaround: If you are running into this problem, it is quite likely that you are running a modern processor, but with the 32 bit version of IPFire. The fix is to upgrade IPFire to 64 bit - which can only be done by re-installing the whole system (and restoring a backup of course).
If you have a processor that is affected by Meltdown but does not support 64 bit (not sure if they even exist), then the only solution is to throw that box away. It is no longer secure hardware and therefore won't run as a secure firewall.
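The decision above (reinstall as 64 bit, update the kernel, or retire the box) can be checked from a shell on the system itself. The script below is an added example, not IPFire's own code or its hardware-status page. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/meltdown (a kernel without that file is treated as "unknown", i.e. not known to be mitigated), that 64 bit capability is advertised by the "lm" flag in /proc/cpuinfo, and that `uname -m` reports the running kernel's architecture. The function names `meltdown_status`, `cpu_has_longmode` and `assess` are my own; paths are passed as arguments so the logic can be exercised against constructed sample files as well as the live system.

```shell
#!/bin/sh
# Added example (not IPFire project code): does this box need the
# "reinstall as 64 bit" treatment described in the post?
# All inputs are paths/strings so the check also runs on constructed samples.

# Print the kernel's own Meltdown status line ("Not affected",
# "Vulnerable" or "Mitigation: ..."), or "unknown" if the kernel is too
# old to expose the sysfs vulnerabilities directory at all.
meltdown_status() {
    vulndir="$1"
    if [ -r "$vulndir/meltdown" ]; then
        cat "$vulndir/meltdown"
    else
        echo "unknown"
    fi
}

# Return success if the first "flags" line of the cpuinfo file contains
# the "lm" (long mode) token, i.e. the CPU can run a 64 bit kernel.
cpu_has_longmode() {
    cpuinfo="$1"
    grep -E '^flags[[:space:]]*:' "$cpuinfo" | head -n 1 \
        | grep -qE '(^|[[:space:]])lm([[:space:]]|$)'
}

# Verdict. Exit codes: 0 nothing to do, 1 reinstall as 64 bit,
# 2 64 bit kernel lacks the mitigation (update the kernel),
# 3 the CPU cannot run 64 bit code at all (replace the hardware).
assess() {
    vulndir="$1"; cpuinfo="$2"; arch="$3"
    status=$(meltdown_status "$vulndir")
    case "$status" in
        "Not affected") echo "ok: CPU not affected by Meltdown"; return 0 ;;
        Mitigation:*)   echo "ok: kernel reports '$status'"; return 0 ;;
    esac
    # From here on the kernel reports Meltdown as unmitigated (or unknown).
    if [ "$arch" = "x86_64" ]; then
        echo "action: 64 bit kernel without Meltdown mitigation ($status): update the kernel"
        return 2
    fi
    if cpu_has_longmode "$cpuinfo"; then
        echo "action: 32 bit kernel on a 64 bit capable CPU, Meltdown unmitigated ($status): reinstall IPFire as 64 bit"
        return 1
    else
        echo "action: 32 bit only CPU, Meltdown unmitigated ($status): replace the hardware"
        return 3
    fi
}

# Stand-alone use against the live system: sh meltdown-check.sh --live
if [ "${1:-}" = "--live" ]; then
    assess /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo "$(uname -m)"
fi
```

The status file is trusted as the kernel's own verdict: "Mitigation: PTI" means the running kernel has page-table isolation enabled, while "Vulnerable" on an i686 kernel with an "lm" CPU is exactly the case the post is about. A missing file is deliberately not treated as safe.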
There you have it. Me telling you bad news again. There is nothing we can do for you here. It is your call now to become active and upgrade your installation. It might be painful, but you will have to do it.
The actual consequence for the IPFire project should be to pull the 32 bit version. That would be the right thing to do. It has become a second-class citizen in the Linux space and we have known for quite some time that this would happen. Fixes will be - if at all - rolled out only very very slowly. For us, that means that we have to do more work to make this happen and I am becoming less and less interested in doing that...
I am personally feeling very exhausted about this whole topic. The time that we have spent on researching the vulnerabilities, assessing how severe they are for IPFire and what we can do about them, and of course finally implementing and rolling out fixes, is time that is literally wasted and would have been better invested in other things.
It is being made worse by some actors who spread wrong information, only half the information to make a certain vendor look better when it actually is really bad. I have not seen a single article in the press that has shed light on the whole problem and in detail. It is only headlines these days.
For us it feels a lot like we are now all cleaning up after a profit-hungry corporation that had nothing else in their mind but making profit. Money, money, money. It's a rich man's world.
Now, it seems that those problems are making Intel even richer. People are throwing away old hardware and buying new hardware with exactly the same (or more) vulnerabilities. Some have to compensate for the loss of performance and add more servers. More profit again.
I do not want to give any recommendation on what to buy now. I can only say what I would do and maybe that is useful to some people. I would like to say that I would no longer buy Intel products. But where are the alternatives? If I had to replace my laptop, there are probably not many with an alternative processor. Servers traditionally come with Intel processors, too. So I would probably end up buying Intel again and patching the hell out of it, hoping that we won't find more vulnerabilities that require expensive mitigations.
But I of course expect more problems to be found in the future. Jumping ship to AMD might be worth a try. But the next vulnerability might hit them, too. Even other architectures like ARM are partly affected.
Rant Over
Thanks for still being with me. Here are the take-aways from this post:
- Intel processors are fundamentally broken. Mitigations are not fixes - no matter what their marketing tells you.
- If you are running IPFire on 32 bit and your processor supports 64 bit and is affected by one of these vulnerabilities, reinstall now.
- Now!