layout-3layout-6layout-1layout-top
NVIDIA Docs Hub   NVIDIA Networking   Networking Software  

Knowledge Base

layout-toplayout-6layout-1

Spectre and Meltdown Vulnerability Fixes

Issue

Patches are available to remedy these Spectre and Meltdown vulnerabilities:

Environment

  • This issue applies to Cumulus Linux 3.0.0 - 3.7.12 ESR only. Cumulus Linux 4.0.0 and later enable the Spectre and Meltdown patches by default.

Verified Platforms

NVIDIA has tested and verified that the patches are available for the following platforms; the resolution listed below applies to all supported platforms:

  • Dell Z9100-ON
  • Dell Z9264F-ON
  • Edgecore AS6712-32X
  • Edgecore  AS5712-54X
  • HPE Altoline 6940
  • HPE Altoline 6920
  • NVIDIA Spectrum

Resolution

NVIDIA applied the patches to the Cumulus Linux 3.7.4 kernel and later releases, but disabled them by default in the 3.7.x branch. NVIDIA disabled them because, although NVIDIA has done extensive testing, this fix includes many kernel changes and can impact switch performance. If you wish, you can leave this fix disabled.

You enable the patches by configuring some kernel command line options in GRUB configuration files, rebooting the switch, then updating your switch BIOS.

The command line option is in the /etc/default/grub.d/00-spectre-meltdown.cfg file. If you installed Cumulus Linux 3.7.4 from the binary installation image, the command line option also appears in /etc/default/grub.

To apply the patches, do the following:

  1. Edit the /etc/default/grub.d/00-spectre-meltdown.cfg file as follows:

    cumulus@switch:~$ sed -i "s/GRUB_CMDLINE_LINUX_DEFAULT/#GRUB_CMDLINE_LINUX_DEFAULT/" /etc/default/grub.d/00-spectre-meltdown.cfg

  2. If you did a binary install of Cumulus Linux 3.7.4 or later, you also must edit /etc/default/grub as follows:

    cumulus@switch:~$ sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="quiet noibrs noibpb nolfence spectre_v2=off nopti"/#GRUB_CMDLINE_LINUX_DEFAULT="quiet noibrs noibpb nolfence spectre_v2=off nopti"\
GRUB_CMDLINE_LINUX_DEFAULT="quiet"/' /etc/default/grub

  3. Run update-grub:

    cumulus@switch:~$ update-grub

  4. Reboot the switch.

  5. Update the BIOS on your switch. For information on how to do this, contact your switch manufacturer.

  6. Verify that the GRUB option was successfully enabled, check /proc/cmdline to make sure the following does not exist:

    cumulus@switch:~$ grep "noibrs noibpb nolfence spectre_v2=off nopti" /proc/cmdline
cumulus@switch:~$

    You can also verify that the GRUB option was successfully enabled by checking:

    cumulus@switch:~$ rgrep . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: lfence
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: IBRS IBPB
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
cumulus@switch:~$

    Copyright © 2024  NVIDIA Corporation