Galaxy Kirin Releases Patch Updates for Meltdown and Spectre (Ghost) Processor Vulnerabilities

On or about January 3, 2018, Google's security team disclosed a security vulnerability in Intel processor chips. The vulnerability originates from a design bug at the chip hardware level. Exploiting it can allow processes with user privileges to read CPU cached data without authorization, which may allow attackers to obtain sensitive data on the user's device, such as passwords, login keys, private photos, emails, instant messaging information and even trade secret documents.

Figure: Microarchitectural block diagram of out-of-order execution. Meltdown uses the execution engine part of the figure, and Spectre (Ghost) uses the branch predictor part.

 

  

Tianjin Kirin immediately convened its security R&D and emergency response team, started its major-vulnerability handling process, analyzed the cause of the vulnerability and the affected products, and discussed the development of a patch upgrade solution. Up to now, there has been no report of this vulnerability having an actual impact on users.

Tianjin Kirin has carried out patch upgrades for its Galaxy Kirin operating system products based on X86 processors, and has issued a security notice to the relevant users prompting them to apply the version patch update. The update is now available on the official website for users and partners to download.

Users and partners who need to download the updated code should go to the official website of Tianjin Kylinos Information Technology Co., Ltd. (www.kylinos.cn) for the relevant information and code download links. This update covers V3.2.8 and V3.2.5 of the Galaxy Kylinos operating system based on X86 processors. For details, see http://archive.kylinos.cn/security-updates.

 

 

 

The domestic Feiteng processor is for now not affected by this vulnerability. For this platform, the Galaxy Kirin operating system has nevertheless strengthened security through this patch update and through restrictions on unauthorized access by user-mode applications. We will continue to follow the issue to ensure that customers are provided with a secure and reliable system. Users should watch for patch releases, update their systems promptly and apply the firmware updates provided by device manufacturers to effectively protect their devices against attacks that exploit this vulnerability.

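The Galaxy Kirin operating system has a label-based execution control mechanism that marks the legitimacy and integrity of applications, ensuring that only legitimate and intact dynamic link libraries, executable programs and kernel modules are allowed to load and execute. It strictly restricts the load and execute permissions of illegitimate applications, which makes this vulnerability harder to exploit. For the Intel processor platform, the Galaxy Kirin operating system has already fixed the vulnerability by isolating the kernel page tables used by kernel space from those used by user space, ensuring access isolation for user-mode applications. This fix has some impact on performance, however, so for users' different application scenarios the system provides kernel switches for this vulnerability that users can configure themselves.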

 

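CPU patch notes

Patch installation method:

Refer to the corresponding help file or README file included on the CD.

CVE coverage of the patch:

CVE-2017-5753: fixed by the software patch alone; the patch cannot be disabled;

CVE-2017-5715: requires both the software patch and a microcode upgrade to be enabled; the patch can be disabled; the microcode must be provided by the hardware vendor or downloaded from the vendor's website;

CVE-2017-5754: fixed by the software patch alone; the patch can be disabled;

How to disable the patches:

Disabling the CVE-2017-5715 patch:

(1) Permanently: add noibrs noibpb to the boot parameters

(2) Dynamically: mount the debugfs file system (mount -t debugfs nodev /sys/kernel/debug), then run:

echo 0 > /sys/kernel/debug/x86/ibrs_enabled

echo 0 > /sys/kernel/debug/x86/ibpb_enabled

Disabling the CVE-2017-5754 patch:

(1) Permanently: add nopti to the boot parameters

(2) Dynamically: mount the debugfs file system (mount -t debugfs nodev /sys/kernel/debug), then run:

echo 0 > /sys/kernel/debug/x86/pti_enabled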
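
An added example, not part of the vendor's notice: a small shell audit that reports whether any of the switches listed above has been used to turn a mitigation off, so that hosts where the CVE-2017-5715 or CVE-2017-5754 patch was disabled for performance can be found again. It assumes that 0 in a debugfs file means off and any other value means on; the function names are hypothetical.

```sh
#!/bin/sh
# Added audit example (not vendor code). Switch and file names are those
# quoted in the notice; function names are hypothetical.

# has_param CMDLINE PARAM: succeed if PARAM is a whole word in CMDLINE.
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# switch_state FILE: print the switch value, or "unknown" if unreadable.
switch_state() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else echo unknown; fi
}

# audit_mitigations CMDLINE X86_DIR
# Prints one finding per line; returns 1 if any mitigation is off, else 0.
# Assumption: 0 in a debugfs file means off, any other value means on.
audit_mitigations() {
    cmdline=$1 dir=$2 rc=0
    for pair in noibrs:ibrs_enabled noibpb:ibpb_enabled nopti:pti_enabled; do
        param=${pair%%:*} file=${pair##*:}
        if has_param "$cmdline" "$param"; then
            echo "DISABLED at boot: $param"
            rc=1
        fi
        state=$(switch_state "$dir/$file")
        case $state in
            0) echo "DISABLED at runtime: $file=0"; rc=1 ;;
            ''|unknown) echo "UNKNOWN: $dir/$file unreadable (debugfs mounted? root?)" ;;
            *) echo "enabled: $file=$state" ;;
        esac
    done
    return "$rc"
}

# Live check: sh audit.sh --live (run as root, with debugfs mounted).
if [ "${1:-}" = "--live" ]; then
    audit_mitigations "$(cat /proc/cmdline)" /sys/kernel/debug/x86
fi
```

A non-zero exit status means at least one mitigation is off, which makes the script usable as a compliance check in configuration management.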
