Michael Tremer

Protect yourself better against Meltdown, Spectre and other attacks with IPFire on 64 bit
by Michael Tremer, August 2

With IPFire 2.21, we have rebased the distribution on the latest long-term supported branch of the Linux kernel: Linux 4.14. That allows us to get various bug and security fixes from the upstream kernel maintainers and we will be able to update the kernel quicker and more often.

This is especially important given the recent revelations about hardware vulnerabilities in current Intel, AMD and ARM processors. Mainly I am talking about Meltdown and Spectre here, but I guess it is safe to expect many similar vulnerabilities to come. They cannot be fixed in the hardware, because that would require major changes to the architecture, and hardware that has once been released obviously cannot be changed any more.

The Linux kernel maintainers have been working on mitigations that prevent those vulnerabilities from being exploited, but those come at a price. There have been various articles about how excessively the processors are slowed down for various workloads, and there are more downsides to those mitigations. One of them is that they were mainly developed and tested on x86_64. The port to the 32 bit x86 architecture (i586 for IPFire) is lagging far behind the 64 bit version, since most systems now run on the latter. There are efforts to port the mitigations, but significantly less man-power is going into that. Therefore, we would urge everyone whose hardware supports it to re-install the 64 bit version of IPFire.

Additionally, we had to drop grsecurity from IPFire with the latest release. From a technical perspective, this hurts us, since we have lost some pro-active measures that prevented vulnerabilities from being exploited. Some of them have been ported into the mainline kernel, and those we get to keep in IPFire, too. Again, the kernel developers pay most attention to the modern 64 bit architectures, which have more hardware features that can be used to reduce the performance penalty of the extra work that has to be done to keep the system secure. Those things never come free of any cost.

Ergo, we would like to give the same advice again and ask you to use the 64 bit version of IPFire, to gain the best security from the features that they and we have built, at the lowest possible performance penalty.
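To see where a given installation stands on the two points made above, here is an added example script (not IPFire's own tooling): it reads the kernel's self-reported mitigation status from /sys/devices/system/cpu/vulnerabilities (exported by Linux 4.15 and the 4.14 stable series) and checks whether the running kernel is 64 bit. The fallback status values it writes to a temporary directory are constructed, so the script also runs on a machine whose kernel does not export that directory.

```shell
#!/bin/sh
# Added example (not part of IPFire): report the kernel's own view of the
# Meltdown/Spectre mitigations and whether the kernel is 64 bit. Each file
# in the vulnerabilities directory reads "Not affected",
# "Mitigation: <name>" or "Vulnerable[: <detail>]".

# Map a machine name as printed by `uname -m` to yes/no for a 64 bit kernel.
is_64bit_arch() {
    case "$1" in
        x86_64|aarch64) echo yes ;;   # 64 bit architectures IPFire ships
        *) echo no ;;                 # i586/i686 and 32 bit ARM
    esac
}

# Print "issue  status" for every status file in the given directory.
report_mitigations() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-20s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Echo how many issues the kernel still reports as "Vulnerable" (0 = all handled).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample (not captured from a real machine): what a 4.14 kernel
# built without retpoline compiler support might report. Used when the real
# sysfs directory is missing, so the script runs anywhere.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'Mitigation: PTI\n'                           > "$SAMPLE_DIR/meltdown"
printf 'Mitigation: __user pointer sanitization\n'   > "$SAMPLE_DIR/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$SAMPLE_DIR/spectre_v2"

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
if [ -d "$VULN_DIR" ]; then DIR="$VULN_DIR"; else DIR="$SAMPLE_DIR"; fi
echo "kernel arch: $(uname -m) (64 bit: $(is_64bit_arch "$(uname -m)"))"
report_mitigations "$DIR"
echo "issues still reported Vulnerable: $(count_vulnerable "$DIR")"
```

A non-zero count, or a "no" for the architecture check, is exactly the situation the post describes: a kernel that still lacks a mitigation or a 32 bit install that would benefit from moving to the 64 bit image.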
