Is there any news on a patch for Meltdown/Spectre? I believe it has been fixed in the latest core Android patch, but I was wondering how long this might take to come through to the Fairphone OS particularly as this has been such à widely publicised vulnerability…
For me as a Lineage (LOS) user the question is:
Do i have to live with the fixes LOS (same applies to Ubuntu etc.) includes in their updates?
I think they cannot include proprietory fixes for specific hardware due to the numerous different phones using alternative software.
I understood that even when using Lineage OS for Fairphone 2 fixes for modem software are available e.g. modem-17.11.2.zip2
Is there any chance that Fairphone makes available in the same way also other specific proprietory security fixes?
Spectre should be fixed with the update Tuesday (assuming LOS backports these fixes which is a fair bet). You can verify by checking patch level at Settings -> About phone -> Android security patch level. Should be as Ingo stated after Tuesday.
Meltdown, as far as its known today, only affects Intel and a few rare ARM processors: Cortex-A15, Cortex-A57, Cortex-A72. Snapdragon 810 is based on A57. FP2 is a Snapdragon 800 though.
See this article for current information and which hardware is affected:
FP2 issues a Snapdragon 801 (Qualcomm MSM8974PRO-AA and MSM8974PRO-AB), which is a SoC that includes 4x Qualcomm® Krait™ 400 CPU. “[Krait CPUs were] introduced in 2012 as a successor to the Scorpion CPU and although it has architectural similarities, Krait is not a Cortex-A15 core, but it was designed in-house.” (Wikipedia). More importantly, Meltdown and Spectre are vulnerabilities built around speculative code execution, a capability Krait 400 has.
(Opinion) FP2’s CPU is probably not directly affected by Meltdown, but as Spectre is a processor design flaw, patches will be needed for each derived vulnerability.
Also, I want to add an useful article to understand those vulnerabilities here (ignore the title):
Thanks @Roboe for the details about the Krait 400 CPU etc…
As the last sentence is “only” (I don’t want to say that it is useless ) your Opinion, are there any reliable information in the meanwhile how exactly the FP2 is affected?
@Douwe: Ok, we can expect necessary patches in the February release. (of course LineageOS and Ubuntu Touch, etc. will get patches by the maintainers separatly so Fairphone cannot say anything about that)
But maybe Fairphone can say something official if the FPs are effected by Spectre only or Meltdown+Spectre and so on. Maybe a little blogpost helps as well.
You’re right. Although my opinion is never a “plain” opinion —I know some things about how tech work, — it was non-reliable opinion, after all, and marked as such.
Searching for some info, these articles emerged:
In a nutshell, Qualcomm SoCs are affected by those vulnerabilities. However, only Cortex-A75 —not in any shipping product at the moment— is affected by Meltdown. FP2 (Snapdragon 801 SoC/Krati 400 CPU) is based on Cortex-A15 architecture.
I don’t think anyone can be more specific because only Qualcomm knows specific details about their hardware implementations.
From the customer relations standpoint, it would be good of FP to put an official statement on the support page for such a high-profile issue, detailing how they intend to handle the issue, and in which time frame. Would be a nice change from the usual FUD approach of most IT giants.
This vulnerability  got released in the news the other day:
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream “x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()” commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
TL;DR all Linux kernel (longterm)stable versions were vulnerable to Spectre v1 up till… well, current git? Cause I still don’t see Linux kernel 5.2.12 released, to name an example.
I’m not entirely sure at which date the vulnerability got reintroduced.
Whether this applies to FP1/FP2 I do not know. I know that FP2 runs Linux kernel 3.16 (on LOS 16, and supposedly also other OSes use this kernel cause of blobs) which isn’t mentioned as affected.
While I assume they backported the Meltdown and Spectre fixes, including this bug, it has to be carefully verified.
Has anyone tried such? Where can I browse the source used?
Yes they do, but only into the maintained versions at https://www.kernel.org/ by the kernel developers - currently 3.16 is the oldest version there. Linux distributors backport fixes to other kernels used in their own long term support distros, but none of the main distros is on 3.4 as far as I can see. (Red Hat/CentOS still maintain a 3.10 and 2.6.32 kernel)
I don’t think Fairphone has the resources to backport these fixes themselves, security issues like these would probably require a professional kernel developer.