PGP ID: 0xBD83B92B2F4BFD99
Fingerprint: 7B85 0961 8D82 0DF6 3924 1BB6 BD83 B92B 2F4B FD99
Purism has released a patch for Meltdown (CVE-2017-5754, aka variant 3) as part of PureOS, and includes this latest PureOS image as part of all new Librem laptop shipments. Purism is also providing a microcode update for Intel processors to address Spectre variant 2 (CVE-2017-5715).
Securing an existing PureOS installation
Applying the patch for Meltdown
Running Software Update will upgrade the linux-kernel package and its associated dependencies in PureOS to the patched 4.14.12 version.
This update will require a reboot to apply, after which you should see that you are running 4.14.12. You can use the uname command to check:
user@librem-13v2:~$ uname -a
Linux librem-13v2 4.14.0-3-amd64 #1 SMP Debian 4.14.12-2 (2018-01-06) x86_64 GNU/Linux
Applying the patch for Spectre
Unfortunately, at the moment, patching Spectre variant 2 requires applying a proprietary CPU microcode update from Intel. Since PureOS contains only free software, this means that Purism customers owning Librem laptops will need to add a new repository from Purism (completely independent of the PureOS software repositories) to download and apply this microcode update.
First, create a file called /etc/apt/sources.list.d/purism.list that contains the following lines:
# non-free Purism repo for microcode
deb http://deb.puri.sm/pureos/ green contrib non-free
You will need root permissions to edit this file, so if you would like to do this with a graphical editor, hit Alt-F2 and type:
sudo gedit /etc/apt/sources.list.d/purism.list
or, if you want to use a text editor in a terminal, type:
sudo nano /etc/apt/sources.list.d/purism.list
(no text editor holy wars please!)
Then, add the Purism repository key to your APT keyring:
wget -O - https://deb.puri.sm/pureos/key/purism-nonfre-repo.gpg.key | sudo apt-key add -
Once you have added the key, use apt-key finger to verify that you have the following key, and that its fingerprint matches:
$ apt-key finger
...
pub rsa4096 2018-01-14 [SC] [expires: 2028-01-12]
    CC2B 0E61 FE48 7DCD 96FA 632C 64CD 8D1B DE94 49B1
uid [ unknown] Purism non-free package repository (Signing key for the Purism non-free repository for PureOS) <firstname.lastname@example.org>
Then use apt to install the intel-microcode package:
$ sudo apt update
$ sudo apt install intel-microcode
Version 20180108.1 or newer contains the patch for Spectre variant 2. As with the Meltdown patch, this will require a reboot to take effect.
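The fingerprint comparison in the key-verification step above can be scripted rather than done by eye. The following is an added example, not part of the original post or Purism's tooling; the function names and the sample listings are constructed for illustration, and the expected fingerprint is the one printed above.

```shell
#!/bin/sh
# Added example, not Purism's code. EXPECTED_FPR is the fingerprint printed
# in the article; function names and sample listings are constructed here.
EXPECTED_FPR="CC2B 0E61 FE48 7DCD 96FA 632C 64CD 8D1B DE94 49B1"

# Reduce a listing line to bare upper-case hex: drop the gpg 1.x
# "Key fingerprint =" label and all blanks.
normalize_fpr() {
    printf '%s' "$1" | sed 's/^ *Key fingerprint = *//' | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Read a key listing on stdin; return 0 if one line is exactly the wanted
# fingerprint, 1 if none is, 2 if the wanted value is not 40 hex digits
# (so a short or long key ID is never accepted as proof of identity).
keyring_has_fpr() {
    want=$(normalize_fpr "$1")
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    while IFS= read -r line; do
        if [ "$(normalize_fpr "$line")" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Check the live APT keyring (assumes apt-key is available, as in the article).
verify_purism_key() {
    apt-key finger 2>/dev/null | keyring_has_fpr "$EXPECTED_FPR"
}

# Constructed sample listings: gpg 2.x layout as shown in the article, and
# the gpg 1.x layout for the same key.
SAMPLE_GPG2='pub   rsa4096 2018-01-14 [SC] [expires: 2028-01-12]
      CC2B 0E61 FE48 7DCD 96FA  632C 64CD 8D1B DE94 49B1
uid   [ unknown] Purism non-free package repository'
SAMPLE_GPG1='pub   4096R/DE9449B1 2018-01-14 [expires: 2028-01-12]
      Key fingerprint = CC2B 0E61 FE48 7DCD 96FA  632C 64CD 8D1B DE94 49B1'
```

Call verify_purism_key after the apt-key add step and continue to apt update only when it returns 0.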
New installations are secured
Downloadable PureOS installation images have been updated accordingly, and anyone downloading and installing the latest images will be protected against Meltdown. If you reinstall PureOS, you will still need to perform the steps in the “Applying the patch for Spectre” section above, as PureOS doesn’t include the non-free Intel microcode package.
As for Purism customers, all new laptop shipments include Meltdown and Spectre patches, as they will have the latest PureOS image (that includes the Meltdown patch) preloaded and will also have the Spectre variant 2 patch applied. All existing Purism customers will need to follow the above steps to make sure they are protected against both Meltdown and Spectre variant 2.