This page details status for Chrome OS devices regarding the Meltdown and Spectre vulnerabilities, also known as "speculative execution vulnerabilities" described by Google Project Zero. (Previously located at https://www.chromium.org/chrome-os-devices-and-kernel-versions.)

Meltdown

Google has been working on updates that contain the Kernel Page Table Isolation (KPTI) mitigation for Meltdown. ARM Chrome OS devices are not affected by Meltdown. Most Intel devices received KPTI with M63. All Intel devices have received KPTI with M66, and therefore all Intel Chrome OS devices are now protected against Meltdown.
(2018-May-22: Updated to note that all Intel devices are now protected against Meltdown.)
Variant 3 (CVE-2017-5754)

The following subsections indicate the vulnerability status of Chrome OS hardware for Variant 3 (CVE-2017-5754), which is also referred to as Meltdown.
Older Intel devices

These devices with kernel 3.14 have received the KPTI / KAISER patch in Chrome OS 65 and are protected against Meltdown:
These devices with kernel 3.8 have received the KPTI / KAISER patch in Chrome OS 66 and are protected against Meltdown:
ARM devices

ARM Chrome OS devices are not affected by Meltdown. This applies to the following devices:
Spectre

The following subsections indicate Chrome OS status with respect to the Spectre vulnerability (also referred to as "Variant 1" and "Variant 2" in the Project Zero blog post). Spectre potentially allows access to data held in other processor execution contexts. The victim execution context (kernel or process) must have certain code patterns in its address space.

Variant 1 (CVE-2017-5753)

The Linux kernel has a feature called eBPF that is used to run untrusted code. The Project Zero blog post describes how this can be abused by attackers to generate vulnerable code patterns in the kernel. However, Chrome OS disables eBPF in its kernels and therefore is not exposed to Spectre Variant 1 via eBPF. Additional Spectre variant 1 mitigations available in the Chrome browser are described here.

Variant 2 (CVE-2017-5715)

The Project Zero blog post describes how virtualization can be used to exploit Spectre Variant 2. Chrome OS devices that ship Linux VMs contain mitigations for Spectre variant 2.
(2018-Oct-05: Updated to reflect usage of virtualization features on Chrome OS; fixes for ARM devices on kernel 3.18.)
Intel devices

On Intel devices we’ve deployed the Retpoline compiler-based mitigation for all Chrome OS kernels, starting with Chrome OS 65. This mitigation prevents kernel-to-user, guest-to-guest, and host-to-guest information leaks using Spectre variant 2.
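
On a running Linux kernel, the KPTI and Retpoline mitigations named above can be confirmed from the kernel's own status report. The script below is an added example, not part of the original page or of Chrome OS; it assumes the kernel exposes the standard sysfs directory /sys/devices/system/cpu/vulnerabilities, and its function names are illustrative.

```shell
# Added example, not Chrome OS project code. Assumes the kernel exposes the
# standard Linux sysfs directory below; some older kernels do not provide it.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Succeed when a status line names the Retpoline mitigation.
uses_retpoline() {
    case "$1" in *"Mitigation:"*[Rr]etpoline*) return 0 ;; esac
    return 1
}

# Print "<name> <state> <raw line>"; a file the kernel lacks is "unknown".
report_entry() {
    line="(not reported by this kernel)"
    if [ -r "$1/$2" ]; then
        IFS= read -r line < "$1/$2" || true
    fi
    printf '%s %s %s\n' "$2" "$(classify_status "$line")" "$line"
}

# Check the two kernel mitigations this page names: KPTI (meltdown) and
# Retpoline (spectre_v2). Returns 0 only if both are mitigated or not affected.
# Retpoline is not required: ARM kernels report a different spectre_v2 fix.
check_mitigations() {
    dir=${1:-$VULN_DIR}
    rc=0
    for name in meltdown spectre_v2; do
        entry=$(report_entry "$dir" "$name")
        echo "$entry"
        if uses_retpoline "$entry"; then echo "$name: Retpoline in use"; fi
        case "$entry" in
            "$name not_affected "*|"$name mitigated "*) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Report on the running kernel without failing the script.
check_mitigations || echo "at least one entry is not confirmed mitigated"
```

An "unknown" result means the kernel did not report a status, not that the device is exposed.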
ARM devices

On ARM devices we’ve started integrating firmware and kernel patches supplied by ARM. ARM devices will receive updated firmware and kernels before they enable virtualization features. Some ARM devices on 4.4 kernels received Spectre variant 2 fixes with Chrome OS 67. These fixes were later discovered to be incomplete and updated with Chrome OS 70:
Some ARM devices on 3.18 kernels will receive Spectre variant 2 fixes with Chrome OS 71:

Speculative store buffer bypass (variant 4)

Vulnerability description

Following on their Meltdown and Spectre research, Google's Project Zero disclosed a fourth variant of their speculative execution attacks, Speculative store buffer bypass (CVE-2018-3639). On Chrome OS this variant affects the Chrome browser and is also mitigated by Site Isolation.

Chrome OS response

Chrome OS 67 enables Site Isolation by default across the Chrome OS fleet. Chrome OS 67 will be released on the stable channel around June 5, 2018. Site isolation may increase memory use by approximately 10%. For more information on Site isolation, including how to enable it manually, see the Chrome Help article.

Affected devices

Intel devices with Core processors, or Apollo Lake Atom processors, are affected by this variant. ARM devices with MTK8173 processors, or RK3399 processors, are affected by this variant. The cpu line in the chrome:system page will show what CPU the device has.
The following list covers affected devices that will be mitigated in Chrome OS 67: