
Upgrading SONiC kernel to 3.16.0-5 or later versions

Qi Luo edited this page Jan 12, 2018 · 7 revisions

Motivation

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any kernel memory, even when it is not authorized to do so. Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows.

Debian has addressed one of the three known Meltdown attack vectors, CVE-2017-5754, in Linux kernel 3.16.0-5. For the other two, CVE-2017-5715 and CVE-2017-5753, Debian is still open to attack; check the latest status.

SONiC is currently based on Debian Linux kernel 3.16.0-4 and therefore has this vulnerability. To keep SONiC switches secure in large-scale cloud services, we should act promptly to upgrade the kernel to the latest version and keep tracking future versions for security kernel patches.

Approach

SONiC uses Debian Linux kernel 3.16.0-4 for both the base image and the containers. Upgrading SONiC to Linux kernel 3.16.0-5 takes several steps.

  1. Upgrade base image to Linux kernel 3.16.0-5

    Since all docker containers on the same SONiC switch share the single host Linux kernel, we should upgrade the base image kernel first.

  2. Upgrade platform drivers to Linux kernel 3.16.0-5

  3. Upgrade syncd container to Linux kernel 3.16.0-5

    The syncd container is linked with, or uses, the platform-specific SDK and SAI, which are built against specific kernel headers. To make them interoperate correctly with the single host kernel, we should also upgrade the container's kernel-related packages.

  4. Upgrade all other containers to Linux kernel 3.16.0-5

    The other containers are loosely coupled with the Linux kernel. To keep the build system consistent, we will upgrade them last.
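The checks a practitioner would want after steps 1 and 3, as an added example that is not SONiC project code: confirm that the running kernel is at Debian ABI 3.16.0-5 or later, and that the linux-headers package installed in the host or in a container such as syncd matches the running kernel, since the SDK, SAI and platform modules are built against those headers. The function names and the constructed package list in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the SONiC repository. Function names are hypothetical.
# MIN_ABI is the target ABI from this page.
MIN_ABI="3.16.0-5"

# abi_key RELEASE: turn "3.16.0-5-amd64" into one integer (316000005) so that
# ABI 10 compares greater than ABI 5; a plain string compare would get this wrong.
# Returns 1 if RELEASE does not look like a Debian kernel release string.
abi_key() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*-[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F'[.-]' \
        '{ printf "%.0f\n", $1 * 100000000 + $2 * 1000000 + $3 * 10000 + $4 }'
}

# kernel_abi_ok RELEASE [MIN]: 0 if RELEASE is at least MIN (default MIN_ABI).
kernel_abi_ok() {
    have=$(abi_key "$1") || return 1
    want=$(abi_key "${2:-$MIN_ABI}") || return 1
    [ "$have" -ge "$want" ]
}

# headers_match_kernel RELEASE PKGLIST: 0 if PKGLIST (one package name per line,
# as printed by dpkg-query) contains linux-headers-RELEASE, i.e. the headers the
# SDK/SAI/modules are built against belong to the kernel that is actually running.
headers_match_kernel() {
    printf '%s\n' "$2" | grep -qxF "linux-headers-$1"
}

# check_live: run both checks on the current host or container (needs dpkg-query).
check_live() {
    rel=$(uname -r)
    pkgs=$(dpkg-query -W -f='${Package}\n' 'linux-headers-*' 2>/dev/null || true)
    status=0
    if kernel_abi_ok "$rel"; then
        echo "kernel $rel: at or above target ABI $MIN_ABI"
    else
        echo "kernel $rel: older than $MIN_ABI, upgrade the base image first"; status=1
    fi
    if headers_match_kernel "$rel" "$pkgs"; then
        echo "linux-headers-$rel installed: kernel-related packages match"
    else
        echo "linux-headers-$rel missing: rebuild kernel-related packages"; status=1
    fi
    return $status
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` on the host and inside the syncd container; both should report the same release and a matching headers package.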

Progress

What has been done so far

  • Build Debian Linux kernel 3.16.0-5
  • Build a base image with Linux kernel 3.16.0-5
  • Test the basic Linux operation with the base image on Mellanox platform
  • Build several platform independent kernel modules with Linux kernel 3.16.0-5

Source code and Image

  • The new SONiC branch is here.
  • The new SONiC image is here.

Limitation

  • None of the current SONiC kernel patches is fully tested.
  • None of the platform drivers/SDK/SAI has been ported to the 4.9 kernel.

Timeline

  • ??

Development model

  • Submit pull requests against the new SONiC branch until it is merged into Azure:master.
  • The branches will be rebased onto Azure:master periodically (every 1 to 2 weeks) to sync with the latest development.

Call for Action

  • Porting ASIC drivers/SDK/SAI to Linux kernel 3.16.0-5
    • ASIC vendors