
Upgrading SONiC kernel to 3.16.0‐5 or later versions

Qi Luo edited this page Jan 23, 2018 · 7 revisions

Motivation

Recent vulnerabilities in the Linux kernel, including Meltdown and Spectre, can be used to leak passwords and other sensitive data.

  1. Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows an unprivileged process to read arbitrary kernel memory that it is not authorized to access. Debian has addressed the known Meltdown attack vector, CVE-2017-5754, in Linux kernel 3.16.0-5.

  2. Spectre breaks the isolation between different applications. CVE-2017-5715 and CVE-2017-5753 are the official references for Spectre. Debian has not yet shipped a fix for Spectre; check the latest status.

SONiC is currently based on Debian Linux kernel 3.16.0-4 and is exposed to these vulnerabilities. To keep SONiC switches secure in large-scale cloud environments, we should promptly upgrade the kernel to the latest version and keep following future kernel security patches.

Approach

SONiC uses Debian Linux kernel 3.16.0-4 for both the base image and the containers. Upgrading SONiC to Linux kernel 3.16.0-5 takes several steps, because every out-of-tree kernel module built for the 3.16.0-4 ABI must be rebuilt against the new kernel before it will load.

  1. Upgrade base image to Linux kernel 3.16.0-5

  2. Upgrade ASIC drivers to Linux kernel 3.16.0-5

  3. Upgrade ASIC SDK/SAI to Linux kernel 3.16.0-5

  4. Upgrade platform drivers (sensors/led/fan/...) to Linux kernel 3.16.0-5
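After the four steps above, a practitioner wants a quick check that a switch really runs the patched kernel ABI and that every out-of-tree module (ASIC driver, SAI/SDK, platform driver) was rebuilt for it. The POSIX shell script below is an added example and is not part of the SONiC wiki or repository; it relies only on `uname -r` and `modinfo -F vermagic`, which exist on any Debian host. The module names and vermagic strings in the sample are constructed, and the `/lib/modules/<release>/updates` directory used for vendor modules in the live check is an assumption.

```shell
#!/bin/sh
# Added example (not SONiC code): verify that a switch runs a Debian 3.16.0
# kernel carrying the Meltdown fix (ABI 5 or later) and that out-of-tree
# modules were built for the running ABI, so they will actually load.

MIN_ABI=5   # Debian 3.16.0-5 is the first ABI with the CVE-2017-5754 (Meltdown) fix

# Print the Debian ABI number of a "3.16.0-<abi>-<flavour>" release string.
# Returns 1 for anything that is not a 3.16.0 release (e.g. "4.9.0-5-amd64").
debian_abi() {
    case "$1" in
        3.16.0-[0-9]*) printf '%s\n' "$1" | sed 's/^3\.16\.0-\([0-9]*\).*$/\1/' ;;
        *) return 1 ;;
    esac
}

# Succeed when the release carries the fix: a 3.16.0 kernel with ABI >= MIN_ABI.
kernel_patched() {
    abi=$(debian_abi "$1") || return 1
    [ "$abi" -ge "$MIN_ABI" ]
}

# Succeed when a module's vermagic (as printed by `modinfo -F vermagic x.ko`,
# e.g. "3.16.0-5-amd64 SMP mod_unload modversions") names the given release.
# modprobe refuses a module whose vermagic release differs from the running kernel.
vermagic_matches() {
    [ "${1%% *}" = "$2" ]
}

# Read "module vermagic..." lines on stdin and audit them against a release.
# Prints one "ok"/"REBUILD" verdict per module, then a final "mismatches: N" line.
audit_modules() {
    release=$1
    mismatches=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        mod=${line%% *}
        vermagic=${line#* }
        if vermagic_matches "$vermagic" "$release"; then
            echo "ok       $mod"
        else
            echo "REBUILD  $mod (built for ${vermagic%% *})"
            mismatches=$((mismatches + 1))
        fi
    done
    echo "mismatches: $mismatches"
}

# Constructed sample: what a switch upgraded to 3.16.0-5 looks like when the
# in-tree NIC drivers were rebuilt but the Broadcom BDE modules were not.
SAMPLE_MODULES='igb 3.16.0-5-amd64 SMP mod_unload modversions
ixgb 3.16.0-5-amd64 SMP mod_unload modversions
linux-kernel-bde 3.16.0-4-amd64 SMP mod_unload modversions
linux-user-bde 3.16.0-4-amd64 SMP mod_unload modversions'

# Live check on a real switch: report the running release and audit every .ko
# under /lib/modules/<release>/updates (assumed location of vendor modules).
live_check() {
    rel=$(uname -r)
    if kernel_patched "$rel"; then
        echo "kernel $rel: Meltdown fix present (ABI >= $MIN_ABI)"
    else
        echo "kernel $rel: NOT patched, upgrade to 3.16.0-$MIN_ABI or later"
    fi
    # Newer kernels expose the mitigation state in sysfs; print it when present.
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
        echo "sysfs meltdown: $(cat /sys/devices/system/cpu/vulnerabilities/meltdown)"
    fi
    find "/lib/modules/$rel/updates" -name '*.ko' 2>/dev/null |
        while IFS= read -r ko; do
            printf '%s %s\n' "$(basename "$ko" .ko)" "$(modinfo -F vermagic "$ko")"
        done | audit_modules "$rel"
}

case "${1:-}" in
    --live) live_check ;;
    *) printf '%s\n' "$SAMPLE_MODULES" | audit_modules 3.16.0-5-amd64 ;;
esac
```

Run it without arguments to see the verdict on the constructed sample (two modules flagged REBUILD); run it with `--live` on a switch to audit the real kernel and modules. A module reported as REBUILD still carries a 3.16.0-4 vermagic and will be refused by modprobe on the 3.16.0-5 kernel, which is exactly why the ASIC and platform drivers need porting rather than just copying.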

Progress

What has been done so far

  1. Built Debian Linux kernel 3.16.0-5.

  2. Built a base image with Linux kernel 3.16.0-5

  3. Tested basic Linux operation with the base image on one Mellanox platform.

  4. Tested basic Linux operation and recompiled OpenNSL on one Broadcom platform.

  5. Built several open source kernel modules (igb/ixgb) against Linux kernel 3.16.0-5.

Ongoing source code and images

  • The target SONiC branch is a personal branch.
  • The testing SONiC image is available at the 'Details' links in the pull request checks here.

Limitation

  • None of the platform drivers, SDK or SAI has been ported to 3.16.0-5 yet.

Timeline

  • Target: finish within one month after Debian releases a security patch

    • Debian's fix for CVE-2017-5754 was released on Jan 8, 2018
    • To be updated for future fixes

Development model

  • Pull requests go against the target SONiC branch before it is merged into Azure:master. Review happens on the personal repo.

  • The branch will be rebased onto Azure:master periodically (every 1~2 weeks) or on demand to sync with the latest development.

Call for Action

  • Porting ASIC drivers/SDK/SAI to Linux kernel 3.16.0-5

    • ASIC vendors please submit a PR against the personal branch
    • Microsoft will review and merge it into the personal branch
    • ASIC vendors please wait until the pull request build is ready on the webpage
    • ASIC vendors please fetch the new image at the 'Details' links in the pull request checks here.
    • ASIC vendors please test the new image
    • Microsoft will merge the personal branch into Azure:master
  • Porting other platform drivers to Linux kernel 3.16.0-5

    • Platform vendors please submit a PR against the personal branch
    • Microsoft will review and merge it into the personal branch
    • Platform vendors please wait until the pull request build is ready on the webpage
    • Platform vendors please fetch the new image at the 'Details' links in the pull request checks here.
    • Platform vendors please test the new image
    • Microsoft will merge the personal branch into Azure:master