Don't just be ready. Be application ready.
congatec statement regarding Spectre and Meltdown
There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution.
Security researchers at Google Project Zero notified Intel, AMD, and ARM of new side-channel analysis exploits (referred to as “Spectre” and “Meltdown”).
As all congatec embedded computing products are using CPUs from the named vendors, we are taking this information very serious to ensure the maximum security of our products.
Therefore, we are in contact with Intel, AMD, and NXP to provide the latest information, possible risks and available updates related to our products.
So far, there are three known variants of this issue based on the Google Project Zero (GPZ):
| Google Project Zero (GPZ) Research Title | Mitigation Options (depending on CPU vendor) | ||
|---|---|---|---|
| Variant 1 (aka Spectre) | Bounds Check Bypass Use existing code with access to secrets by making it speculatively execute memory operations | OS update mandatory possibly VMM update | |
| Variant 2 (aka Spectre) | Branch Target Injection Malicious code usurps properties of CPU branch prediction features to speculatively run code | OS update mandatory possibly VMM / firmware update | |
| Variant 3 (aka Meltdown) | Rogue Data Cache Load Access memory controlled by the OS while running a malicious application. | OS update |
Executive summary – Based on the information we have received to date our understanding of the situation can be described as follows for the types of products made by our customers:
- Your products are not general purpose consumer computer products. Rather they are application/function specific products used in a controlled environment with controls regarding access, type of usage, and loading of software.
- These products have been designed with best practices for their application to limit a potential security breach, ie malware, unauthorized user, loading of rogue software, etc.
- The variants mentioned do not change the ability of someone to do any of the actions mentioned in point 2, rather they may increase the ability of what someone can do if they had the ability prior to these variants to breach the system.
- This new side channel analysis method cannot be enabled remotely and any malicious code (malware) utilizing this new method must be running locally on the machine.
- In summary, for Embedded products designed with best practices for restricted usage it does not appear there is an increased risk due to this knowledge. Products that previously experienced problems in regards to point 2 may now be at increased risk.
Suggested next steps:
- Review the use case conditions of your products in light of the descriptions above, identify the specific processor, and the OS being used.
- In the event you believe an OS update is needed,
a) determine if that OS is being updated, and
b) determine the performance impact of the update on your system, and if the performance impact is acceptable. - If your OS is not offering an upgrade there is nothing further that is known to do at this time.
- If you determine an OS upgrade is needed, available, and you have verified the system performance is acceptable - and therefore you would like to have a microcode update from congatec please contact us for further discussion.
Nevertheless, congatec will implement the latest recommendations of the CPU vendors to ensure maximum security of our products:
Intel based products:
Link to additional information:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Affected congatec products: All
Variant 1 / Variant 2 – available Microcode updates will be implemented via a BIOS update.
An OS update is mandatory in addition to the latest Microcode version.
Variant 3 – OS update
AMD based products:
Link to additional information:
https://www.amd.com/en/corporate/speculative-execution
Affected congatec products: All
No security updates from congatec are available.
Contact your OS vendor for the latest patches.
ARM based products:
Link to additional information:
https://developer.arm.com/support/security-update
Affected congatec products: All
No security updates from congatec are available.
Contact your OS vendor for the latest patches.
If more information about this topic becomes available this document will be updated.
Disclaimer:
This communication is based on information provided by Intel, AMD, ARM, Microsoft, and Google. All data is for information purposes only. congatec AG provides no warranty with regard to this information contained herein and hereby expressly disclaims any implied warranties of merchantability or fitness for any particular purpose with regard to any of the foregoing.
congatec AG assumes no liability for any damages incurred directly or indirectly from any technical or typographical errors or omissions contained herein or for discrepancies. In no event shall congatec AG be liable for any incidental, consequential, special, or exemplary damages, whether based on tort, contract or otherwise, arising out of or in connection with the information contained herein or the use thereof.
