Meltdown and Spectre - Processor Speculative Execution Vulnerabilities (NI Linux Real-Time)

Overview

This article applies to NI Linux Real-Time-based controllers. For Windows-based systems, see here. VxWorks and PharLap based controllers are not impacted.

NI is aware of the side-channel analysis vulnerabilities described in CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3640, CVE-2018-3639, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 known as Meltdown, Spectre, and Foreshadow, affecting many modern microprocessors. We are working with our silicon suppliers and OS vendors to ensure that our products include the appropriate mitigations. Presently, we are unaware of cases where these vulnerabilities have been used maliciously.

Contents

Further Information

The Meltdown and Spectre vulnerabilities are unspecific to any one vendor and take advantage of techniques commonly used in most modern processor architectures. This means a large range of products are affected. Mitigations could include updates to both OSs and firmware (BIOS).

NI recommends customers follow security best practices to protect against exploitation of vulnerabilities. These practices include adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources, and following secure password policies. 

NI has observed some negative system performance impact from applying the mitigations. Generally, performance degradation is in line with reports from the industry. In some cases, the impact could be significant but is specific to the application. Due to the system performance impact, these mitigations may be disabled by default

NI Linux Real-Time distributions based on LabVIEW Real-Time 2019 and later (linux kernel 4.14+RT or later and firmware version 7.0 or later) ship with several security mitigations addressing the following CVEs:

  • CVE-2017-5715 (aka. Spectre v2) 
  • CVE-2017-5754 (aka. Meltdown) 
  • CVE-2018-3620, CVE-2018-3646 (aka. L1 Terminal Fault Attack) 
  • CVE-2018-3639 (aka. Spectre v4) 

Mitigation Guidance

Depending on the NI Linux Real-Time controller, you may need to perform one or more of the following steps.

  • Apply the BIOS update provided by NI for the controller. Refer to the "Affected Products" section below.
  • Upgrade to Firmware (safemode OS) version 7.0, format, and re-install software to the controller.
  • Enable the mitigations in the operating system.  
     

For more information on upgrading the firmware and enabling the mitigations in the OS, please refer to Enabling Security Mitigations for Meltdown and Spectre on NI Linux Real-Time Controllers.

Affected Products

NI Linux Real-Time (Intel x64) Controller List 

A BIOS update and a Firmware update is necessary to address Meltdown, Spectre Variant 1, 2 & 4, and Foreshadow (as of 6/1/2019).

ControllersBIOS Update
PXIe-8840 QC2.1.3f0
PXIe-8861Ships with BIOS mitigations
PXIe-88802.1.2f0
cDAQ-91321.3.1.f0
cDAQ-91331.3.1.f0
cDAQ-91341.3.1.f0
cDAQ-91351.3.1.f0
cDAQ-91361.3.1.f0
cDAQ-91371.3.1.f0
cRIO-90301.3.3f0
cRIO-90311.3.3f0
cRIO-90321.3.3f0 WiFi
cRIO-90331.3.3f0
cRIO-90341.3.3f0
cRIO-90351.3.3f0
cRIO-9035 (Sync)1.3.3f0
cRIO-90361.3.3f0
cRIO-90371.3.3f0 WiFi
cRIO-90381.3.3f0
cRIO-90391.3.3f0
cRIO-9039 (Sync)1.3.3f0
cRIO-90401.2.1f0
cRIO-90421.2.1f0
cRIO-90431.2.1f0
cRIO-90451.2.1f0
cRIO-90471.2.1f0
cRIO-90481.2.1f0
cRIO-9048 TPM1.2.1f0 TPM
cRIO-90491.2.1f0
IC-31201.3.1f0
IC-31211.3.1f0
NI CVS-1458RT1.3.0f0
NI CVS-1459RT1.3.0f0
IC 31711.1.2f0
IC 31721.1.2f0
IC-31731.1.2f0
ISC-17801.10.035*
ISC-17811.10.035*
ISC-17821.10.035*
ISC-17831.10.035*

*To upgrade your ISC hardware to BIOS version 1.10.05 contact NI Technical Support at ni.com/support

CompactDAQ/CompactRIO/Vision/OEM Controller (NI Linux Real-Time ARM) List

A Firmware update to 7.0 for ARM-based controllers is necessary to address Spectre Variant 1 & 2 before enabling mitigations (As of 6/1/2019).

Controllers
cRIO-9063
cRIO-9064
cRIO-9065
cRIO-9066
cRIO-9067
cRIO-9068
sbRIO-9607
sbRIO-9627
sbRIO-9637
sbRIO-9651
myRIO-1900
myRIO-1950
NI-7931
NI-7932
NI-7935
NI roboRIO
NI ELVIS RIO Control Module

 

For more information on the update process, refer to Upgrading Firmware on my NI Linux Real-Time Devices and Enabling Security Mitigations for Meltdown and Spectre on NI Linux Real-Time Controllers.

Was this information helpful?

Yes

No