Linux 4.15: Good news and bad news about Meltdown and Spectre

Linus Torvalds has released the next version of the Linux kernel and, while things are better with the chip security problems Meltdown and Spectre, more work needs to be done.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Linus Torvalds, Linux's primary creator, had good and bad news about the chip security problems Meltdown and Spectre. The good news is that the lead-up to Linux 4.15 was "quiet and small, and no last-minute panics, just small fixes for various issues". The bad news? "It's not like we're 'done' with Spectre/Meltdown."

On the Linux Kernel Mailing List (LKML), Torvalds explained, "The bulk of the 4.15 work is all the regular plodding 'boring' stuff. And I mean that in the best possible way. It may not be glamorous and get the headlines, but it's the bread and butter of kernel development, and is in many ways the really important stuff."

Torvalds continued, "While Spectre/Meltdown has obviously been the big news this release cycle, it's worth noting that we obviously had all the *normal* updates going on too, and the work everywhere else didn't just magically stop, even if some developers have been distracted by CPU issues. In the *big* picture, 4.15 looks perfectly normal, with two thirds of the full 4.15 patch being about drivers ... not by CPU bug mitigation."

But trying to mitigate the Meltdown and Spectre problems still ate up a lot of time, and the work is far from done. First and foremost, like every other operating system's developers, the Linux kernel developers are waiting on Intel's hardware designers to complete their firmware and microcode patches.

In its latest quarterly report, Intel CEO Brian Krzanich stated Intel will "restore confidence in data security with customer-first urgency, transparent and timely communication." We're still waiting.

Krzanich also said Intel is "working around the clock" to mitigate the Meltdown and Spectre flaws and that the company will release updated chips later this year to provide a permanent fix. In the long run, totally fixing these hardware architectural design problems may yet require users to replace their CPUs.

In the meantime, Torvalds and the Linux kernel developers realize the job isn't completed and they're still hard at work tackling the security holes.

Torvalds said, "It is worth pointing out that it's not like we're 'done' with Spectre/Meltdown. There is more work pending (arm, spectre-v1, misc details), and perhaps equally importantly, to actually get the biggest fix for the indirect branch mitigations, you need not just the kernel updates, you need to have a compiler with support for the 'retpoline' indirect branch model."
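The compiler dependency Torvalds describes is visible from the sysfs vulnerabilities interface that Linux 4.15 introduced: a kernel built without a retpoline-aware compiler reports only a minimal assembly retpoline rather than a full one. The following checker is an added example, not code from the kernel or from this article; the sysfs path is the real one, while the sample status lines are constructed to match the wording the 4.15 x86 code reports.

```python
#!/usr/bin/env python3
"""Classify a Spectre v2 status line from sysfs and say what, if anything,
an administrator still needs to do."""
from pathlib import Path

# Real path exposed by Linux 4.15 and later on x86.
SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")


def classify_spectre_v2(status: str) -> dict:
    """Turn one status line into a verdict.

    'Mitigation: Full ... retpoline'  -> kernel was built with retpoline support
    'Vulnerable: Minimal ... retpoline' -> only hand-written asm thunks; the
                                           compiler lacked retpoline support
    'Vulnerable'                        -> no mitigation at all
    'Not affected'                      -> CPU is not subject to Spectre v2
    """
    text = status.strip()
    lower = text.lower()
    mitigated = text.startswith("Mitigation:")
    full_retpoline = mitigated and "full" in lower and "retpoline" in lower
    minimal_retpoline = "minimal" in lower and "retpoline" in lower
    if text == "Not affected":
        action = "none: CPU not affected"
    elif mitigated:
        action = "none: kernel reports a mitigation"
    elif minimal_retpoline:
        action = "rebuild kernel with a retpoline-capable compiler"
    else:
        action = "update kernel: no Spectre v2 mitigation present"
    return {
        "status": text,
        "mitigated": mitigated,
        "full_retpoline": full_retpoline,
        "compiler_lacked_retpoline": minimal_retpoline,
        "action": action,
    }


def check_running_kernel(path: Path = SYSFS_SPECTRE_V2) -> dict:
    """Read the live sysfs file; report absence on kernels older than 4.15."""
    if not path.exists():
        return {"status": "sysfs interface missing (kernel older than 4.15?)",
                "mitigated": False, "full_retpoline": False,
                "compiler_lacked_retpoline": False, "action": "update kernel"}
    return classify_spectre_v2(path.read_text())


if __name__ == "__main__":
    print(check_running_kernel())
```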

Looking ahead, Torvalds hopes "we'll have a _normal_ and entirely boring release cycle for 4.16. Because boring really is good."
