We are already looking into the Meltdown and Spectre vulnerabilities. We made a list of all our supported devices, and are trying to get patches into ResinOS as fast as we can.
One thing to keep in mind is that Meltdown and Spectre require code execution on the device, so these vulnerabilities can only be exploited once an attacker is already able to execute code on the device itself.
You are right that the Raspberry Pi is not affected, but the BeagleBone Black, which uses a Cortex-A8 processor, is affected by Variants 1 and 2 of Spectre. https://developer.arm.com/support/security-update
We are looking into the kernel patches for KPTI (Kernel page-table isolation) and how we get these patches into ResinOS as fast as possible. ARM points to the arm64 Linux kernel patches for KPTI: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=kpti
The base images are not affected by Variant 2, because docker containers do not have their own kernel, but are just “namespaced” within the kernel of the host-OS.
Variant 1 becomes a problem when untrusted code is executed in a sandboxed environment. We are currently trying to find situations where this could be a problem in ResinOS. One example of this would be the eBPF system in the kernel.
For devices that are affected by Variant 3 of Spectre (aka Meltdown) the same kernel patches (KPTI) will mitigate the problem.
Variant 3a, which might leak information from privileged system registers, does not require any additional software mitigation.
For more technical details on how Spectre and Meltdown affect ARM devices and what software mitigations are available, we can refer to the ARM whitepaper: https://developer.arm.com/support/security-update/download-the-whitepaper
We will open up issues for these in the device repositories of ResinOS https://github.com/resin-os/, where we will track the progress on these.
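As an added example (not resin.io's or ResinOS's own code), here is a shell check a device owner can run on a host to see whether the running kernel reports the Spectre/Meltdown mitigations discussed above. It reads the per-issue status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ and, on kernels that export their config, looks for the arm64 KPTI Kconfig symbol CONFIG_UNMAP_KERNEL_AT_EL0 from the upstream series; the sample status strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: report the kernel's own Spectre/Meltdown mitigation status.
# Kernels older than 4.15 (or without the backported patches) have no
# vulnerabilities/ directory at all, which is itself a useful signal.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints "mitigated", "vulnerable" or "unknown"
# for a line as written by the kernel, e.g. "Mitigation: PTI",
# "Not affected", "Vulnerable" (constructed samples).
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_host -> one line per issue; returns 0 when every reported issue
# is mitigated, 1 when at least one is still vulnerable, 2 when the
# kernel does not report mitigation status at all.
report_host() {
    report_rc=0
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: kernel predates mitigation reporting, check kernel version and patches"
        return 2
    fi
    for f in "$VULN_DIR"/meltdown "$VULN_DIR"/spectre_v1 "$VULN_DIR"/spectre_v2; do
        [ -r "$f" ] || continue
        line=$(cat "$f")
        st=$(classify_status "$line")
        echo "$(basename "$f"): $st ($line)"
        if [ "$st" = vulnerable ]; then report_rc=1; fi
    done
    # The arm64 KPTI series is selected by this Kconfig symbol; only visible
    # when the kernel was built with CONFIG_IKCONFIG_PROC.
    if [ -r /proc/config.gz ] && zcat /proc/config.gz | grep -q '^CONFIG_UNMAP_KERNEL_AT_EL0=y'; then
        echo "kconfig: CONFIG_UNMAP_KERNEL_AT_EL0=y (arm64 KPTI built in)"
    fi
    return $report_rc
}

if report_host; then
    echo "all reported issues mitigated"
else
    echo "unmitigated issues or no mitigation reporting (see above)"
fi
```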