[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre
Phil Perry
phil at elrepo.org
Tue Mar 6 17:48:27 EST 2018
On 18/01/18 20:57, Phil Perry wrote:
> On 10/01/18 20:36, Phil Perry wrote:
>> On 10/01/18 20:06, Phil Perry wrote:
>>>
>>>
>>> A vulnerability checker script:
>>>
>>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>>>
>>>
>
> <snip>
>
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigation 1
>> * Hardware (CPU microcode) support for mitigation: YES
>> * Kernel support for IBRS: YES
>> * IBRS enabled for Kernel space: YES
>> * IBRS enabled for User space: NO
>> * Mitigation 2
>> * Kernel compiled with retpoline option: NO
>> * Kernel compiled with a retpoline-aware compiler: NO
>> > STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
>>
>
> Putting it here so we don't need to keep repeating ourselves:
>
> The latest elrepo kernels are now compiled with retpoline options enabled.
>
> At present, RHEL does NOT contain a retpoline-aware compiler so
> mitigation 2 above is not an option at present.
>
> As I understand, the retpoline patches have made it into the gcc-8
> development branch earlier this week, and were backported to the gcc-7
> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up
> to Red Hat to backport these patches to gcc, if that is even feasible.
> Given that RH have patched their distro kernels for IBRS, I don't even
> know if they are, or intend to work on retpoline.
>
> At this point in time, if mitigation of Spectre variant 2 is important
> to you, running the distro kernel with a Spectre-enabled firmware update
> is the best option.
>
Red Hat have just released updated kernel and gcc packages for RHEL7.4
which are retpoline enabled.

Now we have a retpoline-enabled compiler, we can look at using it to
build the latest elrepo kernels for el7.

I don't have any information regarding retpoline on el6 at present.
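
Added example (not part of the original post, and not code from elrepo or the spectre-meltdown-checker project): kernels that include the sysfs vulnerability reporting state their own Spectre Variant 2 verdict, which separates the cases discussed in this thread (retpoline option without a retpoline-aware compiler, full retpoline, IBRS). The function names and output labels are hypothetical, and the loose match on "IBRS" is an assumption because that wording varies between kernels.

```shell
#!/bin/sh
# Added example: classify the kernel's own Spectre v2 (CVE-2017-5715) report.
# Function names and labels are illustrative, not from any project.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 STRING -> prints one short label for the report string
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)
            echo not-affected ;;
        Vulnerable:*Minimal*retpoline*)
            # Kernel built with the retpoline option, but by a compiler
            # that is not retpoline-aware: only the asm thunks are covered.
            echo retpoline-minimal ;;
        Mitigation:*[Rr]etpoline*)
            # Retpoline option plus a retpoline-aware compiler.
            echo retpoline-full ;;
        Mitigation:*IBRS*)
            # Assumption: a kernel relying on IBRS names it in the string.
            echo ibrs ;;
        Vulnerable*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# spectre_v2_status [FILE] -> label for the running kernel (or a given file)
spectre_v2_status() {
    file=${1:-$SPECTRE_V2_SYSFS}
    if [ ! -r "$file" ]; then
        # Kernel predates the sysfs reporting interface; use a checker script.
        echo no-sysfs-report
        return 0
    fi
    line=""
    # read fails on a missing trailing newline but still fills $line
    IFS= read -r line < "$file" || true
    classify_spectre_v2 "$line"
}

echo "spectre_v2: $(spectre_v2_status)"
```

A result of retpoline-minimal on a kernel built with the retpoline option indicates the compiler used for the build was not retpoline-aware.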