[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre

Robin P. Blanchard robin.blanchard at gmail.com
Wed Mar 7 08:45:55 EST 2018


On Tue, Mar 6, 2018 at 4:48 PM, Phil Perry <phil at elrepo.org> wrote:
> On 18/01/18 20:57, Phil Perry wrote:
>>
>> On 10/01/18 20:36, Phil Perry wrote:
>>>
>>> On 10/01/18 20:06, Phil Perry wrote:
>>>>
>>>>
>>>>
>>>> A vulnerability checker script:
>>>>
>>>>
>>>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>>>>
>>
>> <snip>
>>
>>>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>>> * Mitigation 1
>>> *   Hardware (CPU microcode) support for mitigation:  YES
>>> *   Kernel support for IBRS:  YES
>>> *   IBRS enabled for Kernel space:  YES
>>> *   IBRS enabled for User space:  NO
>>> * Mitigation 2
>>> *   Kernel compiled with retpoline option:  NO
>>> *   Kernel compiled with a retpoline-aware compiler:  NO
>>>  > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
>>>
>>
>> Putting it here so we don't need to keep repeating ourselves:
>>
>> The latest elrepo kernels are now compiled with retpoline options enabled.
>>
>> At present, RHEL does NOT contain a retpoline-aware compiler so mitigation
>> 2 above is not an option at present.
>>
>> As I understand, the retpoline patches have made it into the gcc-8
>> development branch earlier this week, and were backported to the gcc-7
>> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
>> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up to
>> Red Hat to backport these patches to gcc, if that is even feasible. Given
>> that RH have patched their distro kernels for IBRS, I don't even know if
>> they are, or intend to work on retpoline.
>>
>> At this point in time, if mitigation of Spectre variant 2 is important to
>> you, running the distro kernel with a Spectre-enabled firmware update is the
>> best option.
>>
>
> Red Hat have just released updated kernel and gcc packages for RHEL7.4 which
> are retpoline enabled.
>
> Now we have a retpoline-enabled compiler, we can look at using it to build
> the latest elrepo kernels for el7.
>
> I don't have any information regarding retpoline on el6 at present.


Would this, then, be an opportune time to revisit bumping the LTS
kernel from 4.4 to 4.14 ?
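The three facts the checker output quoted above reports for Spectre v2 (what the kernel says, whether it was built with the retpoline option, and whether the installed gcc is retpoline-aware) can be checked without the full script. The following is an added example written for this page, not code from the elrepo project or from anyone in the thread. It assumes the standard sysfs path `/sys/devices/system/cpu/vulnerabilities/spectre_v2`, the el7 convention of `/boot/config-$(uname -r)` for the kernel config, and the gcc flag names `-mindirect-branch=thunk-extern -mindirect-branch-register` that the upstream retpoline work introduced; every function takes its input as an argument so it can also be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the elrepo thread): check the Spectre v2
# mitigation facts on an el7 host. Assumptions: sysfs path below,
# /boot/config-$(uname -r) for the kernel config, and the gcc retpoline
# flags -mindirect-branch=thunk-extern / -mindirect-branch-register.

SYSFS_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the raw spectre_v2 line, or "unknown" when the kernel predates
# the sysfs vulnerabilities interface (older kernels do not have it).
spectre_v2_status() {
    f=${1:-$SYSFS_V2}
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Reduce a spectre_v2 string to one word: mitigated / vulnerable /
# notaffected / unknown. A kernel built with CONFIG_RETPOLINE but with a
# gcc that lacks retpoline support reports itself as Vulnerable.
classify_v2() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Was the running kernel (or the config file given) built with retpoline?
kernel_config_retpoline() {
    cfg=${1:-/boot/config-$(uname -r)}
    [ -r "$cfg" ] && grep -q '^CONFIG_RETPOLINE=y' "$cfg"
}

# Does the compiler accept the retpoline code-generation flags?
# Compiles an empty translation unit to /dev/null; 0 means "yes".
gcc_has_retpoline() {
    cc=${1:-gcc}
    printf 'int main(void){return 0;}\n' |
        "$cc" -mindirect-branch=thunk-extern -mindirect-branch-register \
              -x c -c -o /dev/null - 2>/dev/null
}

# Reproduce the checker's "Mitigation 2" section from the three checks.
report() {
    v2=$(spectre_v2_status "$1")
    echo "spectre_v2 sysfs : $v2 ($(classify_v2 "$v2"))"
    if kernel_config_retpoline "$2"; then echo "CONFIG_RETPOLINE : yes"
    else echo "CONFIG_RETPOLINE : no"; fi
    if gcc_has_retpoline "$3"; then echo "retpoline gcc    : yes"
    else echo "retpoline gcc    : no"; fi
}

# Report on the live system only when run under this file name; sourcing
# the file just defines the functions.
if [ "${0##*/}" = "spectre_v2_check.sh" ]; then report; fi
```

Run it as `sh spectre_v2_check.sh` on the host; to test a kernel or compiler that is not the running one, pass a config file and a compiler path, e.g. `report "" /boot/config-4.14.24-1.el7.elrepo.x86_64 /opt/rh/devtoolset-7/root/usr/bin/gcc` (paths here are illustrative).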

