[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre

Dave Chiluk dchiluk at indeed.com
Wed Mar 7 14:14:51 EST 2018


There are different levels of Long-term
https://www.kernel.org/category/releases.html

4.4 is supported till 2022, 4.14 EOLs in 2020.

Dave.

On Wed, Mar 7, 2018 at 7:46 AM Robin P. Blanchard <robin.blanchard at gmail.com>
wrote:

> On Tue, Mar 6, 2018 at 4:48 PM, Phil Perry <phil at elrepo.org> wrote:
> > On 18/01/18 20:57, Phil Perry wrote:
> >>
> >> On 10/01/18 20:36, Phil Perry wrote:
> >>>
> >>> On 10/01/18 20:06, Phil Perry wrote:
> >>>>
> >>>> A vulnerability checker script:
> >>>>
> >>>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
> >>>>
> >>
> >> <snip>
> >>
> >>>
> >>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> >>> * Mitigation 1
> >>> *   Hardware (CPU microcode) support for mitigation:  YES
> >>> *   Kernel support for IBRS:  YES
> >>> *   IBRS enabled for Kernel space:  YES
> >>> *   IBRS enabled for User space:  NO
> >>> * Mitigation 2
> >>> *   Kernel compiled with retpoline option:  NO
> >>> *   Kernel compiled with a retpoline-aware compiler:  NO
> >>>  > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
> >>>
> >>
> >> Putting it here so we don't need to keep repeating ourselves:
> >>
> >> The latest elrepo kernels are now compiled with retpoline options
> >> enabled.
> >>
> >> At present, RHEL does NOT contain a retpoline-aware compiler so
> >> mitigation 2 above is not an option at present.
> >>
> >> As I understand, the retpoline patches have made it into the gcc-8
> >> development branch earlier this week, and were backported to the gcc-7
> >> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
> >> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up
> >> to Red Hat to backport these patches to gcc, if that is even feasible.
> >> Given that RH have patched their distro kernels for IBRS, I don't even
> >> know if they are, or intend to work on retpoline.
> >>
> >> At this point in time, if mitigation of Spectre variant 2 is important
> >> to you, running the distro kernel with a Spectre-enabled firmware update
> >> is the best option.
> >>
> >
> > Red Hat have just released updated kernel and gcc packages for RHEL7.4
> > which are retpoline enabled.
> >
> > Now we have a retpoline-enabled compiler, we can look at using it to
> > build the latest elrepo kernels for el7.
> >
> > I don't have any information regarding retpoline on el6 at present.
>
>
> Would this, then, be an opportune time to revisit bumping the LTS
> kernel from 4.4 to 4.14 ?
>
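
The decision spelled out in the quoted checker output and the retpoline discussion above, as an added example that is not part of the thread and is not the checker's own code. It assumes report lines in the `*   <label>:  YES|NO` layout quoted above and reads "mitigation 2" as needing both the retpoline option and a retpoline-aware compiler; `spectre_v2_mitigation` and `sample_report` are hypothetical names, and the sample reports are constructed.

```shell
#!/bin/sh
# Added example: classify Spectre Variant 2 mitigation from checker-style text.
# Assumption: lines follow the "*   <label>:  YES|NO" layout quoted in the thread.
spectre_v2_mitigation() {
    awk '
    /^\*.*: *(YES|NO) *$/ {
        line = $0
        sub(/^\* */, "", line)            # drop the bullet and indentation
        n = index(line, ":")
        answer = substr(line, n + 1)
        gsub(/ /, "", answer)             # "  YES" becomes "YES"
        seen[substr(line, 1, n - 1)] = answer
    }
    END {
        # Mitigation 1: microcode support plus IBRS built in and enabled.
        ibrs = (seen["Hardware (CPU microcode) support for mitigation"] == "YES" &&
                seen["Kernel support for IBRS"] == "YES" &&
                seen["IBRS enabled for Kernel space"] == "YES")
        # Mitigation 2: retpoline option AND a retpoline-aware compiler
        # (assumed reading of the thread: the option alone is not enough).
        option   = (seen["Kernel compiled with retpoline option"] == "YES")
        compiler = (seen["Kernel compiled with a retpoline-aware compiler"] == "YES")
        if (ibrs)                    print "ibrs"
        else if (option && compiler) print "retpoline"
        else if (option)             print "retpoline-incomplete"
        else                         print "none"
    }'
}

# Constructed sample report (hypothetical helper). Arguments: microcode,
# IBRS in kernel, retpoline option, retpoline-aware compiler (each YES or NO).
sample_report() {
    cat <<EOF
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  $1
*   Kernel support for IBRS:  $2
*   IBRS enabled for Kernel space:  $2
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  $3
*   Kernel compiled with a retpoline-aware compiler:  $4
EOF
}

sample_report YES YES NO NO | spectre_v2_mitigation  # quoted state: ibrs
sample_report NO NO YES NO | spectre_v2_mitigation   # option, old gcc: retpoline-incomplete
```
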