[elrepo] kernel-lt and kernel-ml updates for Meltdown and Spectre

Phil Perry phil at elrepo.org
Fri Mar 9 17:47:10 EST 2018 

On 06/03/18 22:48, Phil Perry wrote:
> On 18/01/18 20:57, Phil Perry wrote:
>>
>> Putting it here so we don't need to keep repeating ourselves:
>>
>> The latest elrepo kernels are now compiled with retpoline options 
>> enabled.
>>
>> At present, RHEL does NOT contain a retpoline-aware compiler so 
>> mitigation 2 above is not an option at present.
>>
>> As I understand, the retpoline patches have made it into the gcc-8 
>> development branch earlier this week, and were backported to the gcc-7 
>> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and 
>> RHEL6 ships gcc-4.4.7. AFAIK, these are unsupported upstream so it 
>> will be up to Red Hat to backport these patches to gcc, if that is 
>> even feasible. Given that RH have patched their distro kernels for 
>> IBRS, I don't even know if they are, or intend to work on retpoline.
>>
>> At this point in time, if mitigation of Spectre variant 2 is important 
>> to you, running the distro kernel with a Spectre-enabled firmware 
>> update is the best option.
>>
> 
> Red Hat have just released updated kernel and gcc packages for RHEL7.4 
> which are retpoline enabled.
> 
> Now we have a retpoline-enabled compiler, we can look at using it to 
> build the latest elrepo kernels for el7.
> 

Alan has just released the latest kernel-ml-4.15.8 packages for el7, and 
has confirmed the retpoline status:


# ./spectre-meltdown-checker -v
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.15.8-1.el7.elrepo.x86_64 #1 SMP Fri Mar 9 11:45:52 EST 
2018 x86_64
CPU is AMD Phenom(tm) 9550 Quad-Core Processor

<snip>

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'

* Mitigation 2
   * Kernel compiled with retpoline option: YES
   * Kernel compiled with a retpoline-aware compiler: YES (kernel 
reports full retpoline compilation)
 > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)


Many thanks Alan for all your hard work!

More information about the elrepo mailing list