<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thanks Lachlan,<div class=""><br class=""></div><div class="">So the key to having IBRS/IBPB is a retpolite aware compiler...</div><div class=""><br class=""></div><div class=""><blockquote type="cite" cite="mid:C0A8765E-6473-4A0B-9E60-3EE9F01E7E60@smcleod.net" style="background-color: rgb(255, 255, 255);" class=""><blockquote type="cite" class=""><div class=""><div class=""><div class="" style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);"> * Kernel compiled with a retpoline-aware compiler: <span class="" style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);"> NO </span> (kernel reports minimal retpoline compilation)</div></div></div></blockquote></blockquote></div><div class=""><br class=""></div><div class="">What a mess this whole thing is (preaching to the choir I'm sure) - it's turned my head inside out more than once.</div><div class=""><br class=""></div><div class="">Thanks again for the clarification.</div><div class=""><br class=""></div><div class=""><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;">--<br class="">Sam McLeod (protoporpoise on IRC)</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><a href="https://smcleod.net" class="">https://smcleod.net</a><br class="">https://twitter.com/s_mcleod<br class=""><br class="">Words are my own opinions and do not necessarily represent those of my employer or partners.</div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 31 Jan 2018, at 10:47 am, Lachlan Musicman <<a href="mailto:datakid@gmail.com" class="">datakid@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="auto" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><div class=""><div class="gmail_extra"><div class="gmail_quote">On 31 Jan. 2018 10:35 am, "Sam McLeod" <<a href="mailto:mailinglists@smcleod.net" class="">mailinglists@smcleod.net</a>> wrote:<br type="attribution" class=""><blockquote class="quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word; line-break: after-white-space;" class="">Hi Trevor,<div class=""><br class=""></div><div class="">I didn't think that to compile a kernel with IBRS/IBPB your<span class="Apple-converted-space"> </span><i class="">compiler</i> had to be updated as well?</div><div class="">I thought that was a seperate issue but perhaps I'm mistaken.<div class="quoted-text"><br class=""><div class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" class=""></div></div></div></div></div></div></div></div></blockquote></div></div></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Yes, it does require a newer compiler...you can see the details of why here:</div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><a href="https://support.google.com/faqs/answer/7625886" class="">https://support.google.com/faqs/answer/7625886</a><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class="">Cheers</div><div dir="auto" class="">L.</div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><br class=""></div><div dir="auto" class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div style="word-wrap: break-word; line-break: after-white-space;" class=""><div class=""><div class="quoted-text"><div class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" class=""><br class="">--<br class="">Sam McLeod<br class=""><a href="https://smcleod.net/" target="_blank" class="">https://smcleod.net</a><br class=""><a href="https://twitter.com/s_mcleod" target="_blank" class="">https://twitter.com/s_mcleod</a></div></div></div></div></div></div><div class="elided-text"><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 31 Jan 2018, at 12:22 am, Trevor Hemsley <<a href="mailto:themsley@voiceflex.com" target="_blank" class="">themsley@voiceflex.com</a>> wrote:</div><br class="m_1858835190506110400Apple-interchange-newline"><div class=""><div text="#000000" bgcolor="#FFFFFF" class=""><div class="m_1858835190506110400moz-cite-prefix">Sam<br class=""><br class="">I'm not ELRepo but I don't think they can do that until/unless RH fix the compilers in the distro to be retpoline aware. If they do.<br class=""><br class="">And, in any case, Intel have pretty much said "don't use the new microcode" so there is no working microcode available that the kernel can use anyway. All the vendors have pulled their BIOS updates and backed out e.g. the microcode_ctl updates.<br class=""><br class="">Trevor<br class=""><br class="">On 30/01/18 08:42, Sam McLeod wrote:<br class=""></div><blockquote type="cite" class="">Are there any plans to enable IBRS/IBPB in the kernel-ml kernels?<div class=""><br class=""></div><div class="">While I understand the desire to keep the builds as ‘stock’ as possible, given the potential impact of the this I’d consider it a worth enabling unless I’m misunderstanding the situation?</div><div class=""><br class=""><div class=""><div class=""><div class=""><div class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div class=""><font class=""><span style="background-color: rgba(255, 255, 255, 0);" class="">--<br class="">Sam McLeod<br class=""><a href="https://smcleod.net/" target="_blank" class="">https://smcleod.net</a><br class=""><a href="https://twitter.com/s_mcleod" target="_blank" class="">https://twitter.com/s_mcleod</a></span></font></div><div class=""><font class=""><span style="background-color: rgba(255, 255, 255, 0);" class=""><br class=""></span></font></div></div></div></div></div></div></div></div><div class=""><br class="">On 30 Jan 2018, at 10:09 am, Sam McLeod <<a href="mailto:mailinglists@smcleod.net" target="_blank" class="">mailinglists@smcleod.net</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class="">For those wondering about the status of Spectre and Meltdown on kernel-ml 4.15, below is the output of the speed47 test (<a href="https://github.com/speed47/spectre-meltdown-checker" target="_blank" class="">https://github.com/speed47/<wbr class="">spectre-meltdown-checker</a>).<div class=""><br class=""></div><div class="">I've found this to be consistent between CentOS 7 VMs (PVHVM) on XenServer 7.2 w/ E5-2660 CPUs and physical servers using older X5650 CPUs.</div><div class=""><br class=""></div><div class="">So it looks like at present we're still vulnerable to Spectre Variant 1 and 2 with Kernel 4.15, obviously resolving this in full will require a working microcode update from Intel.<br class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""># ./spectre-meltdown-checker.sh</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(100, 181, 246); background-color: rgb(0, 0, 0);" class="">Spectre and Meltdown mitigation detection tool v0.33+</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">Checking for vulnerabilities on current system</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(106, 30, 154); background-color: rgb(0, 0, 0);" class=""><span style="color: rgb(234, 234, 234);" class="">Kernel is<span class="Apple-converted-space"> </span></span>Linux 4.15.0-1.el7.elrepo.x86_64 #1 SMP Sun Jan 28 20:45:20 EST 2018 x86_64</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(106, 30, 154); background-color: rgb(0, 0, 0);" class=""><span style="color: rgb(234, 234, 234);" class="">CPU is<span class="Apple-converted-space"> </span></span>Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(100, 181, 246); background-color: rgb(0, 0, 0);" class="">Hardware check</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Hardware support (CPU microcode) for mitigation techniques</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Indirect Branch Restricted Speculation (IBRS)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* SPEC_CTRL MSR is available: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU indicates IBRS capability: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Indirect Branch Prediction Barrier (IBPB)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* PRED_CMD MSR is available: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU indicates IBPB capability: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Single Thread Indirect Branch Predictors (STIBP)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* SPEC_CTRL MSR is available: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU indicates STIBP capability: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Enhanced IBRS (IBRS_ALL)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU indicates ARCH_CAPABILITIES MSR availability: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): <span style="color: rgb(44, 44, 44); background-color: rgb(21, 101, 192);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* CPU microcode is known to cause stability problems: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* CPU vulnerability to the three speculative execution attacks variants</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Vulnerable to Variant 1: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Vulnerable to Variant 2: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Vulnerable to Variant 3: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(100, 181, 246); background-color: rgb(0, 0, 0);" class="">CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Mitigated according to the /sys interface: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO </span><span class="Apple-converted-space"> </span>(kernel confirms your system is vulnerable)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(44, 44, 44); background-color: rgb(0, 0, 0);" class=""><span style="color: rgb(234, 234, 234);" class="">><span class="Apple-converted-space"> </span></span><span style="background-color: rgb(0, 131, 143);" class="">STATUS:</span><span style="color: rgb(234, 234, 234);" class=""> </span><span style="background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>VULNERABLE </span><span style="color: rgb(234, 234, 234);" class=""><span class="Apple-converted-space"> </span>(Vulnerable)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(100, 181, 246); background-color: rgb(0, 0, 0);" class="">CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Mitigated according to the /sys interface: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO </span><span class="Apple-converted-space"> </span>(kernel confirms your system is vulnerable)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Mitigation 1</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Kernel is compiled with IBRS/IBPB support: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Currently enabled features</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* IBRS enabled for Kernel space: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* IBRS enabled for User space: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* IBPB enabled: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Mitigation 2</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Kernel compiled with retpoline option: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Kernel compiled with a retpoline-aware compiler: <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>NO </span><span class="Apple-converted-space"> </span>(kernel reports minimal retpoline compilation)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class=""> <span class="Apple-converted-space"> </span>* Retpoline enabled: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">><span class="Apple-converted-space"> </span><span style="color: rgb(44, 44, 44); background-color: rgb(0, 131, 143);" class="">STATUS:</span> <span style="color: rgb(44, 44, 44); background-color: rgb(198, 40, 40);" class=""><span class="Apple-converted-space"> </span>VULNERABLE </span><span class="Apple-converted-space"> </span>(Vulnerable: Minimal generic ASM retpoline)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(100, 181, 246); background-color: rgb(0, 0, 0);" class="">CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Mitigated according to the /sys interface: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>YES </span><span class="Apple-converted-space"> </span>(kernel confirms that the mitigation is active)</div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Kernel supports Page Table Isolation (PTI): <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* PTI enabled and active: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>YES</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">* Running as a Xen PV DomU: <span style="color: rgb(44, 44, 44); background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>NO</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(44, 44, 44); background-color: rgb(0, 0, 0);" class=""><span style="color: rgb(234, 234, 234);" class="">><span class="Apple-converted-space"> </span></span><span style="background-color: rgb(0, 131, 143);" class="">STATUS:</span><span style="color: rgb(234, 234, 234);" class=""> </span><span style="background-color: rgb(85, 139, 47);" class=""><span class="Apple-converted-space"> </span>NOT VULNERABLE </span><span style="color: rgb(234, 234, 234);" class=""><span class="Apple-converted-space"> </span>(Mitigation: PTI)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0); min-height: 18px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "IBM Plex Mono"; color: rgb(234, 234, 234); background-color: rgb(0, 0, 0);" class="">A false sense of security is worse than no security at all, see --disclaimer</div><div class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; line-break: after-white-space;" class=""><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;" class=""><br class="">--<br class="">Sam McLeod<br class=""><a href="https://smcleod.net/" target="_blank" class="">https://smcleod.net</a><br class=""><a href="https://twitter.com/s_mcleod" target="_blank" class="">https://twitter.com/s_mcleod</a></div></div></div></div></div><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 30 Jan 2018, at 5:20 am, Alan Bartlett <<a href="mailto:ajb@elrepo.org" target="_blank" class="">ajb@elrepo.org</a>> wrote:</div><br class="m_1858835190506110400Apple-interchange-newline"><div class=""><div class="">Announcing the release of the kernel-ml-4.15.0-1.el7.elrepo package<br class="">set into the EL7 elrepo-kernel repository:<br class=""><br class=""><a href="https://elrepo.org/tiki/kernel-ml" target="_blank" class="">https://elrepo.org/tiki/<wbr class="">kernel-ml</a><br class=""><br class="">The following files are currently synchronising to our mirror sites:<br class=""><br class="">x86_64<br class="">kernel-ml-4.15.0-1.el7.elrepo.<wbr class="">x86_64.rpm<br class="">kernel-ml-devel-4.15.0-1.el7.<wbr class="">elrepo.x86_64.rpm<br class="">kernel-ml-doc-4.15.0-1.el7.<wbr class="">elrepo.noarch.rpm<br class="">kernel-ml-headers-4.15.0-1.<wbr class="">el7.elrepo.x86_64.rpm<br class="">kernel-ml-tools-4.15.0-1.el7.<wbr class="">elrepo.x86_64.rpm<br class="">kernel-ml-tools-libs-4.15.0-1.<wbr class="">el7.elrepo.x86_64.rpm<br class="">kernel-ml-tools-libs-devel-4.<wbr class="">15.0-1.el7.elrepo.x86_64.rpm<br class="">perf-4.15.0-1.el7.elrepo.x86_<wbr class="">64.rpm<br class="">python-perf-4.15.0-1.el7.<wbr class="">elrepo.x86_64.rpm<br class=""><br class="">nosrc<br class="">kernel-ml-4.15.0-1.el7.elrepo.<wbr class="">nosrc.rpm<br class=""><br class="">We provide these kernels for hardware testing in an effort to identify<br class="">new/updated drivers which can then be targeted for backporting as kmod<br class="">packages. Meanwhile, these kernels may provide interim relief to<br class="">people with non-functional hardware. We stress that we consider such<br class="">kernels as a last resort for those who are unable to get their<br class="">hardware working using the RHEL-7 kernel with supplementary kmod<br class="">packages.<br class=""><br class="">These packages are provided "As-Is" with no implied warranty or<br class="">support. Using the kernel-ml may expose your system to security,<br class="">performance and/or data corruption issues. Since timely updates may<br class="">not be available from the ELRepo Project, the end user has the<br class="">ultimate responsibility for deciding whether to continue using the<br class="">kernel-ml packages in regular service.<br class=""><br class="">The packages are intentionally named kernel-ml so as not to conflict<br class="">with the RHEL-7 kernels and, as such, they may be installed and<br class="">updated alongside the regular kernel. The kernel configuration is<br class="">based upon a default RHEL-7 configuration with added functionality<br class="">enabled as appropriate.<br class=""><br class="">If a bug is found when using these kernels, the end user is encouraged<br class="">to report it upstream to the Linux Kernel Bug Tracker [1] and, for our<br class="">reference, to the ELRepo bug tracker [2]. By taking such action, the<br class="">reporter will be assisting the kernel developers, Red Hat and the Open<br class="">Source Community as a whole.<br class=""><br class="">Thank you,<br class=""><br class="">The ELRepo Team.<br class=""><br class="">[1]<span class="Apple-converted-space"> </span><a href="https://bugzilla.kernel.org/" target="_blank" class="">https://bugzilla.kernel.org/</a><br class="">[2]<span class="Apple-converted-space"> </span><a href="https://elrepo.org/bugs/" target="_blank" class="">https://elrepo.org/bugs/</a><br class="">______________________________<wbr class="">_________________<br class="">elrepo mailing list<br class=""><a href="mailto:elrepo@lists.elrepo.org" target="_blank" class="">elrepo@lists.elrepo.org</a><br class=""><a href="http://lists.elrepo.org/mailman/listinfo/elrepo" target="_blank" class="">http://lists.elrepo.org/<wbr class="">mailman/listinfo/elrepo</a><br class=""></div></div></blockquote></div><br class=""></div></div></div></blockquote><blockquote type="cite" class=""><div class=""><span class="">______________________________<wbr class="">_________________</span><br class=""><span class="">elrepo mailing list</span><br class=""><span class=""><a href="mailto:elrepo@lists.elrepo.org" target="_blank" class="">elrepo@lists.elrepo.org</a></span><br class=""><span class=""><a href="http://lists.elrepo.org/mailman/listinfo/elrepo" target="_blank" class="">http://lists.elrepo.org/<wbr class="">mailman/listinfo/elrepo</a></span><br class=""></div></blockquote></div><br clear="all" class="">______________________________<wbr class="">______________________________<wbr class="">__________<br class="">This email has been scanned by the Symantec Email Security.cloud service.<br class="">For more information please visit<span class="Apple-converted-space"> </span><a class="m_1858835190506110400moz-txt-link-freetext" href="http://www.symanteccloud.com/" target="_blank">http://www.symanteccloud.com</a><br class="">______________________________<wbr class="">______________________________<wbr class="">__________<br class=""><br class=""><fieldset class="m_1858835190506110400mimeAttachmentHeader"></fieldset><br class=""><pre class="">______________________________<wbr class="">_________________
elrepo mailing list
<a class="m_1858835190506110400moz-txt-link-abbreviated" href="mailto:elrepo@lists.elrepo.org" target="_blank">elrepo@lists.elrepo.org</a>
<a class="m_1858835190506110400moz-txt-link-freetext" href="http://lists.elrepo.org/mailman/listinfo/elrepo" target="_blank">http://lists.elrepo.org/<wbr class="">mailman/listinfo/elrepo</a>
</pre></blockquote><p class=""><br class=""></p></div></div></blockquote></div><br class=""></div></div></div><br class="">______________________________<wbr class="">_________________<br class="">elrepo mailing list<br class=""><a href="mailto:elrepo@lists.elrepo.org" class="">elrepo@lists.elrepo.org</a><br class=""><a href="http://lists.elrepo.org/mailman/listinfo/elrepo" rel="noreferrer" target="_blank" class="">http://lists.elrepo.org/<wbr class="">mailman/listinfo/elrepo</a><br class=""><br class=""></blockquote></div><br class=""></div></div></div><span style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><span style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">elrepo mailing list</span><br style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="mailto:elrepo@lists.elrepo.org" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">elrepo@lists.elrepo.org</a><br style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><a href="http://lists.elrepo.org/mailman/listinfo/elrepo" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">http://lists.elrepo.org/mailman/listinfo/elrepo</a></div></blockquote></div><br class=""></div></body></html>