<div dir="ltr">There are different levels of Long-term<div><a href="https://www.kernel.org/category/releases.html">https://www.kernel.org/category/releases.html</a><br></div><div><br></div><div>4.4 is supported till 2022, 4.14 EOLs in 2020.</div><div><br></div><div>Dave.</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Mar 7, 2018 at 7:46 AM Robin P. Blanchard <<a href="mailto:robin.blanchard@gmail.com">robin.blanchard@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Mar 6, 2018 at 4:48 PM, Phil Perry <<a href="mailto:phil@elrepo.org" target="_blank">phil@elrepo.org</a>> wrote:<br>
> On 18/01/18 20:57, Phil Perry wrote:<br>
>><br>
>> On 10/01/18 20:36, Phil Perry wrote:<br>
>>><br>
>>> On 10/01/18 20:06, Phil Perry wrote:<br>
>>>><br>
>>>><br>
>>>><br>
>>>> A vulnerability checker script:<br>
>>>><br>
>>>><br>
>>>> <a href="https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh</a><br>
>>>><br>
>><br>
>> &lt;snip&gt;<br>
>><br>
>>><br>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'<br>
>>> * Mitigation 1<br>
>>> * Hardware (CPU microcode) support for mitigation: YES<br>
>>> * Kernel support for IBRS: YES<br>
>>> * IBRS enabled for Kernel space: YES<br>
>>> * IBRS enabled for User space: NO<br>
>>> * Mitigation 2<br>
>>> * Kernel compiled with retpoline option: NO<br>
>>> * Kernel compiled with a retpoline-aware compiler: NO<br>
>>> > STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)<br>
>>><br>
>><br>
>> Putting it here so we don't need to keep repeating ourselves:<br>
>><br>
>> The latest elrepo kernels are now compiled with retpoline options enabled.<br>
>><br>
>> At present, RHEL does NOT contain a retpoline-aware compiler so mitigation<br>
>> 2 above is not an option at present.<br>
>><br>
>> As I understand, the retpoline patches have made it into the gcc-8<br>
>> development branch earlier this week, and were backported to the gcc-7<br>
>> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6<br>
>> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up to<br>
>> Red Hat to backport these patches to gcc, if that is even feasible. Given<br>
>> that RH have patched their distro kernels for IBRS, I don't even know if<br>
>> they are, or intend to work on retpoline.<br>
>><br>
>> At this point in time, if mitigation of Spectre variant 2 is important to<br>
>> you, running the distro kernel with a Spectre-enabled firmware update is the<br>
>> best option.<br>
>><br>
><br>
> Red Hat have just released updated kernel and gcc packages for RHEL7.4 which<br>
> are retpoline enabled.<br>
><br>
> Now we have a retpoline-enabled compiler, we can look at using it to build<br>
> the latest elrepo kernels for el7.<br>
><br>
> I don't have any information regarding retpoline on el6 at present.<br>
<br>
<br>
Would this, then, be an opportune time to revisit bumping the LTS<br>
kernel from 4.4 to 4.14?<br>
_______________________________________________<br>
elrepo mailing list<br>
<a href="mailto:elrepo@lists.elrepo.org" target="_blank">elrepo@lists.elrepo.org</a><br>
<a href="http://lists.elrepo.org/mailman/listinfo/elrepo" rel="noreferrer" target="_blank">http://lists.elrepo.org/mailman/listinfo/elrepo</a><br>
</blockquote></div>