Hi,

the last publicly available version of PaX / grsecurity will probably
never be ported to work with the Meltdown / Spectre fixes.

The only option is to use minipli's last release (4.9.74) and port all
non-Spectre-related fixes from upstream's 4.9 branch [1] to it. However,
you should only run such a kernel on CPUs not affected by Meltdown /
Spectre, such as the Raspberry Pi or Intel's Atom (the in-order ones
codenamed "Bonnell") [2].

Bear in mind that upstream is porting fixes from PaX to mainline, albeit
at a slow pace. I've rebased the last pax-only patch on 4.9.74 but
decided for myself that it's not worth maintaining a 4.9 fork.

Cheers,
Philipp

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/?h=linux-4.9.y
[2] https://en.wikipedia.org/wiki/List_of_Intel_Atom_microprocessors

On 02.09.2018 at 22:39, Ren Nyo wrote:
> In minipli's GitHub branch, in issues someone ported changes up to
> 4.9.105. However without Spectre and Meltdown fixes. You should write
> to the grsecurity team about a personal license. If they receive many
> letters, maybe they will make such a license available.
>
> Sun, 2 Sep 2018, 11:43 Alex Efros <powerman@××××××××.name>:
>
>> Hi!
>>
>> On Sat, Apr 14, 2018 at 12:33:55AM +0000, Ren Nyo wrote:
>>> I contacted minipli, and he said that the unofficial grsecurity kernel is
>>> frozen. So we should not wait for him to port KPTI and Meltdown.
>>
>> Looks like there is no progress so far. :(
>>
>> Are there any other options to get a kernel newer than 4.9.74 with
>> GrSecurity/PaX for personal use, or is it now available only for a high
>> price, i.e. enterprise-only?
>>
>> --
>> WBR, Alex.