| 1 |
On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote: |
| 2 |
> On 31/01/18 14:04, Mick wrote: |
| 3 |
> > Just to dilute my confusion on what I should do to keep desktops safe(r), |
| 4 |
> > would someone please clarify: |
| 5 |
> > |
| 6 |
> > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 |
| 7 |
> > with gcc 7.3, or wait until these versions have been stabilised in the |
| 8 |
> > tree? |
| 9 |
> > |
| 10 |
> > What gcc version shall I use to update @world from then on? |
| 11 |
> > |
| 12 |
> > PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with |
| 13 |
> > ARM in them ... |
| 14 |
> |
| 15 |
> At the moment, you do need GCC 7.3. However, there is talk about these |
| 16 |
> new flags being ported to GCC 6 and possibly even older versions. |
| 17 |
> |
| 18 |
> As for the kernel, you don't need 4.15. 4.14 is the latest LTS kernel, |
| 19 |
> and it has the needed patches. I think 4.9 (the previous LTS kernel) has |
| 20 |
> them too. |
| 21 |
|
| 22 |
Kernel 4.14.15 has the latest patches, so I stayed with the 4.14 series. |
| 23 |
|
| 24 |
|
| 25 |
> Currently, once you enable CONFIG_RETPOLINE in the kernel config and |
| 26 |
> rebuild with GCC 7.3, you should have all currently available kernel |
| 27 |
> mitigations. Which currently are: |
| 28 |
> |
| 29 |
> $ cat /sys/devices/system/cpu/vulnerabilities/* |
| 30 |
> Mitigation: PTI |
| 31 |
> Vulnerable |
| 32 |
> Mitigation: Full generic retpoline |
| 33 |
|
| 34 |
I'm good here: |
| 35 |
|
| 36 |
$ dmesg | grep -i Spectre |
| 37 |
[ 0.011822] Spectre V2 mitigation: Mitigation: Full generic retpoline |
| 38 |
|
| 39 |
although this post indicates Skylake may still be vulnerable: |
| 40 |
|
| 41 |
https://lkml.org/lkml/2018/1/4/724 |
| 42 |
|
| 43 |
Anyway, as I understand it, we'll have to wait for gcc-8.1 in March, which |
| 44 |
utilises 'gcc -mindirect-branch=thunk-extern' to get the benefit of the |
| 45 |
retpoline kernel patch. |
| 46 |
|
| 47 |
|
| 48 |
> However, improvements to these mitigations will from now on happen for |
| 49 |
> kernel 4.16 first and backported later. 4.16 for example got mitigations |
| 50 |
> for ARM. It's how kernel upstream works; new stuff is done in the |
| 51 |
> current development version, and backported later to still supported |
| 52 |
> versions. |
| 53 |
|
| 54 |
Spectre_v1 still shown as vulnerable on both Intel and AMD. Is there a fix |
| 55 |
planned for this? |
| 56 |
|
| 57 |
-- |
| 58 |
Regards, |
| 59 |
Mick |
Archives