If you are running a current kernel, in
/sys/devices/system/cpu/vulnerabilities you will see there is now an
entry for spec_store_bypass.
On Intel machines, you will need updated firmware to be able to fix
that. So, I looked at the latest (20180425) firmware for my
haswell. There _is_ a new version there (0x24, dated from January)
but that is NOT enough, that file still says 'Vulnerable'.
On AMD, new firmware is apparently not needed.
With linux-4.17.0 on my ryzen that file contains
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
but that actually means something like "only a program which uses
seccomp, for the new prctl for this, will be mitigated".
I found the documentation hard to grok (too many negatives), but
apparently adding a bootarg of spec_store_bypass_disable=on does
turn it on all the time on suitable machines.
The reason it is not normally enabled all the time is that it will
apparently slow things down a lot. I hope to do _some_ tests with
it set, but for the moment I don't have time.
ĸen
--
Keyboard not found, Press F1 to continue
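
Added example, not part of the original message: a small C program that asks the kernel for the per-task Speculative Store Bypass state through the prctl interface the message refers to, and opts the task in when the kernel allows it. The helper name ssb_task_protected is hypothetical; the fallback constants are the values from the kernel's include/uapi/linux/prctl.h and are only used if the installed headers predate 4.17.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Values from the kernel's uapi prctl.h, for headers older than 4.17. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Hypothetical helper: interpret a PR_GET_SPECULATION_CTRL result.
   Returns 1 = protected (mitigated, or CPU not affected), 0 = not
   mitigated, -1 = call failed. *can_opt_in: task may change it itself. */
int ssb_task_protected(long state, int *can_opt_in)
{
    *can_opt_in = 0;
    if (state < 0)
        return -1;                 /* kernel too old or not supported */
    if (state == 0)
        return 1;                  /* PR_SPEC_NOT_AFFECTED */
    *can_opt_in = (state & PR_SPEC_PRCTL) && !(state & PR_SPEC_FORCE_DISABLE);
    /* "DISABLE" = the speculation feature is off = mitigation is ON */
    return (state & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) ? 1 : 0;
}

int main(void)
{
    int can_opt_in;
    long st = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
    int ok = ssb_task_protected(st, &can_opt_in);
    printf("before: protected=%d can_opt_in=%d\n", ok, can_opt_in);

    if (ok == 0 && can_opt_in) {
        /* Opt this task in: disable speculative store bypass for it. */
        if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                  PR_SPEC_DISABLE, 0UL, 0UL) != 0)
            perror("PR_SET_SPECULATION_CTRL");
        st = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
        printf("after:  protected=%d\n", ssb_task_protected(st, &can_opt_in));
    }
    return 0;
}
```

On a machine where the sysfs file reads "disabled via prctl and seccomp", an ordinary task starts as protected=0 can_opt_in=1; booted with spec_store_bypass_disable=on it reports protected=1 can_opt_in=0.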