On 18/01/18 20:57, Phil Perry wrote:
On 10/01/18 20:36, Phil Perry wrote:
On 10/01/18 20:06, Phil Perry wrote:
A vulnerability checker script:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: YES
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
Putting it here so we don't need to keep repeating ourselves:
The latest elrepo kernels are now compiled with retpoline options enabled.
At present, RHEL does NOT contain a retpoline-aware compiler so
mitigation 2 above is not an option at present.
As I understand, the retpoline patches have made it into the gcc-8
development branch earlier this week, and were backported to the gcc-7
branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up
to Red Hat to backport these patches to gcc, if that is even feasible.
Given that RH have patched their distro kernels for IBRS, I don't even
know if they are, or intend to, work on retpoline.
At this point in time, if mitigation of Spectre variant 2 is important
to you, running the distro kernel with a Spectre-enabled firmware update
is the best option.
Red Hat have just released updated kernel and gcc packages for RHEL7.4
which are retpoline enabled.
Now we have a retpoline-enabled compiler, we can look at using it to
build the latest elrepo kernels for el7.
I don't have any information regarding retpoline on el6 at present.
elrepo mailing list
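The checker output quoted above reports three separate facts: whether the compiler is retpoline-aware, whether the kernel was configured with retpoline, and what the kernel itself says about Spectre v2. The script below is an added example for re-running those checks after a kernel or gcc update; it is not code from the thread, from elrepo, or from the vulnerability checker itself. The compiler flags are the ones the upstream kernel Makefile probes with cc-option; the sysfs strings are the upstream kernel's spectre_v2 strings, and the "Mitigation: IBRS" sample and the file paths are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not from the elrepo thread): reproduce the three checks the
# quoted checker output reports on.
#   1. does the installed compiler accept the retpoline flags the kernel build uses?
#   2. does the kernel config have CONFIG_RETPOLINE=y?
#   3. what does the kernel report in sysfs (full retpoline, minimal, IBRS, ...)?
# Paths and sample strings below are assumptions / constructed samples.

# 1. Compiler probe. The upstream kernel Makefile tests exactly these two
#    flags with cc-option; a gcc without the retpoline backport rejects them.
#    Returns 0 = retpoline-aware, 1 = not aware, 2 = compiler not found.
gcc_has_retpoline() {
    cc=${1:-gcc}
    command -v "$cc" >/dev/null 2>&1 || return 2
    printf 'int f(void){return 0;}\n' \
      | "$cc" -mindirect-branch=thunk-extern -mindirect-branch-register \
              -c -x c - -o /dev/null >/dev/null 2>&1 && return 0
    return 1
}

# 2. Kernel config check; argument is a config file such as
#    /boot/config-$(uname -r). Prints "yes" or "no" (missing file counts as no).
kernel_config_retpoline() {
    if grep -qx 'CONFIG_RETPOLINE=y' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# 3. Classify the sysfs spectre_v2 string
#    (/sys/devices/system/cpu/vulnerabilities/spectre_v2 on kernels that have it).
#    Upstream only reports "Mitigation: Full ... retpoline" when the compiler
#    supported retpoline; a CONFIG_RETPOLINE=y kernel built with an unaware gcc
#    reports "Vulnerable: Minimal generic ASM retpoline" instead.
classify_spectre_v2() {
    case "$1" in
        "Not affected")                 echo not-affected ;;
        "Mitigation: Full"*retpoline*)  echo retpoline-full ;;
        "Mitigation:"*)                 echo mitigated-other ;;   # e.g. an IBRS-based kernel (assumed sample)
        "Vulnerable: Minimal"*)         echo retpoline-minimal ;; # config yes, compiler no
        *)                              echo vulnerable ;;
    esac
}

# Stand-alone run against this machine. Every step is guarded so a missing
# compiler or sysfs file is reported rather than aborting the script.
report() {
    rc=0
    gcc_has_retpoline gcc || rc=$?
    case $rc in
        0) echo "gcc: retpoline-aware" ;;
        1) echo "gcc: NOT retpoline-aware" ;;
        *) echo "gcc: not installed" ;;
    esac
    cfg=/boot/config-$(uname -r)          # assumed location on el6/el7
    echo "CONFIG_RETPOLINE=y in $cfg: $(kernel_config_retpoline "$cfg")"
    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$sysfs" ]; then
        echo "kernel spectre_v2: $(classify_spectre_v2 "$(cat "$sysfs")")"
    else
        echo "kernel spectre_v2: $sysfs not present (older kernel without sysfs reporting)"
    fi
}

report
```

The compiler probe is the one that matters for the "Mitigation 2" lines in the checker output: on a stock el7 gcc-4.8.5 without Red Hat's backport it returns 1, and the kernel build then falls back to the minimal ASM retpoline, which the kernel itself still labels as Vulnerable.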