On Tue, Mar 6, 2018 at 4:48 PM, Phil Perry <p...@elrepo.org> wrote:
> On 18/01/18 20:57, Phil Perry wrote:
>>
>> On 10/01/18 20:36, Phil Perry wrote:
>>>
>>> On 10/01/18 20:06, Phil Perry wrote:
>>>>
>>>> A vulnerability checker script:
>>>>
>>>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>>>>
>>
>> <snip>
>>
>>>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>>> * Mitigation 1
>>> * Hardware (CPU microcode) support for mitigation: YES
>>> * Kernel support for IBRS: YES
>>> * IBRS enabled for Kernel space: YES
>>> * IBRS enabled for User space: NO
>>> * Mitigation 2
>>> * Kernel compiled with retpoline option: NO
>>> * Kernel compiled with a retpoline-aware compiler: NO
>>> > STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
>>>
>>
>> Putting it here so we don't need to keep repeating ourselves:
>>
>> The latest elrepo kernels are now compiled with retpoline options enabled.
>>
>> At present, RHEL does NOT contain a retpoline-aware compiler so mitigation
>> 2 above is not an option at present.
>>
>> As I understand, the retpoline patches have made it into the gcc-8
>> development branch earlier this week, and were backported to the gcc-7
>> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
>> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up to
>> Red Hat to backport these patches to gcc, if that is even feasible. Given
>> that RH have patched their distro kernels for IBRS, I don't even know if
>> they are, or intend to work on retpoline.
>>
>> At this point in time, if mitigation of Spectre variant 2 is important to
>> you, running the distro kernel with a Spectre-enabled firmware update is the
>> best option.
>>
>
> Red Hat have just released updated kernel and gcc packages for RHEL7.4 which
> are retpoline enabled.
>
> Now we have a retpoline-enabled compiler, we can look at using it to build
> the latest elrepo kernels for el7.
>
> I don't have any information regarding retpoline on el6 at present.

Would this, then, be an opportune time to revisit bumping the LTS kernel from 4.4 to 4.14?