On Tue, Mar 6, 2018 at 4:48 PM, Phil Perry <p...@elrepo.org> wrote:
> On 18/01/18 20:57, Phil Perry wrote:
>>
>> On 10/01/18 20:36, Phil Perry wrote:
>>>
>>> On 10/01/18 20:06, Phil Perry wrote:
>>>>
>>>>
>>>>
>>>> A vulnerability checker script:
>>>>
>>>>
>>>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>>>>
>>
>> <snip>
>>
>>>
>>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>>> * Mitigation 1
>>> *   Hardware (CPU microcode) support for mitigation:  YES
>>> *   Kernel support for IBRS:  YES
>>> *   IBRS enabled for Kernel space:  YES
>>> *   IBRS enabled for User space:  NO
>>> * Mitigation 2
>>> *   Kernel compiled with retpoline option:  NO
>>> *   Kernel compiled with a retpoline-aware compiler:  NO
>>>  > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
>>>
>>
>> Putting it here so we don't need to keep repeating ourselves:
>>
>> The latest elrepo kernels are now compiled with retpoline options enabled.
>>
>> At present, RHEL does NOT contain a retpoline-aware compiler so mitigation
>> 2 above is not an option at present.
>>
>> As I understand, the retpoline patches have made it into the gcc-8
>> development branch earlier this week, and were backported to the gcc-7
>> branch a couple days ago. RHEL7 currently ships with gcc-4.8.5 and RHEL6
>> ships gcc-4.4.7. AFAIK, these are unsupported upstream so it will be up to
>> Red Hat to backport these patches to gcc, if that is even feasible. Given
>> that RH have patched their distro kernels for IBRS, I don't even know if
>> they are, or intend to work on retpoline.
>>
>> At this point in time, if mitigation of Spectre variant 2 is important to
>> you, running the distro kernel with a Spectre-enabled firmware update is the
>> best option.
>>
>
> Red Hat have just released updated kernel and gcc packages for RHEL7.4 which
> are retpoline enabled.
>
> Now we have a retpoline-enabled compiler, we can look at using it to build
> the latest elrepo kernels for el7.
>
> I don't have any information regarding retpoline on el6 at present.


Would this, then, be an opportune time to revisit bumping the LTS
kernel from 4.4 to 4.14 ?
_______________________________________________
elrepo mailing list
elrepo@lists.elrepo.org
http://lists.elrepo.org/mailman/listinfo/elrepo

Reply via email to