On Mon, Jan 29, 2018 at 4:19 AM, Nikos Chantziaras <[email protected]> wrote:
> For this to work, you need to enable CONFIG_RETPOLINE in the kernel:
>
> Processor type and features
>   [*] Avoid speculative indirect branches in kernel
>
Note that in general upstream recommends enabling these protections even if your CPU isn't vulnerable. In general the kernel detects at boot what is needed and they've done some work to try to use the least invasive solution needed for your particular CPU. Then, if you later re-use that config on a vulnerable CPU without thinking about it (perhaps years from now) you won't be left unprotected.

The only really expensive mitigation is for Meltdown (PTI) and it is disabled automatically on AMD CPUs. The Retpolines are also adjusted by CPU type.

There is talk of allowing KPTI to be disabled per-process in the future, which would be the best of both worlds. If you had a database server you could disable KPTI on the database server process itself (which does effectively give it root access, though only if exploited - it isn't going to accidentally mess things up), but still leave the overall system protected against random processes escalating privs. If you have a dedicated database server then probably the only process you truly worry about is the database server itself, so if something is running malicious code on this process you've already lost whether it has root access or not.

Though, I would probably also point out that I would use care applying this to containers and not just to VMs, because the vulnerability would let you cross container boundaries, but not VMs (assuming you haven't enabled similar exceptions to PTI in the hypervisor).

-- 
Rich
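Added example, not part of the thread: a small POSIX sh script that reads the kernel's own per-CPU mitigation report (the /sys/devices/system/cpu/vulnerabilities files Linux 4.15 added) and checks whether the running kernel config has CONFIG_RETPOLINE and CONFIG_PAGE_TABLE_ISOLATION built in, so you can confirm what the boot-time detection actually chose (e.g. PTI off on AMD, retpolines on) rather than inferring it from the .config alone. The config-file locations it tries are assumptions about a typical distro layout.

```shell
#!/bin/sh
# Summarize speculative-execution mitigations as reported by the kernel itself,
# and check the build config for the retpoline / PTI options.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # present since Linux 4.15 (x86)

# classify <status-string>: map the kernel's free-form status text to a short verdict.
# The files contain strings like "Mitigation: PTI", "Not affected", "Vulnerable".
classify() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "unknown" ;;
    esac
}

# kconfig_has <CONFIG_OPTION> <config-file>: succeed iff the option is built in (=y).
kconfig_has() {
    grep -q "^$1=y\$" "$2" 2>/dev/null
}

# find_kconfig: print a readable path to the running kernel's config, if one exists.
# Assumed locations: /proc/config.gz (CONFIG_IKCONFIG_PROC) or /boot/config-<release>.
find_kconfig() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

report() {
    if [ -d "$VULN_DIR" ]; then
        for f in "$VULN_DIR"/*; do
            status=$(cat "$f")
            printf '%-12s %-12s %s\n' "$(basename "$f")" "$(classify "$status")" "$status"
        done
    else
        echo "$VULN_DIR missing: kernel older than 4.15 or not x86" >&2
    fi
    cfg=$(find_kconfig)
    for opt in CONFIG_RETPOLINE CONFIG_PAGE_TABLE_ISOLATION; do
        if [ -n "$cfg" ] && kconfig_has "$opt" "$cfg"; then
            echo "$opt=y"
        else
            echo "$opt not set (or kernel config not readable)"
        fi
    done
}

report
```

A "Mitigation:" line for meltdown on an AMD box, or CONFIG_RETPOLINE=y with spectre_v2 still reported as "Vulnerable", is the mismatch worth investigating (old compiler without retpoline support, or a config that was never rebuilt).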

