On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote: > On 31/01/18 14:04, Mick wrote: > > Just to dilute my confusion on what I should do to keep desktops safe(r), > > would someone please clarify: > > > > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 > > with gcc 7.3, or wait until these versions have been stabilised in the > > tree? > > > > What gcc version shall I use to update @world from then on? > > > > PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with > > ARM in them ... > > At the moment, you do need GCC 7.3. However, there is talk about these > new flags being ported to GCC 6 and possibly even older versions. > > As for the kernel, you don't need 4.15. 4.14 is the latest LTS kernel, > and it has the needed patches. I think 4.9 (the previous LTS kernel) has > them too.
Kernel 4.14.15 has the latest patches, so I stayed with the 4.14 series. > Currently, once you enable CONFIG_RETPOLINE in the kernel config and > rebuild with GCC 7.3, you should have all currently available kernel > mitigations. Which currently are: > > $ cat /sys/devices/system/cpu/vulnerabilities/* > Mitigation: PTI > Vulnerable > Mitigation: Full generic retpoline I'm good here: $ dmesg | grep -i Spectre [ 0.011822] Spectre V2 mitigation: Mitigation: Full generic retpoline although this post indicates Skylake may still be vulnerable: https://lkml.org/lkml/2018/1/4/724 Anyway, as I understand it, we'll have to wait for gcc-8.1 in March, which utilises 'gcc -mindirect-branch=thunk-extern' to get the benefit of the retpoline kernel patch. > However, improvements to these mitigations will from now on happen for > kernel 4.16 first and backported later. 4.16 for example got mitigations > for ARM. It's how kernel upstream works; new stuff is done in the > current development version, and backported later to still supported > versions. Spectre_v1 still shown as vulnerable on both Intel and AMD. Is there a fix planned for this? -- Regards, Mick
Description: This is a digitally signed message part.