On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote:
> On 31/01/18 14:04, Mick wrote:
> > Just to dilute my confusion on what I should do to keep desktops safe(r),
> > would someone please clarify:
> > 
> > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15
> > with gcc 7.3, or wait until these versions have been stabilised in the
> > tree?
> > 
> > What gcc version shall I use to update @world from then on?
> > 
> > PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with
> > ARM in them ...
> At the moment, you do need GCC 7.3. However, there is talk about these
> new flags being ported to GCC 6 and possibly even older versions.
> As for the kernel, you don't need 4.15. 4.14 is the latest LTS kernel,
> and it has the needed patches. I think 4.9 (the previous LTS kernel) has
> them too.

Kernel 4.14.15 has the latest patches, so I stayed with the 4.14 series.

> Currently, once you enable CONFIG_RETPOLINE in the kernel config and
> rebuild with GCC 7.3, you should have all currently available kernel
> mitigations. Which currently are:
>    $ cat /sys/devices/system/cpu/vulnerabilities/*
>    Mitigation: PTI
>    Vulnerable
>    Mitigation: Full generic retpoline

I'm good here:

$ dmesg | grep -i Spectre 
[    0.011822] Spectre V2 mitigation: Mitigation: Full generic retpoline

although this post indicates Skylake may still be vulnerable:


Anyway, as I understand it, we'll have to wait for gcc-8.1 in March, which 
utilises 'gcc -mindirect-branch=thunk-extern' to get the benefit of the 
retpoline kernel patch.

> However, improvements to these mitigations will from now on happen for
> kernel 4.16 first and backported later. 4.16 for example got mitigations
> for ARM. It's how kernel upstream works; new stuff is done in the
> current development version, and backported later to still supported
> versions.

Spectre_v1 is still shown as vulnerable on both Intel and AMD. Is there a fix
planned for this?
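Two checks this thread touches on, as an added shell example that is not part of the original message: reading the sysfs vulnerability files quoted above and probing whether the installed gcc accepts the -mindirect-branch=thunk-extern flag. The helper names are mine, and the gcc probe assumes an x86 compiler, since that option is target-specific.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's per-vulnerability
# status and check whether the compiler in use accepts the retpoline flag.
# The sysfs path and the gcc flag are the ones named in the thread.

# Print "name: status" for every file in DIR (default: the live sysfs tree).
# Returns 0 when nothing reports "Vulnerable", 1 otherwise.
summarize_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;   # still exposed, e.g. spectre_v1 in the thread
        esac
    done
    return "$rc"
}

# Feed an empty program to the compiler with the retpoline flag. Returns 0 when
# the compiler accepts it (a patched GCC 7.3 or GCC 8), non-zero otherwise.
gcc_has_retpoline() {
    cc="${1:-gcc}"
    printf 'int main(void){return 0;}\n' \
        | "$cc" -mindirect-branch=thunk-extern -fsyntax-only -x c - 2>/dev/null
}

# Stand-alone use: report against the live sysfs tree when it exists.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    summarize_vulns || echo 'at least one vulnerability is unmitigated'
    if gcc_has_retpoline gcc; then
        echo 'gcc: accepts -mindirect-branch=thunk-extern'
    else
        echo 'gcc: no retpoline support, kernel builds will lack retpolines'
    fi
fi
```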
