Public bug reported:

Enforce RETPOLINE and SLS mitigations

Currently retpoline ABI checks in the kernel build do nothing. They
produce no output, as if everything is fine. And if one manually hacks
makefile to "forget" retpoline & SLS mitigation flags, objtool prints
lots of warnings, retpoline ABI check passes and the build is successful.
Yet totally vulnerable.

Proposal is to enforce objtool warnings as fatal errors for RETPOLINE
and SLS, as tested to be passed on mantic for both kernel and all
available dkms. And otherwise rip out custom Ubuntu retpoline abi
checks.

I have prepared this for noble v6.7 kernel, once this lands, I will make
appropriate backports for earlier series as we likely want usable
retpoline build time enforcement in earlier series too where possible.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2046440
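
A build-log gate in the spirit of the proposal above, as an added example that is not part of the bug report or of Ubuntu's kernel packaging: it treats objtool's RETPOLINE and SLS warnings as fatal while ignoring other objtool output. The warning wording is assumed from upstream objtool and can differ between kernel versions; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a build when objtool reports a missing RETPOLINE or SLS
# mitigation. The message wording is an assumption taken from upstream
# objtool; adjust the pattern to the kernel tree being built.
MITIGATION_RE='warning: objtool: .*(indirect (call|jump) found in (MITIGATION_)?RETPOLINE build|missing int3 after (ret|indirect jump))'

# Constructed sample build log: two objects with mitigation warnings plus one
# unrelated objtool warning that must not trip the gate.
sample_log() {
    cat <<'EOF'
  CC      kernel/fork.o
vmlinux.o: warning: objtool: demo_dispatch+0x1c: indirect call found in RETPOLINE build
vmlinux.o: warning: objtool: demo_exit+0x40: missing int3 after ret
drivers/demo/demo.o: warning: objtool: demo_ioctl+0x8a: indirect jump found in RETPOLINE build
vmlinux.o: warning: objtool: demo_init+0x10: unreachable instruction
  LD      vmlinux
EOF
}

# Print "<object> <warning count>" for every object with mitigation warnings.
mitigation_offenders() {
    grep -E "$MITIGATION_RE" "$1" | cut -d: -f1 | sort | uniq -c |
        awk '{ print $2 " " $1 }'
}

# Return 0 for a clean log, 1 if any mitigation warning is present,
# 2 if the log cannot be read (an unreadable log must never count as a pass).
check_mitigations() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "error: cannot read build log: $log" >&2
        return 2
    fi
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e.
    count=$(grep -Ec "$MITIGATION_RE" "$log" || true)
    if [ "$count" -gt 0 ]; then
        echo "error: $count RETPOLINE/SLS objtool warning(s):" >&2
        mitigation_offenders "$log" >&2
        return 1
    fi
    return 0
}
```

Call `check_mitigations build.log` directly after the kernel or DKMS build step so that a non-zero status stops the packaging run.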
