If anybody wants to add full retpoline mitigation (against Spectre
v2) to an older system, the following works on x86_64 (I no longer
have i686 systems to test on).

I have tested this on my oldest available system (LFS-7.6, using
gcc-4.9.1 and which had used a 3.18 kernel) to prove the approach.
That system will never be used to connect to anything external (too
many vulnerabilities, in particular its version of openssl is no
longer maintained), it  is only there in case I want to see if such
an old system can build current LFS.

So, if it works there it will also work on newer systems!

What I do is build a minimal gcc-7.3 in /opt/kgcc and then use that
to compile a supported kernel.  On that oldest system I used the
latest 4.4 kernel, on a less old system I have used the latest 4.9
kernel, and for more recent systems I either use the latest 4.14 or
(recent test systems) 4.5.0.

If anybody used the HJL gcc patches I posted at the start of the
month, using gcc-7.3 provides no benefit.  But for everybody else,
it will help reduce the attack surface for Spectre v2.

1. gcc-7.3

I based my build on what is in BLFS for gcc-7.2, with the following

1.1 In the configure I changed the prefix and languages to
 --prefix=/opt/kgc --enable-languages=c
and added

Some of the other things can probably be turned off (compare LFS gcc
pass 2, e.g. libssp), but this is minimal enough for my purpose.

1.2 Do NOT run the tests - the proof of the pudding is in the
eating, either it will compile your kernel successfully, or it

2. The kernel

2.1 Fix up the config (normally, make oldconfig - I keep my configs
in the kernel, in /proc/config.gz so I can initialise .config for
this).  Ensure that retpoline support is selected (it defaults to Y,
like PTI).

2.2 If you have configured this source tree before (e.g. for an
earlier point release of the same minor version), make clean so that
the build-system files where compiler lack of support for retpoline
was recorded will be cleared out.

2.3 build the kernel using
 PATH=/opt/kgcc/bin:$PATH make -jN (N for numbner of cores).

2.4 install modules, if used, and the kernel, add it to grub.cfg so
that you can revert to an older kernel if problems.

3. Reboot.

You should be able to see the result by running
 cat /sys/devices/system/cpu/vulnerabilities/spectre_v2

Assuming it worked, run your usual acceptance tests to check that
everything you rely on still works.

That just leaves Spectre v1 to be addressed.

Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
                                     - Unseen Academicals
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Do not top post on this list.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


Reply via email to