I've noticed that Xen has updated the XSA-254 advisory with Spectre v2
mitigations for Xen 4.6-4.10. I know we'd have to figure out how to
backport Retpoline-compatible compilers to these various build
environments in order to get the full protection (Debian has backported
that support to the gcc versions in jessie and stretch so that implies
that at least the backported gcc patches are now available), but is
there any chance that these Xen patches will be incorporated into the
Qubes versions soon?

https://xenbits.xen.org/xsa/advisory-254.html

And a side question about qubes-builder: Does it build in a chroot? I'd
like to attempt to backport a build environment that has a
retpoline-enabled version of gcc, and I'm wondering if I could just
bypass qubes-builder entirely and run make rpms-dom0 in a build
environment where I've manually upgraded the gcc version to be
Retpoline-compatible in an FC23 or FC25 template like I do when I
compile my own kernels.

Also: Are there any dangers in compiling the Xen rpms in an FC25
template and then installing them in R3.2 dom0's FC23 environment? Or
should I just build it in an FC23 environment to be safe? I haven't
encountered any issues in doing that with kernels (although I don't
compile third-party out-of-tree kernel drivers either), but I don't know
what Xen would link against during compilation to know if that's safe to
do or not.
