Re: retpoline-enabled GCC build for jessie

2018-02-22 Thread Moritz Mühlenhoff
Hi,

Holger Levsen wrote:
> I have a stupid/uninformed question: is this gcc only useful for
> rebuilding the kernel or would it "in theory" (and practice) be better
> to rebuild everything with it? (of course the latter is probably not really
> practical for Debian, but others could do it more easily.)

The immediate specific need for the GCC update in oldstable and stable
is the Linux kernel, there are no plans to rebuild other packages in
released distributions at this point.

We might add this to the dpkg-buildflags default flags for buster
as a generic hardening measure, but that requires additional
work/consideration/discussion. Fortunately the buster freeze is
still quite some time away, so we're in the comfortable position
to evaluate without time pressure.

Cheers,
Moritz



Re: retpoline-enabled GCC build for jessie

2018-02-19 Thread Davide Prina

On 18/02/2018 10:44, who.are.you wrote:
> On Sat, Feb 17, 2018 at 07:03:00PM +, Holger Levsen wrote:
> > is this gcc only useful for
> > rebuilding the kernel or would it "in theory" (and practice) be better
> > to rebuild everything with it? (of course the latter is probably not really
> > practical for Debian, but others could do it more easily.)
> 
> Does this mean re-installing Debian is the best way to mitigate Spectre?
> If yes, would re-installing Debian from now (and onwards) be a good time to 
> avoid Spectre vulnerabilities?


If a Debian package is recompiled, then this package is a new version of 
the previous package and you get it as a Debian update. So if it is 
better to rebuild everything with retpoline enabled, I think that someone in 
Debian will recompile all the packages and you get them as a Debian 
update... and so you don't have to re-install Debian (or if you 
reinstall Debian you get the same system you have already... without 
retpoline enabled, because I haven't seen any package recompiled with 
that, for now).


Ciao
Davide

PS: I am I



Re: retpoline-enabled GCC build for jessie

2018-02-18 Thread who . are . you

Does this mean re-installing Debian is the best way to mitigate Spectre?
If yes, would re-installing Debian from now (and onwards) be a good time to 
avoid Spectre vulnerabilities?


On Sat, Feb 17, 2018 at 07:03:00PM +, Holger Levsen wrote:
> On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> > The update for gcc-4.9 has just been released.
> > Test packages for gcc-6/stretch are now available at 
> > https://people.debian.org/~jmm/gcc6/
>  
> Thanks for your work on this, Moritz.
> 
> I have a stupid/uninformed question: is this gcc only useful for
> rebuilding the kernel or would it "in theory" (and practice) be better
> to rebuild everything with it? (of course the latter is probably not really
> practical for Debian, but others could do it more easily.)
> 
> 
> -- 
> cheers,
>   Holger




Re: retpoline-enabled GCC build for jessie

2018-02-17 Thread Holger Levsen
On Sat, Feb 17, 2018 at 02:35:22PM +0100, Moritz Mühlenhoff wrote:
> The update for gcc-4.9 has just been released.
> Test packages for gcc-6/stretch are now available at 
> https://people.debian.org/~jmm/gcc6/
 
Thanks for your work on this, Moritz.

I have a stupid/uninformed question: is this gcc only useful for
rebuilding the kernel or would it "in theory" (and practice) be better
to rebuild everything with it? (of course the latter is probably not really
practical for Debian, but others could do it more easily.)


-- 
cheers,
Holger




Re: retpoline-enabled GCC build for jessie

2018-02-17 Thread Moritz Mühlenhoff
Fabian Grünbichler wrote:
> > > (and is the Stretch / gcc-6 update planned in the same
> > > time frame as well?)
> > 
> > Yes, an update for GCC 6 is also in the works, but will probably be a few days
> > after the jessie update.
> 
> any special reason for that? (out of curiosity, since we had also
> already prepared a gcc-6 package based on Stretch 6.3.0-18 using the
> same approach which seems to work fine so far..)

The update for gcc-4.9 has just been released.

Test packages for gcc-6/stretch are now available at 
https://people.debian.org/~jmm/gcc6/
Additional test feedback also very welcome.

Cheers,
Moritz



Re: retpoline-enabled GCC build for jessie

2018-02-15 Thread Moritz Mühlenhoff
On Thu, Feb 15, 2018 at 02:55:02PM +0100, Fabian Grünbichler wrote:
> > > (and is the Stretch / gcc-6 update planned in the same
> > > time frame as well?)
> > 
> > Yes, an update for GCC 6 is also in the works, but will probably be a few days
> > after the jessie update.
> 
> any special reason for that? (out of curiosity, since we had also
> already prepared a gcc-6 package based on Stretch 6.3.0-18 using the
> same approach which seems to work fine so far..)

Just a lack of time, I've prepared a build, but want to run more tests
before I'll make it public for further testing (probably during the
weekend).

> > > anyway, will report back with some test results (with a custom 4.4-based
> > > kernel) tomorrow.
> 
> no issues cropped up during initial internal testing, so we'll probably
> publish a public test kernel tomorrow and wait for more feedback.

OK, thanks.

Cheers,
Moritz



Re: retpoline-enabled GCC build for jessie

2018-02-15 Thread Fabian Grünbichler
On Wed, Feb 14, 2018 at 10:55:27PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote:
> > is there a debdiff / source available as well?
> 
> Above URL includes the source, but no debdiff (you can simply debdiff against
> the latest jessie package).

seems I overlooked that on the first glance. functionally identical to our
parallel work, which is probably a good sign.

> 
> > or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9
> > backport branch?
> 
> hjl's patches and some modifications dropping the texinfo which are stripped
> for DFSGish reasons.

and also don't apply as-is anyway ;)

> 
> > (and is the Stretch / gcc-6 update planned in the same
> > time frame as well?)
> 
> Yes, an update for GCC 6 is also in the works, but will probably be a few days
> after the jessie update.

any special reason for that? (out of curiosity, since we had also
already prepared a gcc-6 package based on Stretch 6.3.0-18 using the
same approach which seems to work fine so far..)

> 
> > anyway, will report back with some test results (with a custom 4.4-based
> > kernel) tomorrow.

no issues cropped up during initial internal testing, so we'll probably
publish a public test kernel tomorrow and wait for more feedback.



Re: retpoline-enabled GCC build for jessie

2018-02-14 Thread Moritz Mühlenhoff
On Wed, Feb 14, 2018 at 03:26:31PM +0100, Fabian Grünbichler wrote:
> is there a debdiff / source available as well?

Above URL includes the source, but no debdiff (you can simply debdiff against
the latest jessie package).

> or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9
> backport branch?

hjl's patches and some modifications dropping the texinfo which are stripped
for DFSGish reasons.

> (and is the Stretch / gcc-6 update planned in the same
> time frame as well?)

Yes, an update for GCC 6 is also in the works, but will probably be a few days
after the jessie update.

> anyway, will report back with some test results (with a custom 4.4-based
> kernel) tomorrow.

Thanks.

Cheers,
Moritz



Re: retpoline-enabled GCC build for jessie

2018-02-14 Thread Fabian Grünbichler
> Hi,
> I've created a GCC 4.9 package for jessie with backported support for
> -mindirect-branch (as needed to build kernels with retpoline support).
> packages are available at https://people.debian.org/~jmm/gcc/. I've run some
> tests, but would appreciate additional testing feedback; the update is planned
> to be released end of week/weekend.
> 
> Cheers,
> Moritz

is there a debdiff / source available as well?

or is it "just" Jessie's current state plus the 9 patches from hjl's 4.9
backport branch? (and is the Stretch / gcc-6 update planned in the same
time frame as well?)

anyway, will report back with some test results (with a custom 4.4-based
kernel) tomorrow.
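The announcement quoted above says the backported GCC gains `-mindirect-branch`, the option the kernel build needs for retpolines. A practitioner testing such a package usually wants two quick checks: does the installed compiler accept the option and actually emit retpoline thunks, and does the running kernel report a Spectre v2 mitigation in sysfs. The script below is an added example written for this thread, not code from the Debian packages or from any poster. It assumes an x86 GCC (clang spells the option differently and will be reported as unsupported), that GCC names its thunks `__x86_indirect_thunk_*`, and that the kernel exposes `/sys/devices/system/cpu/vulnerabilities/spectre_v2`; the status strings in the comments are constructed samples of what that file prints.

```shell
#!/bin/sh
# Added example (not from the thread): probe the compiler for retpoline
# support and classify the kernel's Spectre v2 status line.

# Compile a tiny function containing an indirect call with
# -mindirect-branch=thunk and look for the thunk symbol in the assembly.
# Prints one of: supported, unsupported, no-compiler
probe_retpoline_support() {
    compiler="${1:-gcc}"
    command -v "$compiler" >/dev/null 2>&1 || { echo no-compiler; return 0; }
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/t.c" <<'EOF'
/* Constructed test input: the indirect call through fp is what a
   retpoline thunk replaces. */
int call_through(int (*fp)(int), int x) { return fp(x); }
EOF
    if "$compiler" -O2 -mindirect-branch=thunk -S -o "$tmp/t.s" "$tmp/t.c" 2>/dev/null \
       && grep -q '__x86_indirect_thunk' "$tmp/t.s"; then
        echo supported
    else
        # Either the option was rejected (old GCC, clang, non-x86 target)
        # or no thunk was generated.
        echo unsupported
    fi
    rm -rf "$tmp"
}

# Classify one spectre_v2 sysfs line. Constructed sample inputs:
#   "Mitigation: Full generic retpoline"         -> mitigated
#   "Vulnerable: Minimal generic ASM retpoline"  -> vulnerable
#   "Not affected"                               -> not-affected
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Read the live kernel status; prints unknown when the kernel predates the
# sysfs vulnerabilities interface or the file is not readable.
kernel_spectre_v2_status() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] || { echo unknown; return 0; }
    classify_spectre_v2 "$(cat "$f")"
}

echo "compiler retpoline support: $(probe_retpoline_support "${CC:-gcc}")"
echo "kernel spectre_v2 status:   $(kernel_spectre_v2_status)"
```

Run it on the host after installing the test package; a rebuilt kernel booted on retpoline-capable GCC should move the sysfs line from the "Vulnerable: ..." form to "Mitigation: Full generic retpoline", while the compiler probe tells you whether the toolchain itself is ready before you start a kernel build.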