[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
** Tags added: cscc

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1790457

Title:
  kernel: improve spectre mitigation

Status in Ubuntu on IBM z Systems: Fix Released
Status in linux package in Ubuntu: Fix Released
Status in qemu package in Ubuntu: Fix Released
Status in linux source package in Bionic: Fix Released
Status in qemu source package in Bionic: Fix Released

Bug description:
  [Impact]

   * eToken Facility will help to mitigate spectre. With it in place use of expolines can be omitted.
     Kernel https://github.com/torvalds/linux/commit/aeaf7002a76c8da60c0f503badcbddc07650678c
     KVM to pass it to guests: https://patchwork.kernel.org/patch/10532197/

   * Backport the changes to Qemu/Kernel so that the impact of the spectre fixes can be minimized.

  [Test Case]

   * First of all you need HW with the facility available. For HW without nothing should change at all, well maybe a message that it wasn't detected when the new kernel boots.

   * When running on HW with the Facility and a fixed kernel then the facility should be reported as being available.

   * With a fixed Kernel AND Qemu this facility should be passed to the guest so that it can benefit from the improvements as well.

   * Due to a lack of such HW IBM volunteered to do the verification on this bug.

  [Regression Potential]

   * Detection and passing of a Facility is nothing new, s390x has plenty of them and this is in some sense "just one more" so regressions should be minimal. The one thing we thought about was how an enabled Kernel/qemu would behave on systems that do not have the facility, but in all tests that was correctly detected and continues to use expoline.

  [Other Info]

   * n/a

  ---

  Description will follow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1790457/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
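
Added example (not part of the bug report or of the kernel/qemu patches): a shell check for the [Test Case] steps above that can be run on the host and again inside a KVM guest. It assumes what the upstream s390 kernel code uses, neither of which is stated on this page: the etoken facility is facility bit 156 in the "facilities" line of /proc/cpuinfo, and the kernel reports its choice in /sys/devices/system/cpu/vulnerabilities/spectre_v2. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: classify the Spectre v2 mitigation state of an s390x system.
# The classifier takes its inputs as text so it can be exercised offline.

ETOKEN_FACILITY=156   # assumption: facility bit tested by the upstream kernel

# has_facility FACILITIES BIT
# FACILITIES is the space-separated bit list from the "facilities" line of
# /proc/cpuinfo. Compares whole numbers, so "15" or "56" never match 156.
has_facility() {
    for bit in $1; do
        [ "$bit" = "$2" ] && return 0
    done
    return 1
}

# classify_spectre_v2 FACILITIES SYSFS_VALUE
# Prints one line describing whether the reported mitigation matches what
# the hardware (or the CPU model qemu exposes to the guest) offers.
classify_spectre_v2() {
    facilities=$1
    sysfs=$2
    if has_facility "$facilities" "$ETOKEN_FACILITY"; then
        case $sysfs in
            "Mitigation: etokens")
                echo "ok: etoken facility present and in use" ;;
            "")
                echo "unknown: etoken facility present, no spectre_v2 status" ;;
            *)
                echo "check: etoken facility present but kernel reports '$sysfs'" ;;
        esac
    else
        case $sysfs in
            "Mitigation: etokens")
                echo "inconsistent: etokens reported without facility 156" ;;
            "Mitigation: execute trampolines")
                echo "ok: no etoken facility, expolines in use" ;;
            Mitigation:*)
                echo "ok: no etoken facility, fallback '$sysfs'" ;;
            *)
                echo "vulnerable: no etoken facility and no mitigation reported" ;;
        esac
    fi
}

# live_check: read both inputs from the running system.
live_check() {
    fac=$(sed -n 's/^facilities[[:space:]]*:[[:space:]]*//p' /proc/cpuinfo 2>/dev/null | head -n 1)
    sys=$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null)
    classify_spectre_v2 "$fac" "$sys"
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A guest that reports "ok: no etoken facility, expolines in use" on etoken-capable hardware indicates that the host kernel or qemu is not passing the facility through.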
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu7.6

---
qemu (1:2.11+dfsg-1ubuntu7.6) bionic; urgency=medium

  [ Christian Ehrhardt ]
  * Add cpu model for z14 ZR1 (LP: #1780773)
  * d/p/ubuntu/lp-1789551-seccomp-set-the-seccomp-filter-to-all-threads.patch:
    ensure that the seccomp blacklist is applied to all threads
    (LP: #1789551)
    - CVE-2018-15746
  * improve s390x spectre mitigation with etoken facility (LP: #1790457)
    - debian/patches/ubuntu/lp-1790457-s390x-kvm-add-etoken-facility.patch
    - debian/patches/ubuntu/lp-1790457-partial-s390x-linux-headers-update.patch

  [ Phillip Susi ]
  * d/p/ubuntu/lp-1787267-fix-en_us-vnc-pipe.patch: Fix pipe, greater
    than and less than keys over vnc when using en_us kemaps
    (LP: #1787267).

 -- Christian Ehrhardt  Wed, 29 Aug 2018 11:46:37 +0200

** Changed in: qemu (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15746
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
** Changed in: ubuntu-z-systems
       Status: Fix Committed => Fix Released
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
Since cosmic contains kernel 4.18.0.8.9 and git says that 's390: detect etoken facility' is included:

$ git log --oneline | grep "s390: detect etoken facility"
edb9bc2 s390: detect etoken facility
$ git tag --contains edb9bc2
Ubuntu-4.18.0-8.9
Ubuntu-4.18.0-9.10
Ubuntu-raspi2-4.18.0-1004.4
Ubuntu-raspi2-4.18.0-1004.5
Ubuntu-raspi2-4.18.0-1004.6

I'm marking cosmic ["linux (Ubuntu)"] as Fix Released, too.

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
And just for the records, the kernel part already landed in xenial, too:
xenial updates kernel today: 4.4.0.137.

$ git log --oneline | grep "s390: detect etoken facility"
c32821c s390: detect etoken facility
$ git tag --contains c32821c
Ubuntu-4.4.0-136.162
Ubuntu-4.4.0-137.163
Ubuntu-4.4.0-138.164
Ubuntu-raspi2-4.4.0-1099.107
Ubuntu-snapdragon-4.4.0-1103.108
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
Since bionic-updates contains kernel 4.15.0-36. and git says that 's390: detect etoken facility' is included:

$ git log --oneline | grep "s390: detect etoken facility"
cffc6b1 s390: detect etoken facility
$ git tag --contains cffc6b1
Ubuntu-4.15.0-35.38
Ubuntu-4.15.0-36.39
Ubuntu-4.15.0-37.40
Ubuntu-raspi2-4.15.0-1025.27

I'm marking bionic as Fix Released.

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
Thanks for testing, setting tags accordingly.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
To be clear - this relies on special HW to be present, so I can't validate it.
IBM was so kind to verify the PPAs in advance, it would be great if you could do so again with the bits in proposed.
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
Hello bugproxy, or anyone else affected,

Accepted qemu into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: qemu (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-bionic
[Kernel-packages] [Bug 1790457] Re: kernel: improve spectre mitigation
** Information type changed from Private Security to Public Security