[Kernel-packages] [Bug 1762719] [NEW] System Z {kernel} UBUNTU18.04 wrong kernel config

2018-04-10 Thread bugproxy
Public bug reported:

Kernel config 4.15.0-13-generic #14 (and same for 4.15.0-15-generic) is
not OK, because both security mechanisms nobp AND expoline are enabled:

CONFIG_KERNEL_NOBP=y
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

If the kernel is compiled with a gcc that can generate expoline thunks
the correct config is as follows:

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

Alternatively the auto-detection patch can be used which is upstream as
of today:

commit 6e179d64126b909f0b288fa63cdbf07c531e9b1d

s390: add automatic detection of the spectre defense

Automatically decide between nobp vs. expolines if the spectre_v2=auto
kernel parameter is specified or CONFIG_EXPOLINE_AUTO=y is set.

The decision made at boot time due to CONFIG_EXPOLINE_AUTO=y being set
can be overruled with the nobp, nospec and spectre_v2 kernel parameters.

If this patch is used, then the correct config is

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
CONFIG_EXPOLINE_AUTO=y
# CONFIG_EXPOLINE_FULL is not set

This patch goes together with three others, so a total of four patches
would be needed for the latest-and-greatest solution:

b2e2f43a01bace1a25bdbae04c9f9846882b727a
6e179d64126b909f0b288fa63cdbf07c531e9b1d
bc035599718412cfba9249aa713f90ef13f13ee9
d424986f1d6b16079b3231db0314923f4f8deed1

** Affects: ubuntu-z-systems
 Importance: Critical
 Assignee: Canonical Kernel Team (canonical-kernel-team)
 Status: Triaged

** Affects: linux (Ubuntu)
 Importance: Undecided
 Assignee: Skipper Bug Screeners (skipper-screen-team)
 Status: New


** Tags: architecture-s39064 bugnameltc-166584 severity-critical 
targetmilestone-inin1804

** Tags added: architecture-s39064 bugnameltc-166584 severity-critical
targetmilestone-inin---

** Changed in: ubuntu
 Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Package changed: ubuntu => linux (Ubuntu)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1762719

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
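
A check for the config combinations this report lists, as an added example that is not part of the original bug report or of any Ubuntu or kernel tooling. The function names and verdict strings are assumptions of this example, and the sample configs are constructed from the fragments quoted in the report.

```shell
#!/bin/sh
# Classify an s390 kernel config against the layouts named in the report.

# is_y FILE SYMBOL: succeeds only if the exact line "SYMBOL=y" is present,
# so "# SYMBOL is not set" never counts as enabled.
is_y() {
    grep -qxF "$2=y" "$1"
}

# check_spectre_config FILE: prints one verdict word (names are hypothetical).
check_spectre_config() {
    cfg=$1
    if ! is_y "$cfg" CONFIG_EXPOLINE; then
        echo "no-expoline"   # not one of the layouts the report describes
    elif is_y "$cfg" CONFIG_KERNEL_NOBP; then
        echo "conflict"      # nobp AND expoline both enabled: the reported bug
    elif is_y "$cfg" CONFIG_EXPOLINE_AUTO; then
        echo "ok-auto"       # layout given for the auto-detection patch
    elif is_y "$cfg" CONFIG_EXPOLINE_FULL; then
        echo "ok-full"       # layout given for a gcc with expoline thunks
    else
        echo "other"
    fi
}

# write_sample NAME FILE: constructed sample configs mirroring the report.
write_sample() {
    case $1 in
    shipped) printf '%s\n' 'CONFIG_KERNEL_NOBP=y' 'CONFIG_EXPOLINE=y' \
                 '# CONFIG_EXPOLINE_OFF is not set' \
                 '# CONFIG_EXPOLINE_MEDIUM is not set' 'CONFIG_EXPOLINE_FULL=y' ;;
    full)    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' 'CONFIG_EXPOLINE=y' \
                 '# CONFIG_EXPOLINE_OFF is not set' \
                 '# CONFIG_EXPOLINE_MEDIUM is not set' 'CONFIG_EXPOLINE_FULL=y' ;;
    auto)    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' 'CONFIG_EXPOLINE=y' \
                 '# CONFIG_EXPOLINE_OFF is not set' 'CONFIG_EXPOLINE_AUTO=y' \
                 '# CONFIG_EXPOLINE_FULL is not set' ;;
    esac > "$2"
}

# Run the classifier over the three constructed samples.
tmp=$(mktemp -d)
for s in shipped full auto; do
    write_sample "$s" "$tmp/$s"
    printf '%-8s %s\n' "$s" "$(check_spectre_config "$tmp/$s")"
done
rm -rf "$tmp"
```

On an installed system the same function can be pointed at the packaged config, for example `check_spectre_config "/boot/config-$(uname -r)"`.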


[Kernel-packages] [Bug 1762719] [NEW] System Z {kernel} UBUNTU18.04 wrong kernel config

2018-04-10 Thread Launchpad Bug Tracker
You have been subscribed to a public bug:

Kernel config 4.15.0-13-generic #14 (and same for 4.15.0-15-generic) is
not OK, because both security mechanisms nobp AND expoline are enabled:

CONFIG_KERNEL_NOBP=y
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

If the kernel is compiled with a gcc that can generate expoline thunks
the correct config is as follows:

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_EXPOLINE_MEDIUM is not set
CONFIG_EXPOLINE_FULL=y

Alternatively the auto-detection patch can be used which is upstream as
of today:

commit 6e179d64126b909f0b288fa63cdbf07c531e9b1d

s390: add automatic detection of the spectre defense

Automatically decide between nobp vs. expolines if the spectre_v2=auto
kernel parameter is specified or CONFIG_EXPOLINE_AUTO=y is set.

The decision made at boot time due to CONFIG_EXPOLINE_AUTO=y being set
can be overruled with the nobp, nospec and spectre_v2 kernel parameters.

If this patch is used, then the correct config is

# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
CONFIG_EXPOLINE_AUTO=y
# CONFIG_EXPOLINE_FULL is not set

This patch goes together with three others, so a total of four patches
would be needed for the latest-and-greatest solution:

b2e2f43a01bace1a25bdbae04c9f9846882b727a
6e179d64126b909f0b288fa63cdbf07c531e9b1d
bc035599718412cfba9249aa713f90ef13f13ee9
d424986f1d6b16079b3231db0314923f4f8deed1

** Affects: linux (Ubuntu)
 Importance: Undecided
 Assignee: Skipper Bug Screeners (skipper-screen-team)
 Status: New


** Tags: architecture-s39064 bugnameltc-166584 severity-critical 
targetmilestone-inin---
-- 
System Z {kernel} UBUNTU18.04 wrong kernel config
https://bugs.launchpad.net/bugs/1762719
You received this bug notification because you are a member of Kernel Packages, 
which is subscribed to linux in Ubuntu.
