Re: Compiler with Spectre mitigation retpoline/-mindirect-branch=thunk
- Date: Wed, 31 Jan 2018 07:35:32 +0100
- From: Philipp Hahn <pmhahn@xxxxxxxxx>
- Subject: Re: Compiler with Spectre mitigation retpoline/-mindirect-branch=thunk
Am 30.01.2018 um 08:43 schrieb Robin Geuze:
> I was wondering, are the debian maintainers planning on backporting the
> -mindirect-branch=thunk support introduced in GCC 7.3 and 8.1 to the
> compilers available on Jessie and Stretch? While this is not necessarily
> a security fix for the compiler it does provide that fix to at least
> kernels compiled using it.
I did it for gcc-4.9, which basically boils down to:
> git clone -o hjl -b hjl/indirect/gcc-4_9-branch/master --depth 8 https://github.com/hjl-tools/gcc.git
> git format-patch -7 -o debian/patches/ --src-prefix=a/src/ --dst-prefix=b/src/ -N --no-add-header --suffix=.diff
> filterdiff -p2 -x gcc/doc/invoke.texi -x gcc/doc/extend.texi debian/patches/*.diff
> ls -1 debian/patches/ | sed 's/\.diff//;s/^/debian_patches += /' >>debian/rules.patch
The filterdiff is needed to filter out the GFDL documentation hunks.
Using parallel build (-jX) fails for us, so it takes ~13h to compile
that gcc. I was told to use '-J' instead, but that is not supported by
dpkg-buildpackage in Debian-Stretch :-(
After that just re-compile your Linux kernel.
It hoefully will have
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
That worked for us here at Univention.
PS: Here are the 7 relevant GIT commpits for gcc-4.9 from H.J. Lu's GIT
repository for reference:
> 1fb3a1828fa x86: Disallow -mindirect-branch=/-mfunction-return= with -mcmodel=large
> 7ab5b649f72 x86: Add 'V' register operand modifier
> 5550079949a x86: Add -mindirect-branch-register
> 35590ed7bee x86: Add -mfunction-return=
> e699df5d96f x86: Add -mindirect-branch=
> 2015a09e332 i386: Use reference of struct ix86_frame to avoid copy
> e623d21608e i386: Move struct ix86_frame to machine_function