Re: Kernel for Spectre and Meltdown

On 29 January 2018 at 12:49, Michael Fothergill <michael.fothergill@xxxxxxxxx> wrote:

On 29 January 2018 at 10:17, Michael Lange <klappnase@xxxxxxxxxx> wrote:

On Mon, 29 Jan 2018 08:35:58 +0000
Michael Fothergill <michael.fothergill@xxxxxxxxx> wrote:

> You need to upgrade to unstable (Debian Sid).  Then you need to get
> the latest kernel from the kernel.org website.
> You also need to install GCC7 in sid which will give you version 7.3.0
> at present.  That is a new enough compiler to be able to properly
> install the spectre and meltdown fixes.

The "meltdown fix" (a.k.a. page tables isolation) is already included in
Stretch's 4.9 kernel.

> Then you need to run the spectre/meltdown checker which you can get
> from a github site and run locally on your box to know it's really
> installed properly.
> AFAICT at present running a kernel with spectre and meltdown protection
> means running debian in the opposite way it is usually billed as to the
> outside world ie unstable for quite some time.

That's not entirely true, you can run Debian Stable / Stretch with a
kernel that was compiled on Sid with gcc-7.3, however it is true that for
now there is no such kernel available for Stretch out-of-the-box and even
installing the latest gcc-7 compiler packages from sid on a Stretch
system is, if possible at all, probably not trivial.

In the recent MVE thread, I had asked if I could compile the spectre fix kernel in Sid and move to buster (I thought moving down to
stretch would likely not be practical).

The response from Greg was the following:

On Thu, Jan 25, 2018 at 12:36:46PM +0000, Michael Fothergill wrote:
> If I become sid and install the kernel correctly, could I go back to being
> just buster (sounds like an energy drink) and carry on using the new kernel?

At that point it really did seem that:

1. I had no choice but to become sid/unstable here.

2. I would have to remain being sid for some considerable time running this newfangled kernel.

And so would anyone else trying to address the spectre problem, including new users, as far as I could tell then.

I was interested specifically in the spectre fix because, as an AMD user, meltdown is not a vulnerability for me, which the
spectre-meltdown-checker reminds you of when you run it.

I then put up a post saying "well I guess I am going to have to upgrade to sid then" or something similar.

The silence was deafening.

So I went ahead and installed GCC 8 (because GCC 7.3 hadn't quite been ported into sid at that point) and tried to compile the new spectre fix kernel.

I now see that maybe the kernel could be more portable once created than it seemed to me then, as has been pointed out above, and which the OP really ought to have
been made aware of.

That is pretty much what I had been led to believe already except
for the part where you suggest that a kernel compiled in Sid could apparently
be used in stable.  Again, if that would be true I should have mentioned it to the OP; sorry about that.
Apart from that it makes me think that what I posted was perhaps not BS after all...

I assume that most likely someone is working on an update to gcc-6 that
will make it possible to compile the latest "spectre fix" into the kernel
with Stretch's default compiler and we will have to wait until that is

I think it is likely though, that a kernel with that fix will be
available soon in the "experimental" suite and could be installed
manually on Stretch.
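The thread recommends running the spectre-meltdown-checker locally to confirm the fixes are really in place. A lighter check that needs no download is to read what the running kernel itself reports under /sys/devices/system/cpu/vulnerabilities/ (exported by kernels that carry the mitigation code; each file reads "Not affected", "Mitigation: ...", or "Vulnerable..."). The script below is an added example written for this page, not code from the thread, from Debian or from the checker project; the directory layout and the three status prefixes are what mainline Linux uses, and the sample directory it builds is constructed to mirror the AMD case discussed above (meltdown not affected, spectre_v2 still open), not output captured from any real machine.

```shell
#!/bin/sh
# Added example: summarize the kernel's own Spectre/Meltdown mitigation status
# from the sysfs "vulnerabilities" directory. Run as:
#   sh check_mitigations.sh run            # read the live sysfs directory
#   sh check_mitigations.sh run /some/dir  # read a copy (e.g. for offline tests)

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# mitigation_status <dir> <name>
# Classifies one entry as notaffected / mitigated / vulnerable / unknown
# (unknown also covers a kernel too old to export the file at all).
mitigation_status() {
    dir="$1"; name="$2"
    f="$dir/$name"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    status=$(cat "$f")
    case "$status" in
        "Not affected") echo notaffected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# report <dir>
# Prints one line per entry and returns 1 if any entry is still vulnerable,
# so the function can gate a post-upgrade check in a script.
report() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        st=$(mitigation_status "$dir" "$name")
        printf '%-12s %-12s %s\n' "$name" "$st" "$(cat "$f")"
        [ "$st" = vulnerable ] && rc=1
    done
    return $rc
}

# make_sample_dir
# Builds a constructed stand-in for the sysfs directory: the shape an AMD box
# with the Meltdown-era kernel but without the Spectre v2 fix might show.
# These values are illustrative, not captured from a real system.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Only run the report when asked to, so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    report "${2:-$SYSFS_VULN_DIR}"
fi
```

A non-zero exit from `report` is the signal that the new kernel is not actually providing the fix the thread is chasing, regardless of which suite the package came from; a missing directory altogether means the running kernel predates the mitigation code and the compiler question does not even arise yet.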