Re: Kernel for Spectre and Meltdown

On 30 January 2018 at 16:36, Michael Fothergill <michael.fothergill@xxxxxxxxx> wrote:


On 30 January 2018 at 16:02, Michael Fothergill <michael.fothergill@xxxxxxxxx> wrote:


On 30 January 2018 at 15:23, Elimar Riesebieter <riesebie@xxxxxxxx> wrote:
* rhkramer@xxxxxxxxx <rhkramer@xxxxxxxxx> [2018-01-29 10:47 -0500]:

[...]
> On the other hand, if I download kernel source, I would need GCC, and a
> version that is sufficient for the code.

One can check the compiler version the running kernel is built with by:

$ cat /proc/version
Linux version 4.14.15-toy-lxtec-amd64 (riesebie@toy) (gcc version 7.3.0 (Debian 7.3.0-1)) #1 SMP Tue Jan 30 14:20:49 CET 2018

That is a very useful command.

I ran it myself.

djt /home/mikef/spectre-meltdown-checker # cat /proc/version
Linux version 4.14.14-gentoo (root@djt) (gcc version 7.2.0 (Gentoo 7.2.0-r1)) #1 SMP Tue Jan 23 13:06:23 GMT 2018

Here is a bit of the output from the spectre patch checker:


* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

As can be seen here, the compiler I used to create this kernel was not recent enough to make retpoline work.

Since I now have gcc 7.3 installed I will do a kernel upgrade in a little while and see if I can change the NO in

  "* Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)"

to YES.....

I think it will work.

Cheers MF

I just ran the kernel rebuild:

djt /home/mikef # cat /proc/version
Linux version 4.14.15-gentoo (root@djt) (gcc version 7.3.0 (Gentoo 7.3.0)) #1 SMP Tue Jan 30 16:22:47 GMT 2018

and now the spectre kernel checker says the following:

* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

New kernels are going to appear soon with fancier fixes for Spectre vulnerabilities, if I understand it correctly.

I can now install them right away; and if I want I can downgrade Gentoo testing to Gentoo stable and do the very same thing.

Cheers

MF

It has occurred to me that two distributions of Linux could be useful for the Spectre kernel patches right now.

One is Sabayon and the other is Calculate Linux.

Both are Gentoo-based distributions. For a new Linux user, I think they could have some advantages over e.g. Gentoo itself.

Both come with installers, so you will avoid the funny learning curve involved in Gentoo installs.

Sabayon has its own binary package installer called equo (its answer to apt in Debian). AFAICT, you can avoid installing kernels with emerge (compiling them) if you want; you have a choice.

I think, but I am not 100% sure, that you can take the ebuild file for kernel 4.15 from the Gentoo kernel source site and install it directly in Sabayon.

Calculate Linux is similar but does not have the equo package installer.

I notice that Fedora seems to have made kernels with the Spectre patch available. Whether they run in the equivalent of the stable version of the distribution I am not sure.

Cheers

MF


Elimar
--
  You cannot propel yourself forward by
  patting yourself on the back.
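The three checks the thread does by hand (read the gcc version out of /proc/version, see whether the kernel reports minimal or full retpoline, and confirm the compiler itself is retpoline-aware) can be scripted. The POSIX shell script below is an added example and is not code from the thread or from spectre-meltdown-checker. The sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the gcc flags -mindirect-branch=thunk-extern -mindirect-branch-register are the real kernel and compiler interfaces (the kernel build probes exactly those flags when CONFIG_RETPOLINE is set); the 7.3.0 threshold is a heuristic taken from this thread, since distributions backport retpoline support to older gcc releases, which is why the script also probes the compiler directly. The function names and the sample /proc/version lines are mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): is the running kernel built
# with a retpoline-aware gcc, and does the kernel itself agree?

# Extract the gcc version ("7.3.0") from a line in /proc/version format.
gcc_version_from_proc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p'
}

# Numeric dotted-version compare: succeeds (exit 0) when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# Classify the kernel's own verdict, i.e. the contents of
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 (the strings the
# thread's checker output quotes come from this file).
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Full "*retpoline*)    echo full ;;
        "Vulnerable: Minimal "*retpoline*) echo minimal ;;
        Vulnerable*)                       echo none ;;
        Mitigation*)                       echo other ;;
        *)                                 echo unknown ;;
    esac
}

# Authoritative compiler check: compile an empty program with the flags the
# kernel build uses for CONFIG_RETPOLINE. Backported gccs pass this even when
# their version number is below 7.3.0, so prefer this over version_ge.
cc_supports_retpoline() {
    printf 'int main(void){return 0;}\n' |
        "$1" -x c -mindirect-branch=thunk-extern -mindirect-branch-register \
             -c -o /dev/null - 2>/dev/null
}

# Run all three checks against the live system (./check.sh --live).
live_check() {
    ver=$(gcc_version_from_proc_version "$(cat /proc/version)")
    echo "kernel built with gcc $ver"
    if version_ge "$ver" 7.3.0; then
        echo "  >= 7.3.0: upstream retpoline support expected (heuristic)"
    else
        echo "  <  7.3.0: retpoline only if your distribution backported it"
    fi
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        v=$(cat "$f")
        echo "kernel reports: $v [$(classify_spectre_v2 "$v")]"
    else
        echo "no $f: kernel too old to report spectre_v2 status"
    fi
    cc=${CC:-gcc}
    if cc_supports_retpoline "$cc"; then
        echo "$cc accepts the retpoline flags"
    else
        echo "$cc does NOT accept the retpoline flags: rebuild with a newer gcc"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A "minimal" classification with a compiler that passes cc_supports_retpoline means the kernel was built before that compiler was installed, which is exactly the situation in the thread: rebuilding the same kernel config with the newer gcc moves the status to "full".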