Retpoline Backported To Linux 4.9, Linux 4.14 Kernels


  • Retpoline Backported To Linux 4.9, Linux 4.14 Kernels

    Phoronix: Retpoline Backported To Linux 4.9, Linux 4.14 Kernels

    Retpoline support for mitigating the Spectre vulnerabilities will soon be present in the Linux 4.9 and 4.14 stable kernels...

    http://www.phoronix.com/scan.php?pag...4.14-Retpoline

  • #2
    This Retpoline support will be found in the soon-to-be-released Linux 4.9.77 and 4.14.14 kernels. As of writing Retpoline support hasn't been added to Linux 4.15 Git.
    Is this some kind of typo for 4.15, or what?



    • #3
      So no kernels Canonical is using...



      • #4
        Since Retpoline seems to be ineffective on Skylake and up (found this via Google: https://lwn.net/Articles/743019/ ), what is the connection between Google's Retpoline and Intel's IBRS microcode enhancements + patches? What is merged and what not? Should someone use IBRS or Retpoline? Does the kernel pick the right way, or do I have to do something?



        • #5
          Originally posted by [email protected] View Post
          So no kernels Canonical is using...
          Upstream only supports the following kernels. https://www.kernel.org/category/releases.html
          Canonical has to maintain their own kernel and backports fixes. I am sure they have no problem backporting fixes to their kernel.
          In the long run, though, it may be better for Canonical to use upstream LTS kernels for LTS versions of Ubuntu.
          SuSE uses 4.4. Google uses 3.18 and 4.4, for example. Debian uses 4.9.



          • #6
            Michael, thanks for the update. Can you clarify if this is already in the 4.14.14 release candidate on the stable branch in git?



            • #7
              Originally posted by Kayote View Post
              Michael, thanks for the update. Can you clarify if this is already in the 4.14.14 release candidate on the stable branch in git?
              Yes: https://git.kernel.org/pub/scm/linux...h=linux-4.14.y
              Michael Larabel
              http://www.michaellarabel.com/



              • #8
                "For full support you also need to be building the kernel with a newer GCC compiler containing -mindirect-branch=thunk-extern support."

                Shouldn't the kernel config automatically pick up that flag like it does for -march when selecting "Core 2 or newer architecture"? Do I really need to manually specify it?
                ## VGA ##
                AMD: X1950XTX, HD3870, HD5870
                Intel: GMA45, HD3000 (Core i5 2500K)

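                On the question in this post: the x86 Makefile in the 4.9.77 / 4.14.14 backports probes the compiler for -mindirect-branch=thunk-extern with a cc-option check and, if the flag is rejected, falls back to the minimal assembly-only retpoline, which the kernel then reports as "Vulnerable: Minimal ... ASM retpoline" in sysfs. The following POSIX shell script is an added example (not from this thread or from the kernel tree) that classifies the spectre_v2 sysfs report and runs the same kind of compiler probe; the sysfs strings are those printed by these backports (later kernels append details, so prefixes are matched), and the sample value used when /sys is unreadable is constructed.

```shell
#!/bin/sh
# Added example: check whether the running kernel and the compiler are
# actually set up for full retpoline, rather than the ASM-only fallback.

# Map the spectre_v2 sysfs text to a short verdict. Order matters:
# "Vulnerable: Minimal ..." must be tested before the plain "Vulnerable".
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)       echo "ok: CPU not affected" ;;
        "Mitigation:"*)        echo "ok: full retpoline (compiler emitted thunks)" ;;
        "Vulnerable: Minimal"*) echo "partial: kernel has CONFIG_RETPOLINE but was built without -mindirect-branch support; rebuild with a retpoline-aware GCC" ;;
        "Vulnerable"*)         echo "vulnerable: no retpoline in this kernel" ;;
        *)                     echo "unknown: $1" ;;
    esac
}

# Does the compiler named in $1 accept the flags the kernel Makefile tests for?
# Compiles a trivial translation unit from stdin, like the Makefile's cc-option.
cc_has_retpoline() {
    if printf 'int f(void){return 0;}\n' | "$1" -mindirect-branch=thunk-extern \
        -mindirect-branch-register -x c -c -o /dev/null - 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Read the live sysfs value on a real host; in a sandbox without /sys the
# constructed sample below stands in so the script still runs end to end.
report_running_kernel() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        v=$(cat "$f")
    else
        v="Vulnerable: Minimal generic ASM retpoline"   # constructed sample
    fi
    classify_spectre_v2 "$v"
}

report_running_kernel
echo "compiler accepts retpoline flags: $(cc_has_retpoline "${CC:-gcc}")"
```

Run it with `CC=gcc-7` (or whichever newer GCC you installed) to confirm the toolchain before rebuilding the kernel; a "partial" verdict on a kernel built with CONFIG_RETPOLINE=y means the build fell back because the compiler lacked the flag.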


                • #9
                  Originally posted by -MacNuke- View Post
                  Since Retpoline seems to be ineffective on Skylake and up (found this via Google: https://lwn.net/Articles/743019/ ), what is the connection between Google's Retpoline and Intel's IBRS microcode enhancements + patches? What is merged and what not? Should someone use IBRS or Retpoline? Does the kernel pick the right way, or do I have to do something?


                  According to the lwn link, it's "...Speculation on Skylake and later requires these patches ("dynamic IBRS") be used instead of retpoline..." and this Google doc says what the options are: https://docs.google.com/document/d/e...jlLKRtKRbd/pub Seems like retpoline will be slower in the future if you have newer Intel processors, and can keep IBRS always on. For older/all Intel processors currently, you might have a choice between retpoline and "dynamic IBRS". I imagine if you don't turn anything off, with default settings, the faster protection will automatically be turned on during kernel boot.


                  So, for Ubuntu 16.04, if you want all the fixes at the earliest, GCC 7.3 or 8 will end up here: https://launchpad.net/~jonathonf, then compile 4.14.14... for retpoline/IBRS for variant 2. Variant 1 patches are also to GCC 7.3/8. There was an intel-microcode update pushed out. Not sure when Ubuntu will push out patched gcc4/5 and new binaries for all packages.
                  Last edited by audir8; 01-15-2018, 12:13 PM.



                  • #10
                    Remember: if using AMD, add noretpoline to the boot options; the issue isn't exploitable on default settings.
