On 31/01/18 14:04, Mick wrote:
> Just to dilute my confusion on what I should do to keep desktops safe(r),
> would someone please clarify:
> Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15 with
> gcc 7.3, or wait until these versions have been stabilised in the tree?
> What gcc version shall I use to update @world from then on?
> PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with ARM
> in them ...
At the moment, you do need GCC 7.3. However, there is talk about these
new flags being ported to GCC 6 and possibly even older versions.
As for the kernel, you don't need 4.15. 4.14 is the latest LTS kernel,
and it has the needed patches. I think 4.9 (the previous LTS kernel) has
them too.
Currently, once you enable CONFIG_RETPOLINE in the kernel config and
rebuild with GCC 7.3, you should have all currently available kernel
mitigations, which at the moment are:
$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTI
Vulnerable
Mitigation: Full generic retpoline
However, improvements to these mitigations will from now on happen for
kernel 4.16 first and backported later. 4.16 for example got mitigations
for ARM. It's how kernel upstream works; new stuff is done in the
current development version, and backported later to still supported
versions.
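An added check (not code from the thread) that reads the same sysfs files the reply cats above, prints each entry with its name, and flags anything the kernel still reports as "Vulnerable"; it takes a directory argument so it can also be pointed at a constructed copy, and the file names meltdown, spectre_v1 and spectre_v2 are assumed from the 4.15 sysfs layout.

```shell
#!/bin/sh
# Added example, not from the thread. Report per-vulnerability mitigation
# status from a sysfs-style directory and flag entries still "Vulnerable".
# The directory defaults to the real sysfs path; make_sample builds a
# constructed copy matching the output quoted in the reply.

# Print "name: status" for every entry; return 1 if any is Vulnerable,
# 2 if the directory is missing (kernel too old to report at all).
check_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Number of entries reported as Vulnerable; non-zero means a rebuild with
# CONFIG_RETPOLINE and GCC 7.3 (or a newer kernel) is still outstanding.
count_vulnerable() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Constructed sample mirroring the three lines quoted in the reply
# (sysfs prints them in alphabetical file order, so names are assumed).
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}
```

Run `check_vulns` with no argument on a real box; a non-zero exit tells you something is still unmitigated.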