On 01/31/2018 10:43 PM, Ken Moffat wrote:
If anybody wants to add full retpoline mitigation (against Spectre v2) to an older system, the following works on x86_64 (I no longer have i686 systems to test on). I have tested this on my oldest available system (LFS-7.6, using gcc-4.9.1 and which had used a 3.18 kernel) to prove the approach. That system will never be used to connect to anything external (too many vulnerabilities, in particular its version of openssl is no longer maintained); it is only there in case I want to see if such an old system can build current LFS. So, if it works there it will also work on newer systems!

What I do is build a minimal gcc-7.3 in /opt/kgcc and then use that to compile a supported kernel. On that oldest system I used the latest 4.4 kernel, on a less old system I have used the latest 4.9 kernel, and for more recent systems I either use the latest 4.14 or (recent test systems) 4.5.0.

If anybody used the HJL gcc patches I posted at the start of the month, using gcc-7.3 provides no benefit. But for everybody else, it will help reduce the attack surface for Spectre v2.

1. gcc-7.3

I based my build on what is in BLFS for gcc-7.2, with the following variations:

1.1 In the configure I changed the prefix and languages to --prefix=/opt/kgcc --enable-languages=c and added --disable-bootstrap. Some of the other things can probably be turned off (compare LFS gcc pass 2, e.g. libssp), but this is minimal enough for my purpose.

1.2 Do NOT run the tests - the proof of the pudding is in the eating: either it will compile your kernel successfully, or it won't.

2. The kernel

2.1 Fix up the config (normally, make oldconfig - I keep my configs in the kernel, in /proc/config.gz, so I can initialise .config from this). Ensure that retpoline support is selected (it defaults to Y, like PTI).

2.2 If you have configured this source tree before (e.g. for an earlier point release of the same minor version), make clean so that the build-system files in which the compiler's lack of retpoline support was recorded will be cleared out.

2.3 Build the kernel using PATH=/opt/kgcc/bin:$PATH make -jN (N for number of cores).

2.4 Install modules, if used, and the kernel, and add it to grub.cfg so that you can revert to an older kernel if there are problems.

3. Reboot.

You should be able to see the result by running cat /sys/devices/system/cpu/vulnerabilities/spectre_v2

Assuming it worked, run your usual acceptance tests to check that everything you rely on still works. That just leaves Spectre v1 to be addressed.
Thanks a million times. My systems are not that old, but a full upgrade of the system gcc to 7.3.0 is still too painful for me. I did your proposed /opt/kgcc installation and it worked like a charm for 4.14.16. I can now relax a bit, as all my systems now have at least two of the three vulnerabilities mitigated.
Bye Tim

-- 
http://lists.linuxfromscratch.org/listinfo/lfs-support
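Ken's procedure collected into one POSIX shell script, as an added example that is not code from this thread, from LFS or from BLFS. It assumes GCC_SRC and KERNEL_SRC point at unpacked gcc-7.3.0 and kernel source trees (placeholder paths), that the BLFS gcc recipe's build directory, --disable-multilib and --with-system-zlib are kept alongside Ken's three changes, and that make install into /opt/kgcc runs with sufficient privilege. The cc_supports_retpoline probe uses the -mindirect-branch=thunk-extern and -mindirect-branch-register options that gcc-7.3 introduced and that the kernel build tests for before deciding between a full and a minimal retpoline; classify_spectre_v2 matches the status strings the 4.14/4.15-era kernels print in sysfs, which is how you tell a compiler-built "Full generic retpoline" from the "Minimal generic ASM retpoline" you get when the compiler lacked support.

```shell
#!/bin/sh
# Added example (not from the thread): Ken's /opt/kgcc + retpoline kernel
# procedure as functions. GCC_SRC and KERNEL_SRC are placeholders you set.
set -eu

KGCC_PREFIX=/opt/kgcc
GCC_SRC=${GCC_SRC:-/path/to/gcc-7.3.0}          # placeholder: unpacked gcc source
KERNEL_SRC=${KERNEL_SRC:-/path/to/linux-4.14.x} # placeholder: unpacked kernel source
JOBS=${JOBS:-$(nproc 2>/dev/null || echo 2)}

# Probe a compiler for the two options the kernel Makefile tests before it
# enables a full retpoline. gcc-7.3 accepts them; gcc-4.9 does not.
# Returns 0 if supported, 1 otherwise.
cc_supports_retpoline() {
    tmp=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    if "$1" -mindirect-branch=thunk-extern -mindirect-branch-register \
            -c "$tmp/t.c" -o "$tmp/t.o" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# Map one line of /sys/devices/system/cpu/vulnerabilities/spectre_v2 to a
# short verdict. "minimal" means the kernel has retpoline support but was
# built by a compiler without it, which is exactly what step 2.2 is for.
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Full generic retpoline"*|"Mitigation: Full AMD retpoline"*) echo full ;;
        "Vulnerable: Minimal"*) echo minimal ;;
        "Mitigation:"*) echo other ;;
        "Not affected"*) echo unaffected ;;
        *) echo vulnerable ;;
    esac
}

# Step 1: minimal gcc-7.3 in /opt/kgcc. BLFS gcc-7.2 recipe with the prefix
# and languages changed and bootstrap disabled. No test suite run (step 1.2).
build_kgcc() {
    cd "$GCC_SRC"
    mkdir -p build && cd build
    SED=sed ../configure --prefix="$KGCC_PREFIX" --enable-languages=c \
        --disable-bootstrap --disable-multilib --with-system-zlib
    make -j"$JOBS"
    make install   # needs write access to /opt/kgcc
}

# Step 2: configure and build the kernel with /opt/kgcc/bin first in PATH.
build_kernel() {
    cd "$KERNEL_SRC"
    # 2.2: drop cached build-system results (including the retpoline
    # compiler check) left over from an earlier build with the old gcc.
    make clean
    # 2.1: seed .config from the running kernel if it exports its config.
    if [ -r /proc/config.gz ] && [ ! -e .config ]; then
        zcat /proc/config.gz > .config
    fi
    PATH="$KGCC_PREFIX/bin:$PATH" make oldconfig
    grep -q '^CONFIG_RETPOLINE=y' .config || {
        echo "CONFIG_RETPOLINE is not set; enable it and rerun" >&2; return 1; }
    # 2.3: the actual build with the new compiler.
    PATH="$KGCC_PREFIX/bin:$PATH" make -j"$JOBS"
    # 2.4 (install modules, kernel, grub.cfg entry) is left to the admin so
    # the old kernel stays bootable.
}

# Step 3, after reboot: report what the running kernel says about Spectre v2.
report_spectre_v2() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] || { echo "$f missing: kernel predates the sysfs report" >&2; return 1; }
    status=$(cat "$f")
    echo "$status -> $(classify_spectre_v2 "$status")"
}

main() {
    build_kgcc
    cc_supports_retpoline "$KGCC_PREFIX/bin/gcc" || {
        echo "$KGCC_PREFIX/bin/gcc does not accept retpoline options" >&2; exit 1; }
    build_kernel
    echo "kernel built; install it, reboot, then run: $0 report"
}

case "${1:-}" in
    run)    main ;;
    report) report_spectre_v2 ;;
esac
```

Run it as `sh retpoline-kernel.sh run` to build, and `sh retpoline-kernel.sh report` after rebooting into the new kernel; a "minimal" verdict on a kernel you just built means the compiler check was cached from an earlier build or the new gcc was not first in PATH.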