Marek Marczykowski-Górecki:
> On Fri, Feb 23, 2018 at 03:27:38PM -0700, Reg Tiangha wrote:
>> I've noticed that Xen has updated the XSA-254 advisory with Spectre v2
>> mitigations for Xen 4.6-4.10. I know we'd have to figure out how to
>> backport Retpoline compatible compilers to these various build
>> environments in order to get the full protection (Debian has backported
>> that support to the gcc versions in jessie and stretch so that implies
>> that at least the backported gcc patches are now available), but is
>> there any chance that these Xen patches will be incorporated into the
>> Qubes versions soon?
>>
>> https://xenbits.xen.org/xsa/advisory-254.html
>
> Simon, can you take a look at it? We'll probably need to put patched gcc
> to linux-dom0-updates repository (if newer Fedora has patched gcc and
> it's possible to build that src.rpm on older Fedora), or add separate
> repository with patched gcc - then probably indeed based on patches from
> Debian.
It seems to be working for me, but the gcc part is a bit tricky.

Building a newer gcc src.rpm doesn't sound like a good idea since the package contains a lot of stuff which probably breaks on a version jump (like libgcc, libstdc++, libasan, ...). My original plan (i.e. before the XSA got updated) was to build an extra gcc just for vmm-xen (and probably linux-kernel). But now I noticed that Debian published backports for gcc-6 and gcc-5, so R3.2 is also covered. So I decided to add those backports to the Fedora gcc package. I got this working now, but it has some caveats:

- The Fedora gcc package build seems to be flaky. It failed twice for me with different errors (both very likely unrelated to the backport patches). Assigning a lot of memory to the build VM got it working ... And I noticed that a bunch of tests are failing but apparently that's not a reason to break the package build ...

- Installing the patched gcc required manual intervention in my chroot (didn't try a fresh chroot yet). For some reason it only wanted to install it when I told dnf explicitly to install the updated gcc and libgcc. Then dnf was happy (i.e. no more error about dependency problems).

- Updating gcc is "all or nothing". So should the (probably unlikely) case occur that the new gcc causes problems with other packages, we can't keep using it for vmm-xen but not for other components.

Other options:

Build an extra package with a current gcc (i.e. 7.3.0). This package would be much smaller (since only C support is needed), so debugging build problems is much easier (if they happen at all). We can switch on a per package basis if we want to use the patched gcc (CC=gcc-7). Since this was my plan before knowing about the backports I have already done some of the work for this (one search path issue is not resolved yet). The downside is that the version jump (gcc-6 (or gcc-5 in R3.2) to gcc-7) might create problems with vmm-xen and linux-kernel.
Build an extra package with the gcc version as used by Fedora (as above, C only). This would avoid the gcc version jump, but it might be trickier to get two variants of gcc with the same version to co-install without path conflicts.

What do you think?

My current state (variant 1 (i.e. patch main gcc package)):

https://github.com/HW42/qubes-vmm-xen/tree/hw42/sp2
https://github.com/HW42/qubes-gcc
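Whichever gcc variant ends up in the build chroot, the question that matters for XSA-254 is whether the compiler actually accepts the retpoline options and emits the thunk calls. The following check is an added example, not part of this thread or of the qubes-gcc/qubes-vmm-xen repositories; it assumes the gcc-style `-mindirect-branch=thunk-extern -mindirect-branch-register` flags (the ones Xen's x86 build probes for) and looks for the `__x86_indirect_thunk` symbol reference in the resulting object.

```sh
#!/bin/sh
# retpoline_supported CC
#   exit 0 if CC accepts the retpoline flags and emits thunk calls,
#   exit 1 if it does not (e.g. unpatched gcc-6 / gcc-5),
#   exit 2 if CC cannot be found or a temp dir cannot be created.
retpoline_supported() {
    cc="${1:-cc}"
    command -v "$cc" >/dev/null 2>&1 || return 2
    tmp="$(mktemp -d)" || return 2
    # Constructed probe: one indirect call, which a retpoline-aware gcc
    # must turn into a call to an external __x86_indirect_thunk_<reg>.
    cat > "$tmp/probe.c" <<'EOF'
int call_through(int (*fp)(void)) { return fp(); }
EOF
    rc=1
    if "$cc" -mindirect-branch=thunk-extern -mindirect-branch-register \
           -c "$tmp/probe.c" -o "$tmp/probe.o" >/dev/null 2>&1 \
       && grep -q __x86_indirect_thunk "$tmp/probe.o"; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Human-readable report for one compiler (tolerates set -e).
report() {
    rc=0
    retpoline_supported "$1" || rc=$?
    case $rc in
        0) echo "$1: retpoline flags supported (thunk calls emitted)" ;;
        1) echo "$1: retpoline flags NOT supported; vmm-xen would build without the XSA-254 SP2 mitigation" ;;
        *) echo "$1: compiler not found" ;;
    esac
    return 0
}

# Check the default compiler and an optional CC=gcc-7 style override.
report "${CC:-cc}"
[ -n "$CC" ] && [ "$CC" != cc ] && report cc
```

Run it inside the build chroot (e.g. `CC=gcc-7 sh check-retpoline.sh`) to confirm which of the two gcc variants actually carries the backport before rebuilding vmm-xen.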