guix-devel

Re: What do Meltdown and Spectre mean for libreboot x200 user?


From: Mark H Weaver
Subject: Re: What do Meltdown and Spectre mean for libreboot x200 user?
Date: Sat, 06 Jan 2018 12:23:51 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hi Alex,

Alex Vong <address@hidden> writes:
> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all Intel CPUs were
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf). What should I do right now to patch my laptop?

I haven't yet had time to properly study this, but so far I'd strongly
recommend updating to linux-libre-4.14.12, which contains an important
mitigation called kernel page-table isolation (KPTI).
linux-libre-4.9.75 also contains backported mitigations, but I'm not
sure if they're as comprehensive.

Alan Cox also says that JavaScript can be used to remotely exploit these
vulnerabilities, so you should use the NoScript web browser extension if
you're not already doing so.  Enable JavaScript only when you must.  He
wrote:

  What you do need to care about _big_ _time_ is javascript because the
  exploit can be remotely used by javascript on web pages to steal stuff
  from your system memory. Mozilla and Chrome both have pending
  updates, and some recommendations about protection. Also consider
  things like Adblockers and extensions like noscript that can stop a
  lot of junk running in the first place. Do that ASAP.

  https://plus.google.com/+AlanCoxLinux/posts/Z6inLSq4iqH

We (GNU Guix developers) should also start investigating how to deploy
the "Retpoline" mitigation technique, which apparently involves patching
our linker and recompiling our entire system with it, but it will take
some time to do that.

  https://support.google.com/faqs/answer/7625886

      Mark


