Re: Meltdown / Spectre


From: Leo Famulari
Subject: Re: Meltdown / Spectre
Date: Tue, 9 Jan 2018 23:59:30 -0500
User-agent: Mutt/1.9.2 (2017-12-15)

On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote:
> I have an idea. Should we add a news entry to Guix blog[0] summarizing
> all the above? For example, we can advise users to install noscript and
> turn off javascript by default and only enable it on trusted sites when
> necessary.

I think it's a good idea to publish an advisory of some sort but I don't
know if I'll have time in the next few days to write it.

> About the "Retpoline" mitigation technique[1]. Right now only GCC 7.2.0
> is patched, but our default gcc version is 5.4.0 in master and 5.5.0 in
> core-updates.  So I tried to apply the patches to 5.5.0. There are 17
> commits/patches in total. The first 3 patches can be modified to work,
> while the 4th patch cannot be easily modified to work because the
> function ``ix86_nopic_noplt_attribute_p'' is not present in 5.5.0.
> Perhaps discarding the hunk would be fine, but we need to be careful
> about it (maybe running tests to make sure the fix really works).
> 
> Do you think we should modify the patch to make it work on GCC 5 or
> update core-updates to GCC 7 instead?

So far I haven't had time to read about Retpoline, how it works, and the
degree to which other mitigations work without it. So the following
opinion is from a place of ignorance. I'm very interested to hear what
everyone else thinks about your suggestion.

Having said that, my opinion is that it's too late in this core-updates
cycle to change the default GCC version, especially two major versions,
from 5 to 7.

My impression is that we are relatively close to finishing this cycle.
Changing the default GCC would surely cause lots of new build failures
requiring fixes to affected packages.

There are probably many unpublicized / undiscovered security fixes in
many of the updates on core-updates. It's valuable to deploy those as
quickly as possible. Is it more valuable than waiting until we can build
the packages with GCC 7? I don't know.

Something we can do very easily, even on the master branch, is to build
specific packages with GCC 7, assuming the Retpoline technique would be
effective in that context.

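As an added illustration of the per-package approach Leo mentions (this is example code, not from the thread or from Guix itself), the following package variant builds one package with GCC 7 on an otherwise unchanged master branch. It assumes a package variable `some-package` built with gnu-build-system and the `gcc-7` variable from `(gnu packages gcc)`; the `-mindirect-branch=thunk` switch is the retpoline option that the patches discussed above introduced and that shipped in GCC 7.3, so a GCC 7 package without those patches will reject it.

```scheme
;; Example code (not from the thread). Assumes `some-package' is a
;; gnu-build-system package and that (gnu packages gcc) exports `gcc-7'.
(use-modules (guix packages)
             (guix utils)          ; substitute-keyword-arguments
             (gnu packages gcc))

(define-public some-package/retpoline
  (package
    (inherit some-package)
    (name "some-package-retpoline")
    ;; Adding GCC 7 to native-inputs makes it shadow the implicit default
    ;; compiler of gnu-build-system for this package only; the rest of the
    ;; distribution keeps building with the default GCC.
    (native-inputs
     `(("gcc" ,gcc-7)
       ,@(package-native-inputs some-package)))
    (arguments
     (substitute-keyword-arguments (package-arguments some-package)
       ((#:make-flags flags ''())
        ;; Retpoline code generation for indirect branches. The switch only
        ;; exists in a GCC 7 carrying the Retpoline patches (GCC 7.3+).
        `(cons "CFLAGS=-O2 -mindirect-branch=thunk" ,flags))))))
```

Whether the resulting binary actually contains thunks can be checked by disassembling it and looking for `__x86_indirect_thunk_*` symbols; that check, not the successful build, is what tells you the mitigation was applied.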