Re: Meltdown / Spectre

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Meltdown / Spectre

From:	Ludovic Courtès
Subject:	Re: Meltdown / Spectre
Date:	Tue, 16 Jan 2018 11:57:11 +0100
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

Hello,

Leo Famulari <address@hidden> skribis:

> On Wed, Jan 10, 2018 at 05:39:59AM +0800, Alex Vong wrote:
>> I have an idea. Should we add a news entry to Guix blog[0] summarizing
>> all the above? For example, we can advice users to install noscript and
>> turn off javascript by default and only enable it on trusted site when
>> necessary.
>
> I think it's a good idea to publish an advisory of some sort but I don't
> know if I'll have time in the next few days to write it.

It’s a good idea.  I think the message you sent at the beginning of this
thread would be a good start.  Not much more needs to be added at this
point, IMO.

>> About the "Retpoline" mitigation technique[1]. Right now only GCC 7.2.0
>> is patched, but our default gcc version is 5.4.0 in master and 5.5.0 in
>> core-updates.  So I tried to apply the patches apply the patches to
>> 5.5.0. There are totally 17 commits/patches. The first 3 patch can be
>> modified to work while the 4th patch cannot be easily modified to work
>> because the function ``ix86_nopic_noplt_attribute_p'' is not present on
>> 5.5.0. Perhaps discarding the hunk would be fine, but we need to be
>> careful about it (maybe running tests make sure the fix really works).
>> 
>> Do you think we should modify the patch to make it work on GCC 5 or
>> update core-updates to GCC 7 instead?
>
> So far I haven't had time to read about Retpoline, how it works, and the
> degree to which other mitigations work without it. So the following
> opinion is from a place of ignorance. I'm very interested to hear what
> everyone else thinks about your suggestion.
>
> Having said that, my opinion is that it's too late in this core-updates
> cycle to change the default GCC version, especially two major versions,
> from 5 to 7.

No doubt about it.  :-)

> Something we can do very easily, even on the master branch, is to build
> specific packages with GCC 7, assuming the Retpoline technique would be
> effective in that context.

Yes, I see Alex submitted a patch already.

Thanks,
Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

What do Meltdown and Spectre mean for libreboot x200 user?, Alex Vong, 2018/01/06
- Re: What do Meltdown and Spectre mean for libreboot x200 user?, Mark H Weaver, 2018/01/06
- Meltdown / Spectre, Leo Famulari, 2018/01/06
  - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/06
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/07
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/07
    - Re: Meltdown / Spectre, Alex Vong, 2018/01/09
    - Re: Meltdown / Spectre, Leo Famulari, 2018/01/10
    - Re: Meltdown / Spectre, Ludovic Courtès <=
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/19
    - Re: Meltdown / Spectre, Leo Famulari, 2018/01/19
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/21
    - Re: Meltdown / Spectre, Ludovic Courtès, 2018/01/24
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/24
    - Re: Meltdown / Spectre, Mark H Weaver, 2018/01/26
    - Re: Meltdown / Spectre, Ludovic Courtès, 2018/01/27
    - Re: Meltdown / Spectre, ng0, 2018/01/10
    - Re: Meltdown / Spectre, Ludovic Courtès, 2018/01/08
    - Re: Meltdown / Spectre, Leo Famulari, 2018/01/10

Prev by Date: Re: Meltdown / Spectre
Next by Date: Re: FOSDEM 2018 and announcing a GNU Guix/Guile day!
Previous by thread: Re: Meltdown / Spectre
Next by thread: Re: Meltdown / Spectre
Index(es):
- Date
- Thread