Gentoo Forums
Sudden flurry of (stable) kernel updates
Forum: Kernel & Hardware
Marcih (Apprentice; joined 19 Feb 2018; 213 posts)
Posted: Mon Aug 20, 2018 8:32 am    Post subject: Sudden flurry of (stable) kernel updates

It seems like yesterday that we were stuck on 4.9.76-r1 for months, no retpoline (and for me personally, no workaround for my buggy BIOS/DSDT tables that was introduced in later kernel releases). We then finally got 4.9.95 stabilised and not too long afterwards 4.14.52 was marked stable. And all was good in the world.
Except for the past week or so where we've been getting almost daily kernel sources updates in the stable branch; in fact, as of writing this, gentoo-sources is up to date with kernel.org's latest 4.14 release (and 4.9 is not far behind)!

My question: is this the new standard, immediately stabilising whatever gets released (in the LTS branch)? If so, is there any point to keeping up with the latest releases? I've compiled 4.14.63-r1 just yesterday, I wake up today and yay, new kernel release! Am I safe in just masking anything above that for a couple of months? Is there any changelog I can follow so I can decide which versions are worth (to me) upgrading to?

You know, kernel updates are like Christmas; they were exciting when they came once a year but get tiring and lose their charm really quickly when they come every day. :P
_________________
Bones McCracker wrote:
It wouldn't be so bad, if it didn't suck.

NeddySeagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

Leio (Developer; joined 27 Feb 2003; 494 posts; Location: Estonia)
Posted: Mon Aug 20, 2018 10:30 am

They have follow-up fixes to the latest round of security fixes (l1tf), very relevant to Intel CPUs. I would upgrade immediately on Intel and queue an upgrade at some point for AMD when things calm down (say in a week, not more).
_________________
GNOME team lead; GStreamer; MIPS/ARM64

Marcih (Apprentice)
Posted: Mon Aug 20, 2018 2:17 pm

Leio wrote:
They have follow-up fixes to the latest round of security fixes (l1tf), very relevant to Intel CPUs. I would upgrade immediately on Intel and queue an upgrade at some point for AMD when things calm down (say in a week, not more).

By Intel CPUs you mean only recent-ish (Nehalem onwards), right? The L1TF Intel SA lists only those and since the machine I had in mind with my post has an ancient (by today's standards) Dothan Pentium M, I assume I'm not in any immediate need of the new fixes.

Leio (Developer)
Posted: Tue Aug 21, 2018 5:45 am

Code:
grep . /sys/devices/system/cpu/vulnerabilities/*
as root?

Marcih (Apprentice)
Posted: Tue Aug 21, 2018 9:14 am

Code:
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

# uname -r
4.14.63-gentoo-r1

# gcc-config -l
 [1] i686-pc-linux-gnu-7.3.0 *

# LANG="C" lscpu
Architecture:        i686
CPU op-mode(s):      32-bit
Byte Order:          Little Endian
CPU(s):              1
On-line CPU(s) list: 0
Thread(s) per core:  1
Core(s) per socket:  1
Socket(s):           1
Vendor ID:           GenuineIntel
CPU family:          6
Model:               13
Model name:          Intel(R) Pentium(R) M processor 2.13GHz
Stepping:            8
CPU MHz:             800.000
CPU max MHz:         2133.0000
CPU min MHz:         800.0000
BogoMIPS:            1596.51
Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe nx bts cpuid est tm2

Huh... I was under the impression that everything post P6 was vulnerable but looking it up now it looks like P6-based processors are too. Nevertheless, I also thought Meltdown was mitigated by retpoline or other patches back around the start of the year when the vulns were first disclosed.
Advice on mitigations? What did I do wrong?

EDIT: Added lscpu output.

tholin (Apprentice; joined 04 Oct 2008; 203 posts)
Posted: Tue Aug 21, 2018 11:51 am

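Added example (not part of the thread and not any poster's code): a small POSIX sh script that does what Leio's grep one-liner does but classifies each sysfs entry instead of leaving you to eyeball it, and reports a missing file as "unknown" rather than silently skipping it, since a kernel older than the reporting for a given issue simply has no file for it, which is not the same as "Not affected". The function names and the constructed sample directory, which copies the Pentium M output posted above, are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise the kernel's per-issue status
# files under /sys/devices/system/cpu/vulnerabilities. Each file holds one
# line that begins with "Not affected", "Vulnerable" or "Mitigation:".
# An absent file means the running kernel predates reporting for that issue.

# Print one line per issue: NAME<TAB>STATE<TAB>raw text
vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for name in meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            printf '%s\tunknown\tno sysfs entry (kernel too old to report it)\n' "$name"
            continue
        fi
        raw=$(cat "$f")
        case "$raw" in
            "Not affected"*) state=not_affected ;;
            "Mitigation:"*)  state=mitigated ;;
            "Vulnerable"*)   state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$state" "$raw"
    done
}

# Print the number of issues still reported as plain "Vulnerable".
vuln_open_count() {
    vuln_report "$1" | awk -F'\t' '$2=="vulnerable"{n++} END{print n+0}'
}

# Constructed sample reproducing the Pentium M output from the thread, so the
# functions can be exercised without root or that hardware.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/l1tf"
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Default run: report on the constructed sample. Pass --live to read the
# real sysfs directory (no root needed, the files are world-readable).
if [ "${1:-}" = "--live" ]; then
    vuln_report
    echo "still vulnerable: $(vuln_open_count)"
else
    d=$(make_sample_dir)
    vuln_report "$d"
    echo "still vulnerable: $(vuln_open_count "$d")"
    rm -rf "$d"
fi
```

On the Pentium M output above this reports three open issues (meltdown, spec_store_bypass, l1tf) and two mitigated; on a 4.9.76 kernel from before the l1tf and spec_store_bypass files existed it would instead print "unknown" for those rather than letting the absence read as good news.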
Marcih wrote:
Nevertheless, I also thought Meltdown was mitigated by retpoline or other patches back around the start of the year when the vulns were first disclosed.

Retpoline is used for mitigating spectre_v2 and nothing else. The PTI (page-table isolation) patch is used for mitigating meltdown but only on 64-bit systems. 32-bit systems have been ignored for a long time but it looks like they will get PTI support in kernel 4.19.
https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.19-PTI-x86-32-Lands

Marcih wrote:
What did I do wrong?

Your system is very old. If it's vulnerable it probably doesn't have the needed microcode updates to fully mitigate l1tf, spec_store_bypass and spectre_v2. There isn't much you can do about that.

Marcih (Apprentice)
Posted: Tue Aug 21, 2018 6:36 pm

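Added example (again not from the thread and not tholin's or anyone else's code): the build-option and CPU-feature side of tholin's explanation, as shell functions. CONFIG_PAGE_TABLE_ISOLATION (PTI, Meltdown) and CONFIG_RETPOLINE (Spectre v2) are the real kernel config symbols, and on 4.14 the former only exists for x86-64 builds. The flag names checked against a /proc/cpuinfo flags line (pcid for the PCID that keeps PTI cheap, ibpb/stibp/ssbd and flush_l1d for the microcode-backed Spectre v2, SSB and L1TF mitigations) are the ones the kernel exports once the microcode advertises them. The sample .config fragment and the flags line (copied from the lscpu output above) are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Check which kernel build options and
# CPU features behind the sysfs states are present.

# Is a CONFIG_ symbol set to y or m in a kernel config? Accepts a plain file
# (e.g. /usr/src/linux/.config) or a gzip'd one such as /proc/config.gz.
cfg_enabled() {
    cfg="$1"; sym="$2"
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat  "$cfg" ;;
    esac | grep -q "^${sym}=[ym]\$"
}

# Does a /proc/cpuinfo-style flags line contain the given flag?
has_flag() {
    printf ' %s ' "$1" | grep -q " $2 "
}

# Flags line of the first CPU in /proc/cpuinfo (or another file for testing).
cpu_flags() {
    awk -F': *' '/^flags/{print $2; exit}' "${1:-/proc/cpuinfo}"
}

# One line per item: ITEM<TAB>yes|no
mitigation_summary() {
    cfg="$1"; flags="$2"
    # Build options: PTI needs X86_64 on 4.14; retpoline is an independent choice.
    for sym in CONFIG_X86_64 CONFIG_PAGE_TABLE_ISOLATION CONFIG_RETPOLINE; do
        if cfg_enabled "$cfg" "$sym"; then v=yes; else v=no; fi
        printf '%s\t%s\n' "$sym" "$v"
    done
    # CPU/microcode features the kernel needs for the stronger mitigations.
    for fl in pcid ibpb stibp ssbd flush_l1d; do
        if has_flag "$flags" "$fl"; then v=yes; else v=no; fi
        printf 'cpu:%s\t%s\n' "$fl" "$v"
    done
}

# Constructed sample: a fragment of a 4.14 x86-32 .config (not a real Gentoo
# config). CONFIG_PAGE_TABLE_ISOLATION does not appear at all because on 4.14
# the option depends on X86_64 and so is never offered for a 32-bit build.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# CONFIG_X86_64 is not set
CONFIG_X86_32=y
CONFIG_RETPOLINE=y
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the Pentium M flags line from the lscpu output in the thread.
SAMPLE_FLAGS='fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss tm pbe nx bts cpuid est tm2'

# Default run: summarise the constructed sample. "--live [config]" reads the
# running system instead (defaults to /proc/config.gz, needs CONFIG_IKCONFIG_PROC).
if [ "${1:-}" = "--live" ]; then
    mitigation_summary "${2:-/proc/config.gz}" "$(cpu_flags)"
else
    c=$(make_sample_config)
    mitigation_summary "$c" "$SAMPLE_FLAGS"
    rm -f "$c"
fi
```

For the 32-bit sample everything comes out "no" except CONFIG_RETPOLINE, which matches the sysfs picture above: spectre_v2 shows a retpoline mitigation while meltdown stays "Vulnerable" because there is no PTI to build in, and the missing pcid flag is why the 4.19 backport of PTI to x86-32 is expected to cost noticeably more on this class of CPU.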
tholin wrote:
Retpoline is used for mitigating spectre_v2 and nothing else. The PTI (page-table isolation) patch is used for mitigating meltdown but only on 64-bit systems. 32-bit systems have been ignored for a long time but it looks like they will get PTI support in kernel 4.19.

Ah that was it, page-table isolation. Yeah I was wondering why my x86-64 system was reported to have full mitigations for all 4 (5 if you count 3a) Spectre variants and Meltdown (microcode updates were obviously released and applied for that to have been the case) but this one is pretty much swiss cheese. Hey, at least no ME...? :D
Meltdown Protection For x86 32-bit Aligned For The Linux 4.19 Kernel wrote:
With all 32-bit Intel CPUs being pre-Westmere where PCID (Process Context Identifiers) was introduced that helps with offsetting the KPTI performance impact, the performance cost of (K)PTI on 32-bit Linux will potentially be quite high.

Well that sounds absolutely delightful, it's not like it's been a pain up 'til now to compile bigger packages (and my system is pretty minimal mind you, the packages that take the longest to compile are system packages like clang or llvm). :roll:
tholin wrote:
Your system is very old. If it's vulnerable it probably doesn't have the needed microcode updates to fully mitigate l1tf, spec_store_bypass and spectre_v2. There isn't much you can do about that.

I never even dreamed of getting ucode updates from Intel, it was a miracle they had support as far back as Sandy Bridge (and even further? Nehalem? Penryn? Core?! The sky's the limit!). I was rather hoping for partial mitigations done by the kernel.