Zarhan l33t
Joined: 27 Feb 2004 Posts: 994
|
Posted: Wed Apr 04, 2018 4:37 pm Post subject: Gentoo GCC support for spectre fix |
|
|
Hi,
I just noticed that it seems my kernel (4.14.1 isn't fully protected against Spectre attacks.
# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Minimal generic ASM retpoline
Kernel help says
Requires a compiler with -mindirect-branch=thunk-extern support for full protection.
What USE flag do I need to turn on that feature for gcc?
I have the following use flags enabled that are relevant for gcc:
Code: | [ebuild R ] sys-devel/gcc-6.4.0-r1:6.4.0::gentoo USE="cxx fortran (multilib) nls nptl openmp pch pgo (pie) sanitize ssp vtv (-altivec) (-awt) -cilk -debug -doc (-fixed-point) (-gcj) -go -graphite (-hardened) (-jit) (-libssp) -mpx -objc -objc++ -objc-gc -regression-test -vanilla" 0 KiB |
|
guitou Guru
Joined: 02 Oct 2003 Posts: 534 Location: France
|
Posted: Wed Apr 04, 2018 5:11 pm Post subject: |
|
|
Hello.
This is a compiler option, no?: see CFLAGS in your make.conf.
Edit: might require a higher version of gcc too.
++
Gi) |
|
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 30837 Location: here
|
Posted: Wed Apr 04, 2018 5:15 pm Post subject: |
|
|
I think only gcc 8 (probably but not sure also gcc-7) can use this option
_________________
Questions are guaranteed in life; Answers aren't. |
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54096 Location: 56N 3W
|
Posted: Wed Apr 04, 2018 5:26 pm Post subject: |
|
|
Zarhan,
You need gcc-7.3.x. It's in testing.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
|
Posted: Wed Apr 04, 2018 6:22 pm Post subject: |
|
|
Code: |
for i in /sys/devices/system/cpu/vulnerabilities/*; do echo $i, $(cat $i); done
/sys/devices/system/cpu/vulnerabilities/meltdown, Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1, Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2, Mitigation: Full AMD retpoline
gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo 7.3.0 p1.0' --disable-esp --enable-libstdcxx-time --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-altivec --disable-fixed-point --enable-targets=all --disable-libgcj --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --enable-lto --with-isl --disable-isl-version-check --enable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo 7.3.0 p1.0)
grep CFLAGS /etc/portage/make.conf
#CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native -w ${FLTO} ${GRAPHITE}" #-march=znver1" #haswell" # -ggbd
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native -fno-lto -mindirect-branch=thunk"
CXXFLAGS="${CFLAGS}"
|
_________________
Quote: | Removed by Chiitoo |
|
Zarhan l33t
Joined: 27 Feb 2004 Posts: 994
|
Posted: Wed Apr 04, 2018 7:19 pm Post subject: |
|
|
Ok, thanks. So I guess users running stable will have to wait a while longer for the proper fix then. |
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3920 Location: Hamburg
|
Posted: Wed Apr 04, 2018 7:33 pm Post subject: |
|
|
Zarhan wrote: | Ok, thanks. So I guess users running stable will have to wait a while longer for the proper fix then. |
Well, what about keywording and installing gcc-7.3 in parallel to use it only to compile the kernel? |
|
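The check discussed in this thread, as an added shell example that is not part of any post: it classifies the spectre_v2 sysfs status and probes whether a compiler accepts the option named in the kernel help. The function names are hypothetical, and the match patterns are assumptions based on the two status strings quoted above; other kernel versions may report different wording.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Map a spectre_v2 status line to: full | minimal | vulnerable | not-affected | unknown
classify_spectre_v2() {
    case "$1" in
        "Mitigation: Full "*retpoline*)    echo full ;;
        "Vulnerable: Minimal "*retpoline*) echo minimal ;;
        "Not affected"*)                   echo not-affected ;;
        "Vulnerable"*)                     echo vulnerable ;;
        *)                                 echo unknown ;;
    esac
}

# Exit 0 if compiler $1 accepts the option the kernel help names, 1 if it
# rejects it, 2 if the compiler is not installed. Compiles an empty input to
# assembly on stdout, so nothing is written to disk.
cc_has_retpoline() {
    command -v "$1" >/dev/null 2>&1 || return 2
    "$1" -mindirect-branch=thunk-extern -S -x c /dev/null -o - >/dev/null 2>&1 || return 1
}

# Print one line of advice for status line $1 and compiler $2.
retpoline_advice() {
    case "$(classify_spectre_v2 "$1")" in
        full|not-affected) echo "ok: $1" ;;
        minimal)
            if cc_has_retpoline "$2"; then
                echo "rebuild the kernel: $2 accepts -mindirect-branch=thunk-extern"
            else
                echo "need a compiler with -mindirect-branch=thunk-extern: $2 does not provide it"
            fi ;;
        *) echo "check kernel version and config: $1" ;;
    esac
}

# Constructed samples: the two status lines quoted in the thread.
for s in "Vulnerable: Minimal generic ASM retpoline" "Mitigation: Full AMD retpoline"; do
    printf '%-45s -> %s\n' "$s" "$(classify_spectre_v2 "$s")"
done
# Live value, if this kernel exposes it.
if [ -r "$SYSFS" ]; then
    retpoline_advice "$(cat "$SYSFS")" "${CC:-gcc}"
fi
```

Set CC to a slotted compiler binary to probe a second gcc installed in parallel, as suggested in the last post.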