Gentoo Forums
Gentoo GCC support for spectre fix
Gentoo Forums Forum Index » Networking & Security
Zarhan
l33t
Joined: 27 Feb 2004
Posts: 960
PostPosted: Wed Apr 04, 2018 4:37 pm    Post subject: Gentoo GCC support for spectre fix

Hi,

I just noticed that it seems my kernel (4.14.18) isn't fully protected against Spectre attacks.

# cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Minimal generic ASM retpoline

Kernel help says

Requires a compiler with -mindirect-branch=thunk-extern support for full protection.

What USE flag do I need to turn on that feature for gcc?

I have the following use flags enabled that are relevant for gcc:

Code:
[ebuild   R    ] sys-devel/gcc-6.4.0-r1:6.4.0::gentoo  USE="cxx fortran (multilib) nls nptl openmp pch pgo (pie) sanitize ssp vtv (-altivec) (-awt) -cilk -debug -doc (-fixed-point) (-gcj) -go -graphite (-hardened) (-jit) (-libssp) -mpx -objc -objc++ -objc-gc -regression-test -vanilla" 0 KiB
guitou
Guru
Joined: 02 Oct 2003
Posts: 351
Location: France
PostPosted: Wed Apr 04, 2018 5:11 pm

Hello.

This is a compiler option, no? See CFLAGS in your make.conf.

Edit: might require a higher version of gcc too.

++
Gi)
fedeliallalinea
Bodhisattva
Joined: 08 Mar 2003
Posts: 18805
Location: here
PostPosted: Wed Apr 04, 2018 5:15 pm

I think only gcc 8 (probably, but not sure, also gcc-7) can use this option.
_________________
Questions are guaranteed in life; Answers aren't.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 40808
Location: 56N 3W
PostPosted: Wed Apr 04, 2018 5:26 pm

Zarhan,

You need gcc-7.3.x. It's in testing.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Naib
Watchman
Joined: 21 May 2004
Posts: 5290
Location: Removed by Neddy
PostPosted: Wed Apr 04, 2018 6:22 pm

Code:

for i in /sys/devices/system/cpu/vulnerabilities/*; do echo $i, $(cat $i); done
/sys/devices/system/cpu/vulnerabilities/meltdown, Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1, Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2, Mitigation: Full AMD retpoline


gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-pc-linux-gnu/7.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-7.3.0/work/gcc-7.3.0/configure --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/7.3.0 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/7.3.0/include/g++-v7 --with-python-dir=/share/gcc-data/x86_64-pc-linux-gnu/7.3.0/python --enable-languages=c,c++,fortran --enable-obsolete --enable-secureplt --disable-werror --with-system-zlib --enable-nls --without-included-gettext --enable-checking=release --with-bugurl=https://bugs.gentoo.org/ --with-pkgversion='Gentoo 7.3.0 p1.0' --disable-esp --enable-libstdcxx-time --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-multilib --with-multilib-list=m32,m64 --disable-altivec --disable-fixed-point --enable-targets=all --disable-libgcj --enable-libgomp --disable-libmudflap --disable-libssp --disable-libcilkrts --disable-libmpx --enable-vtable-verify --enable-libvtv --enable-lto --with-isl --disable-isl-version-check --enable-libsanitizer --enable-default-pie --enable-default-ssp
Thread model: posix
gcc version 7.3.0 (Gentoo 7.3.0 p1.0)

grep CFLAGS /etc/portage/make.conf
#CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native  -w ${FLTO} ${GRAPHITE}" #-march=znver1" #haswell" # -ggbd
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native -fno-lto -mindirect-branch=thunk"
CXXFLAGS="${CFLAGS}"

_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Zarhan
l33t
Joined: 27 Feb 2004
Posts: 960
PostPosted: Wed Apr 04, 2018 7:19 pm

Ok, thanks. So I guess users running stable will have to wait a while longer for the proper fix then.
toralf
Developer
Joined: 01 Feb 2004
Posts: 3554
Location: Hamburg
PostPosted: Wed Apr 04, 2018 7:33 pm

Zarhan wrote:
Ok, thanks. So I guess users running stable will have to wait a while longer for the proper fix then.
Well, what about keywording and installing gcc-7.3 in parallel, to use it only to compile the kernel?
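As an added example (not code from any post in this thread), the script below does two things the thread touches on: it parses the `path, status` lines that Naib's loop prints and classifies each entry the way the kernel reports it (Zarhan's `Vulnerable: ...` line versus Naib's `Mitigation: ...` line), and it checks whether a given compiler accepts `-mindirect-branch=thunk-extern`, which is the test to run against a parallel gcc-7.3 before pointing the kernel build at it. The sample status lines are constructed from the values quoted in the thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of sysfs status lines, taken from the values quoted in
# this thread (not live output from any machine).
SAMPLE_STATUS='/sys/devices/system/cpu/vulnerabilities/meltdown, Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1, Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2, Vulnerable: Minimal generic ASM retpoline'

# Map one status string, as the kernel reports it, onto a short verdict.
# "Vulnerable: Minimal generic ASM retpoline" still counts as vulnerable:
# the kernel only reports "Mitigation:" once a full retpoline build is in place.
classify_status() {
  case "$1" in
    "Not affected"*) echo not-affected ;;
    "Mitigation:"*)  echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Read "path, status" lines (the format printed by the loop in this thread)
# and emit "name verdict" per line.
report_lines() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    path=${line%%,*}        # everything before the first comma
    status=${line#*, }      # everything after the first ", "
    name=${path##*/}        # basename of the sysfs file
    echo "$name $(classify_status "$status")"
  done
}

# Count how many entries are still reported as vulnerable.
count_vulnerable() {
  report_lines "$1" | grep -c ' vulnerable$' || true
}

# Collect the live status of the running kernel in the same "path, status"
# format (Linux sysfs only; skipped below when the directory is absent).
live_status() {
  for f in /sys/devices/system/cpu/vulnerabilities/*; do
    [ -r "$f" ] || continue
    printf '%s, %s\n' "$f" "$(cat "$f")"
  done
}

# Return 0 if the compiler named in $1 accepts the flag the kernel help asks
# for, i.e. it can build a kernel with full retpoline support.
cc_has_retpoline() {
  printf 'int main(void){return 0;}\n' \
    | "$1" -mindirect-branch=thunk-extern -x c -c -o /dev/null - 2>/dev/null
}

# Demonstration on the constructed sample.
report_lines "$SAMPLE_STATUS"
echo "still vulnerable: $(count_vulnerable "$SAMPLE_STATUS")"

# On a real Linux box, also show the live status and test the default compiler.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
  report_lines "$(live_status)"
fi
if cc_has_retpoline "${CC:-gcc}"; then
  echo "${CC:-gcc}: supports -mindirect-branch=thunk-extern"
else
  echo "${CC:-gcc}: no -mindirect-branch=thunk-extern support"
fi
```

To test a parallel toolchain as toralf suggests, call `cc_has_retpoline` with that compiler's path (for example the versioned binary under `/usr/x86_64-pc-linux-gnu/gcc-bin/`), then build the kernel with that compiler and re-read `spectre_v2`; the verdict should move from `vulnerable` to `mitigated`.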