FS#57079 - [gcc] add support for x86: CVE-2017-5715, aka Spectre mitigation
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Friday, 12 January 2018, 23:45 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 19 January 2018, 23:35 GMT
Details
Description:
https://gcc.gnu.org/ml/gcc-patches/2018-01/msg00422.html describes the patch set for gcc8; the patches ported to gcc can be obtained here: https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-7-branch/master (requires the last 8 commits). This would then allow binaries such as the kernel to use patch sets that require -mindirect-branch=thunk-extern -mindirect-branch-register, such as the https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/ x86/pti branch. This goes against Arch policy of waiting for upstream to provide the feature, but it seems unlikely that gcc support will be ready by the time kernel upstream starts backporting features that benefit from it.

Additional info:
* 7.2.1+20171224-2
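The report hinges on whether the installed gcc accepts the two retpoline flags, and on what -mindirect-branch=thunk-extern actually changes in generated code. The following is an added example (not code from the bug report, from gcc or from the kernel tree) that probes a compiler for those flags, similar in spirit to the kernel build system's compiler-option probe, and then compiles a constructed function containing an indirect call to list the external thunk symbols the object ends up referencing. It assumes an x86-64 host with gcc and nm on PATH; the function names cc_has_retpoline and retpoline_thunk_refs are this example's own.

```shell
#!/bin/sh
# Added example (not from the Arch bug report): probe whether the installed
# gcc accepts the retpoline flags the kernel patch set needs, and show what
# -mindirect-branch=thunk-extern does to an indirect call.
# Assumptions: x86-64 host, gcc and nm available on PATH.

# The two flags named in the bug report.
RETPOLINE_CFLAGS="-mindirect-branch=thunk-extern -mindirect-branch-register"

# Prints "yes" if the compiler accepts the flags, "no" otherwise.
# Optional first argument selects the compiler (default: gcc).
cc_has_retpoline() {
    cc="${1:-gcc}"
    if printf 'int main(void){return 0;}\n' | \
        "$cc" $RETPOLINE_CFLAGS -x c -c -o /dev/null - 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Compiles a constructed function with an indirect call using the flags and
# prints the undefined __x86_indirect_thunk_* symbols the object references.
# With thunk-extern gcc replaces `call/jmp *%reg` by a call/jmp to
# __x86_indirect_thunk_<reg>, which the kernel (or another runtime) must
# supply; so linking such an object stand-alone fails unless a thunk exists.
retpoline_thunk_refs() {
    cc="${1:-gcc}"
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ind.c" <<'EOF'
/* Constructed sample: an indirect call through a function pointer. */
int dispatch(int (*fn)(int), int x) { return fn(x); }
EOF
    if ! "$cc" $RETPOLINE_CFLAGS -O2 -c -o "$tmp/ind.o" "$tmp/ind.c" 2>/dev/null; then
        rm -rf "$tmp"
        return 1
    fi
    nm -u "$tmp/ind.o" | grep -o '__x86_indirect_thunk_[a-z0-9]*' | sort -u
    rm -rf "$tmp"
}

# Usage when run directly:
#   cc_has_retpoline         -> yes or no
#   retpoline_thunk_refs     -> e.g. __x86_indirect_thunk_rdi on a supporting gcc
```

On a gcc without the backport, cc_has_retpoline prints "no" and retpoline_thunk_refs fails, which is exactly the situation the report describes: kernel patch sets that rely on these flags cannot be built against the packaged compiler until the gcc-7 backport lands.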
Closed by Doug Newgard (Scimmia)
Friday, 19 January 2018, 23:35 GMT
Reason for closing: Implemented
Additional comments about closing: gcc 7.2.1+20180116-1
Comment by loqs (loqs) - Friday, 12 January 2018, 23:46 GMT
Should be ported to gcc7 instead of gcc; sorry for the error.

Comment by David McAdoo (geecroof) - Monday, 15 January 2018, 11:00 GMT
I think there is no hurry for that. Developers are still investigating this and testing new solutions. We can wait for the actual gcc 8 release. Spectre isn't a problem which has to be resolved asap.

Comment by loqs (loqs) - Monday, 15 January 2018, 11:39 GMT
The kernel developers appear to have already chosen this solution for 4.15 / 4.14.14:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-4.14/x86-retpoline-add-initial-retpoline-support.patch?id=f6a4718f66d6e6b92a096b11a21b4c028a093b83#n95
However, even without the compiler support the patch set still offers mitigation against some Spectre variant 2 attack vectors:
https://www.spinics.net/lists/kernel/msg2697678.html

Comment by Bartłomiej Piotrowski (Barthalion) - Monday, 15 January 2018, 16:05 GMT
I will backport it next time I touch the toolchain. (Looks like changes are constantly rebased, so my concern about maintaining this went away.)

Comment by loqs (loqs) - Monday, 15 January 2018, 18:06 GMT
@Barthalion thank you for investigating the feasibility of this request. Upstream is now in the process of backporting the patches to gcc-7-branch:
https://gcc.gnu.org/ml/gcc-patches/2018-01/msg01348.html

Comment by loqs (loqs) - Tuesday, 16 January 2018, 12:48 GMT
All relevant commits now appear to be in the gcc-7-branch as of 256742.