FS#57079 - [gcc] add support for x86: CVE-2017-5715, aka Spectre mitigation

Attached to Project: Arch Linux
Opened by loqs (loqs) - Friday, 12 January 2018, 23:45 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 19 January 2018, 23:35 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
https://gcc.gnu.org/ml/gcc-patches/2018-01/msg00422.html describes the patch set for gcc8.
The patches ported to gcc can be obtained here: https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-7-branch/master (requires the last 8 commits).
This would then allow binaries such as the kernel to use patch sets that require -mindirect-branch=thunk-extern -mindirect-branch-register,
such as the https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/ x86/pti branch. This goes against the Arch policy of waiting for upstream to
provide the feature, but it seems unlikely that gcc support will be ready by the time kernel upstream starts backporting features that benefit from it.

Additional info:
* 7.2.1+20171224-2
This task depends upon

Closed by Doug Newgard (Scimmia)
Friday, 19 January 2018, 23:35 GMT
Reason for closing: Implemented
Additional comments about closing: gcc 7.2.1+20180116-1
Comment by loqs (loqs) - Friday, 12 January 2018, 23:46 GMT
Should be ported to gcc7 instead of gcc, sorry for the error.
Comment by David McAdoo (geecroof) - Monday, 15 January 2018, 11:00 GMT
I think there is no hurry for that. Developers are still investigating this and testing new solutions. We can wait for the actual gcc 8 release. Spectre isn't a problem which has to be resolved ASAP.
Comment by loqs (loqs) - Monday, 15 January 2018, 11:39 GMT
The kernel developers appear to have already chosen this solution for 4.15 / 4.14.14: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-4.14/x86-retpoline-add-initial-retpoline-support.patch?id=f6a4718f66d6e6b92a096b11a21b4c028a093b83#n95. However, even without the compiler support, the patch set still offers mitigation against some Spectre variant 2 attack vectors: https://www.spinics.net/lists/kernel/msg2697678.html
Comment by Bartłomiej Piotrowski (Barthalion) - Monday, 15 January 2018, 16:05 GMT
I will backport it next time I touch toolchain. (Looks like changes are constantly rebased so my concern about maintaining this went away.)
Comment by loqs (loqs) - Monday, 15 January 2018, 18:06 GMT
@Barthalion thank you for investigating the feasibility of this request. Upstream is now in the process of backporting the patches to gcc-7-branch https://gcc.gnu.org/ml/gcc-patches/2018-01/msg01348.html
Comment by loqs (loqs) - Tuesday, 16 January 2018, 12:48 GMT
All relevant commits now appear to be in the gcc-7-branch as of 256742.
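The flags requested above, -mindirect-branch=thunk-extern -mindirect-branch-register, make gcc replace every indirect call or jump such as `call *%rax` with a direct `call __x86_indirect_thunk_rax` and leave it to the program to supply that symbol, which is what the kernel's retpoline patch set does in arch/x86/lib/retpoline.S. The following is an added example, not code from this bug report, from gcc or from the kernel: it hand-writes the `%rax` retpoline thunk in the same shape the kernel uses, calls a function through it so the thunk can be exercised even when the file is compiled without the flags, and shows the kind of table-driven indirect call the flags rewrite. The symbol name `__x86_indirect_thunk_rax` is gcc's real naming scheme; the helper names `call_via_retpoline`, `dispatch` and `dispatch_retpoline` and the sample operations are assumptions for illustration.

```c
/*
 * Added example (not from the Arch bug report, gcc or the kernel): what
 * -mindirect-branch=thunk-extern -mindirect-branch-register expects from
 * the program, namely a __x86_indirect_thunk_<reg> symbol per register.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) && defined(__ELF__)
/* Retpoline thunk for %rax, the same sequence the kernel's retpoline.S uses.
 * "call 2f" pushes a return address (so the RSB predicts a return to 1:),
 * 1: is a trap loop that any mis-speculated return spins in, and at 2: the
 * real target in %rax overwrites the pushed address so that "ret" lands on
 * it without ever executing an indirect call or jump. */
__asm__(
    ".text\n"
    ".globl __x86_indirect_thunk_rax\n"
    ".type __x86_indirect_thunk_rax, @function\n"
    "__x86_indirect_thunk_rax:\n"
    "    call 2f\n"
    "1:  pause\n"
    "    lfence\n"
    "    jmp 1b\n"
    "2:  mov %rax, (%rsp)\n"
    "    ret\n"
    ".size __x86_indirect_thunk_rax, .-__x86_indirect_thunk_rax\n");

/* Call fn(arg) through the thunk by hand, as gcc would when built with the
 * flags: target in %rax, then a direct call to the thunk. */
static long call_via_retpoline(long (*fn)(long), long arg)
{
    long ret = (long)(uintptr_t)fn;      /* target address goes in %rax */
    __asm__ volatile(
        "mov %%rsp, %%r12\n\t"           /* save %rsp */
        "sub $128, %%rsp\n\t"            /* step over the SysV red zone */
        "and $-16, %%rsp\n\t"            /* 16-byte align before the call */
        "call __x86_indirect_thunk_rax\n\t"
        "mov %%r12, %%rsp\n\t"           /* restore %rsp */
        : "+a"(ret), "+D"(arg)           /* %rax: target in, result out; %rdi: arg */
        :
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "r12", "memory", "cc");
    return ret;
}
#else
/* Not x86-64 ELF: no thunk, fall back to a plain indirect call. */
static long call_via_retpoline(long (*fn)(long), long arg)
{
    return fn(arg);
}
#endif

static long op_double(long x) { return 2 * x; }
static long op_negate(long x) { return -x; }
static long op_square(long x) { return x * x; }

/* Table-driven dispatch: ops[idx](x) is a compiler-visible indirect call,
 * exactly what -mindirect-branch=thunk-extern turns into a thunk call. */
static long (*const ops[])(long) = { op_double, op_negate, op_square };

long dispatch(unsigned idx, long x)
{
    if (idx >= sizeof ops / sizeof ops[0])
        return 0;
    return ops[idx](x);
}

/* Same dispatch, routed explicitly through the hand-written %rax thunk. */
long dispatch_retpoline(unsigned idx, long x)
{
    if (idx >= sizeof ops / sizeof ops[0])
        return 0;
    return call_via_retpoline(ops[idx], x);
}

int main(void)
{
    printf("dispatch(0, 21) = %ld, via retpoline = %ld\n",
           dispatch(0, 21), dispatch_retpoline(0, 21));
    return 0;
}
```

To see the rewrite the flags perform, compile to an object file with a gcc that has the backport (7.2.1+20180116-1 or later, per the closing comment) and inspect it: `gcc -O2 -mindirect-branch=thunk-extern -mindirect-branch-register -c demo.c && objdump -dr demo.o | grep -E 'call.*(\*%|indirect_thunk)'`. The plain `call *%reg` in `dispatch` becomes `call __x86_indirect_thunk_<reg>` for whichever register gcc chose, and the object references that symbol as undefined, which is why only a `-c` build links cleanly here: this file supplies the `%rax` thunk alone, whereas the kernel's retpoline.S provides one for each of the 15 general-purpose registers. A gcc without the feature rejects the flag outright; the kernel Makefile probes for it with cc-option, so an older compiler silently builds a kernel without retpolines, which is the situation the report is trying to avoid.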