[LEDE-DEV] Spectre vulnerability & LEDE 17.01 release

Rafał Miłecki zajec5 at gmail.com
Tue Feb 27 02:37:11 PST 2018


There has been some talk on upcoming 17.01 fix release and Meltdown/Spectre.

Quick summary:
1) Most LEDE-supported devices aren't affected
2) For most LEDE use cases these vulnerabilities don't matter
3) 17.01 uses 4.4.116 which includes Meltdown fixes
4) Spectre mitigation requires newer GCC and CPU microcode update
5) Zoltan made some progress on x86 microcode update support

So right now in some specific cases (mostly when running unverified
software) Spectre may be a problem.

There are two problems with solving it:

1) Microcode updates are not (fully) available yet
It's unclear how long it will take Intel to release updated microcode.

2) GCC officially supports Spectre mitigation in 7.2 and 8.0
LEDE 17.01 uses GCC 5.4. It seems fixes are unofficially backported to 5.5:
https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master
So the only solution for LEDE is to switch from 5.4 to 5.5 and apply
the backported fixes. I'm not sure how safe it's going to be (possible
regressions caused by the 5.5 update).

If I'm wrong about anything, please let me know.

In this situation my suggestion is to release 17.01.5 now and take
care of Spectre in another release in a few months from now. What do you
think? Any objections?

-- 
Rafał
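
The following script is an added example, not part of this message or of the LEDE project. It checks the three things the message's points 3 to 5 turn on for a given device: whether the running kernel reports Meltdown/Spectre as mitigated (via the sysfs vulnerabilities directory that kernels with the reporting backport expose), which microcode revision the CPU is running, and whether a given compiler (e.g. a LEDE cross toolchain's gcc) accepts GCC's retpoline option -mindirect-branch=thunk. Function names, file paths and the constructed sample inputs are the example's own assumptions; the retpoline flag is x86-only, so on ARM or MIPS toolchains the compiler check is expected to fail regardless of GCC version.

```shell
#!/bin/sh
# Added example (not LEDE project code): report the kernel, microcode and
# toolchain state relevant to Meltdown/Spectre mitigation on a target.

# Print one line per vulnerability file under $1 (default: the sysfs directory
# that kernels with vulnerability reporting expose). Return 1 if any entry is
# still reported "Vulnerable", 2 if the kernel does not report at all.
report_cpu_vulns() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  status=0
  if [ ! -d "$dir" ]; then
    echo "unknown: $dir does not exist (kernel does not report mitigations)"
    return 2
  fi
  for f in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$f" ]; then
      line=$(cat "$dir/$f")
      echo "$f: $line"
      case "$line" in
        Vulnerable*) status=1 ;;
      esac
    else
      echo "$f: not reported"
    fi
  done
  return "$status"
}

# Print the CPU microcode revision from a cpuinfo file ($1, default
# /proc/cpuinfo), to compare against the revision a microcode update installs.
# Prints nothing on architectures whose cpuinfo has no "microcode" field.
microcode_rev() {
  awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Return 0 if the compiler in $1 (default: gcc) accepts -mindirect-branch=thunk,
# GCC's retpoline option (x86 only), i.e. can build a Spectre v2 mitigated
# kernel; 3 if the compiler is not found, non-zero otherwise (e.g. an
# unpatched GCC 5.4 rejects the flag).
gcc_supports_retpoline() {
  cc="${1:-gcc}"
  command -v "$cc" >/dev/null 2>&1 || return 3
  printf 'int f(int (*p)(void)) { return p(); }\n' \
    | "$cc" -mindirect-branch=thunk -x c -c -o /dev/null - >/dev/null 2>&1
}

# Run all checks against the live system:
#   CC=x86_64-openwrt-linux-musl-gcc ./spectre-check.sh --run
run_checks() {
  report_cpu_vulns
  echo "microcode revision: $(microcode_rev)"
  if gcc_supports_retpoline "${CC:-gcc}"; then
    echo "${CC:-gcc}: accepts -mindirect-branch=thunk (retpoline capable)"
  else
    echo "${CC:-gcc}: no retpoline support (or compiler not found)"
  fi
}

if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

On a router the sysfs check has to run on the device itself, while the compiler check is meant for the build host against the staging_dir toolchain; a kernel that predates the reporting backport returns "unknown", which is not the same as mitigated.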
