[LEDE-DEV] Spectre vulnerability & LEDE 17.01 release

Florian Fainelli f.fainelli at gmail.com
Tue Feb 27 06:35:38 PST 2018



On 02/27/2018 02:37 AM, Rafał Miłecki wrote:
> There has been some talk on upcoming 17.01 fix release and Meltdown/Spectre.
> 
> Quick summary:
> 1) Most of LEDE supported devices aren't affected
> 2) For most LEDE use cases these vulnerabilities don't matter
> 3) 17.01 uses 4.4.116 which includes Meltdown fixes
> 4) Spectre mitigation requires newer GCC and CPU microcode update
> 5) Zoltan made some progress on x86 microcode update support
> 
> So right now in some specific cases (mostly when running unverified
> software) Spectre may be a problem.
> 
> There are two problems with solving it:
> 
> 1) Microcode updates are not (fully) available yet
> It's unclear how long it will take Intel to release updated microcode.
> 
> 2) GCC officially supports Spectre mitigation in 7.2 and 8.0
> LEDE 17.01 uses GCC 5.4. It seems fixes are unofficially backported to 5.5:
> https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master
> So the only solution for LEDE is to switch from 5.4 to 5.5 and apply
> backported fixes. I'm not sure how safe it's going to be (possible
> regressions caused by 5.5 update).
> 
> If I'm wrong about anything, please let me know.
> 
> In this situation my suggestion is to release 17.01.5 now and take
> care of Spectre in another release in a few months from now. What do you
> think? Any objections?

Your focus appears to be on x86 which is fine, but we also have
Cortex-A9 and Cortex-A15 based platforms that need to get appropriate
Spectre v1 and v2 fixes. Patches were posted by ARM but have not been
included yet and I am being told there is another set in the works:

https://patchwork.kernel.org/patch/10195309/
https://patchwork.kernel.org/patch/10195307/
https://patchwork.kernel.org/patch/10195305/
https://patchwork.kernel.org/patch/10195303/
https://patchwork.kernel.org/patch/10195311/
https://patchwork.kernel.org/patch/10195313/

I have not looked at the state of the arm64 targets in 17.01 but those
could also need some fixes.
-- 
Florian


