[LEDE-DEV] Spectre vulnerability & LEDE 17.01 release

Hauke Mehrtens hauke at hauke-m.de
Sun Mar 4 06:36:34 PST 2018


On 02/27/2018 11:37 AM, Rafał Miłecki wrote:
> There has been some talk on upcoming 17.01 fix release and Meltdown/Spectre.
> 
> Quick summary:
> 1) Most of LEDE supported devices aren't affected
> 2) For most LEDE use cases these vulnerabilities don't matter
> 3) 17.01 uses 4.4.116 which includes Meltdown fixes
> 4) Spectre mitigation requires newer GCC and CPU microcode update
> 5) Zoltan made some progress on x86 microcode update support
> 
> So right now in some specific cases (mostly when running an unverified
> software) Spectre may be a problem.
> 
> There are two problems with solving it:
> 
> 1) Microcode updates are not (fully) available yet
> It's unclear how long it will take Intel to release updated microcodes.
> 
> 2) GCC officially supports Spectre mitigation in 7.2 and 8.0
> LEDE 17.01 uses GCC 5.4. It seems fixes are unofficially backported to the 5.5:
> https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master
> So the only solution for LEDE is to switch from 5.4 to 5.5 and apply
> backported fixes. I'm not sure how safe it's going to be (possible
> regressions caused by 5.5 update).
> 
> If I'm wrong about anything, please let me know.
> 
> In this situation my suggestion is to release 17.01.5 now and take
> care of Spectre in another release in a few months from now. What do you
> think? Any objections?

I agree with you. We should do the LEDE 17.01.5 release now with the
current state; there are already many other bugfixes in the lede
17.01 branch, some for security problems which probably can be abused
much more easily in most of the common OpenWrt use cases than Spectre.

I would also wait with the ARM Spectre fixes till this code hits the 4.4
LTS kernel tree and then we can release it in lede 17.01.6 in some months.

I am not sure if we should update the GCC at all or if users that
really want these fixes should go to OpenWrt 18.X.

mbedtls 2.7 fixed 2 security problems in their last release, but this
version is ABI incompatible but API compatible with the previous
version. Should I backport the commits or should I increase the
PKG_RELEASE number for all dependent packages?

This is my personal opinion on this topic.

Hauke