[LEDE-DEV] Spectre vulnerability & LEDE 17.01 release

Rosen Penev rosenp at gmail.com
Sun Mar 4 09:48:47 PST 2018


On Sun, Mar 4, 2018 at 6:36 AM, Hauke Mehrtens <hauke at hauke-m.de> wrote:
> On 02/27/2018 11:37 AM, Rafał Miłecki wrote:
>> There has been some talk on upcoming 17.01 fix release and Meltdown/Spectre.
>>
>> Quick summary:
>> 1) Most of LEDE supported devices aren't affected
>> 2) For most LEDE use cases these vulnerabilities don't matter
>> 3) 17.01 uses 4.4.116 which includes Meltdown fixes
>> 4) Spectre mitigation requires newer GCC and CPU microcode update
>> 5) Zoltan did some progress on x86 microcode update support
>>
>> So right now in some specific cases (mostly when running an unverified
>> software) Spectre may be a problem.
>>
>> There are two problems solving it:
>>
>> 1) Microcode updates are not (fully) available yet
>> It's unclear how long it will take Intel to release updates microcodes.
>>
>> 2) GCC officially supports Spectre mitigation in 7.2 and 8.0
>> LEDE 17.01 uses GCC 5.4. It seems fixes are unofficially backported to the 5.5:
>> https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master
>> So the only solution for LEDE is to switch from 5.4 to 5.5 and apply
>> backported fixes. I'm not sure how safe it's going to be (possible
>> regressions caused by 5.5 update).
>>
>> If I'm wrong about anything, please let me know.
>>
>> In this situation my suggestion it to release 17.01.5 now and take
>> care of Spectre in another release in few months from now. What do you
>> think? Any objections?
>
> I agree with you. We should do the LEDE 17.01.5 release now with the
> current state, there are already many other bugfixes in the the lede
> 17.01 branch some for security problems which probably can be abused
> much easier in most of the common OpenWrt uses cases that Spectre.
>
> I would also wait with the ARM Spectre fixes till this code hits the 4.4
> LTS kernel tree and then we can release it in lede 17.01.6 in some months.
>
> I am, not sure if we should update the GCC at all or if users that
> really want these fixes should go to OpenWrt 18.X.
The MIPS SATA data corruption issue affects kernels 4.9 and above.
17.01 uses 4.4 i believe.

I vote for leaving GCC at 5.5.
>
> mbedtls 2.7 fixed 2 security problems in their last release, but this
> version is ABI incompatible but API compatible with the previous
> version, should I backport the commits or should I increase the
> PKG_RELEASE number for all depended packages?
>
> This is my personal opinion on this topic.
>
> Hauke
>
> _______________________________________________
> Lede-dev mailing list
> Lede-dev at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/lede-dev



More information about the Lede-dev mailing list