DevHeads.net

Meltdown and Spectre

Does anyone know if Red Hat are working on backporting improved mitigation techniques and features from newer, 4.14.14+ kernels?

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
$

Comments

Re: Meltdown and Spectre

By Peter Kjellstrom at 02/12/2018 - 12:36

On Mon, 12 Feb 2018 11:13:57 +0000

As it is Redhat has a more comprehensive set of fixes than your 4.14
example above.

For everyone (regardless of microcode etc.) you get PTI and some
additional LFENCE.

For CPUs with microcode support you also get IBRS (restrict speculation)
and IBPB (branch predict barrier).

My understanding is that today for CPUs without microcode support
(most/all since it was revoked) that means slightly less protection (no
retpoline). But for CPUs with support and for Skylake (limited
retpoline usefullness) IBRS+IBPB gives better coverage.

You can view this status in /sys/kernel/debug/x86 (with mounted
debugfs).

The above goes for C6/C7 while Fedora has upstream vanilla stuff.

/Peter