From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] PSA: GCC 7.3 allows to build kernel with full Spectre v2 mitigation
Date: Mon, 29 Jan 2018 10:02:29 -0500
Message-ID: <CAGfcS_=nEr-bXJ5e2_3LAFd-J8mWYBPkTaO44YdUS7gHbVrtUw@mail.gmail.com>
In-Reply-To: <p4mop9$3e9$1@blaine.gmane.org>

On Mon, Jan 29, 2018 at 4:19 AM, Nikos Chantziaras <realnc@gmail.com> wrote:
> For this to work, you need to enable CONFIG_RETPOLINE in the kernel:
>
>   Processor type and features
>     [*] Avoid speculative indirect branches in kernel
>

Note that in general upstream recommends enabling these protections
even if your CPU isn't vulnerable.  In general the kernel detects at
boot what is needed and they've done some work to try to use the least
invasive solution needed for your particular CPU.  Then, if you later
re-use that config on a vulnerable CPU without thinking about it
(perhaps years from now) you won't be left unprotected.

The only really expensive mitigation is for Meltdown (PTI) and it is
disabled automatically on AMD CPUs.  The Retpolines are also adjusted
by CPU type.

There is talk of allowing KPTI to be disabled per-process in the
future, which would be the best of both worlds.  If you had a database
server you could disable KPTI on the database server process itself
(which does effectively give it root access, though only if exploited
- it isn't going to accidentally mess things up), but still leave the
overall system protected against random processes escalating privs.
If you have a dedicated database server then probably the only process
you truly worry about is the database server itself, so if something
is running malicious code on this process you've already lost whether
it has root access or not.  Though, I would probably also point out
that I would use care applying this to containers and not just to VMs,
because the vulnerability would let you cross container boundaries,
but not VMs (assuming you haven't enabled similar exceptions to PTI in
the hypervisor).


-- 
Rich

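The message above relies on two things an administrator can verify: the kernel exposes its chosen mitigation per CPU under /sys/devices/system/cpu/vulnerabilities (the subject of the parent thread), and CONFIG_RETPOLINE must be set in the kernel config for the Spectre v2 mitigation to be built in. The script below is an added example, not code from the thread or from any of its participants; it summarizes a vulnerabilities directory, counts entries the kernel still reports as "Vulnerable", and checks a kernel .config (plain or gzip-compressed) for CONFIG_RETPOLINE=y. The directory contents and config it runs against are constructed sample data modeled on the status strings 4.14/4.15-era kernels print; point the functions at the real paths on a live system.

```shell
#!/bin/sh
# Added example: report Spectre/Meltdown mitigation status as the kernel exposes
# it in /sys and check a kernel config for CONFIG_RETPOLINE. Sample data below is
# constructed; it is not captured from a real machine.

# Print "name: status" for every entry in a vulnerabilities directory
# (one file per issue, e.g. meltdown, spectre_v1, spectre_v2).
report_vulns() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Print how many entries start with "Vulnerable" rather than
# "Mitigation: ..." or "Not affected".
count_vulnerable() {
  n=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    case $(cat "$f") in
      Vulnerable*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Exit 0 if the given kernel config enables CONFIG_RETPOLINE.
# Accepts a plain file (e.g. /boot/config-$(uname -r)) or a gzip-compressed
# one (e.g. /proc/config.gz when CONFIG_IKCONFIG_PROC is set).
retpoline_enabled() {
  {
    case $1 in
      *.gz) gzip -dc "$1" ;;
      *)    cat "$1" ;;
    esac
  } | grep -q '^CONFIG_RETPOLINE=y$'
}

# Constructed sample: what a kernel built without a retpoline-capable compiler
# might show on a CPU that does get the Meltdown (PTI) mitigation.
sample_dir=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$sample_dir/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$sample_dir/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sample_dir/spectre_v2"

# Constructed sample kernel config fragment with the option the thread asks for.
sample_config=$(mktemp)
printf 'CONFIG_RETPOLINE=y\nCONFIG_PAGE_TABLE_ISOLATION=y\n' > "$sample_config"

report_vulns "$sample_dir"
echo "entries still vulnerable: $(count_vulnerable "$sample_dir")"
if retpoline_enabled "$sample_config"; then
  echo "CONFIG_RETPOLINE=y found in $sample_config"
else
  echo "CONFIG_RETPOLINE not enabled in $sample_config"
fi

# On a live system, substitute the real locations:
#   report_vulns /sys/devices/system/cpu/vulnerabilities
#   retpoline_enabled /proc/config.gz        (or /boot/config-"$(uname -r)")
```

A status of "Vulnerable: Minimal generic ASM retpoline" together with CONFIG_RETPOLINE=y in the config is the case the PSA is about: the kernel option is on, but the compiler used to build the kernel lacked retpoline support, so the result is only the minimal assembly variant and the kernel still reports itself as vulnerable.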
