10 Apr 2019 15:56
On Wed, 2019-04-10 at 13:31 +0200, Jiri Slaby wrote:
> On 10. 04. 19, 12:31, Michael Pujos wrote:
> >
> > spectre_v2=retpoline,generic should be the default in my opinion.
> > If
> > good guys at Fedora (and other distros) are using it, so can
> > openSUSE.
>
> They don't even have IBRS support in their kernels AFAIR.
>
FWIW, they seem to have that now, at least, according to this:

> Fedora default: http://termbin.com/0u7o

  * Kernel is compiled with IBRS support: YES
  * IBRS enabled and active: YES (for kernel and firmware code)

Out of curiosity, I installed kernel-vanilla on Tumbleweed, and there I
have:

  $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
  Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

  # sudo spectre-meltdown-checker.sh
  ...
  CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
  * Mitigation 2
  > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

Which confirms (if there were any need for that) that it's our own
doing, e.g., in kernel-default...

> retpolines are not complete protection on skylake+.
>
... For this reason, indeed. :-)

Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
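
Added example, not part of the message above or of any SUSE or kernel code: a small Python parser for the `spectre_v2` sysfs line, so the points debated in the thread (retpoline or not, IBRS for firmware calls, IBPB and STIBP mode) can be compared across hosts. The function names are hypothetical, the first sample is the string quoted in the message, and the "Vulnerable" input used when checking it is constructed.

```python
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# The string quoted in the message above (kernel-vanilla on Tumbleweed).
SAMPLE = ("Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, "
          "STIBP: conditional, RSB filling")


def parse_spectre_v2(line):
    """Split the sysfs line into status, primary mitigation and feature flags."""
    status, sep, rest = line.strip().partition(":")
    fields = [f.strip() for f in rest.split(",") if f.strip()] if sep else []
    features = {}
    for field in fields[1:]:
        key, has_value, value = field.partition(":")
        # "IBPB: conditional" -> mode string; bare "IBRS_FW" -> True
        features[key.strip()] = value.strip() if has_value else True
    return {
        "status": status.strip(),
        "primary": fields[0] if fields else None,
        "features": features,
    }


def summarize(line):
    """Reduce the parsed line to the points argued about in this thread."""
    parsed = parse_spectre_v2(line)
    primary = (parsed["primary"] or "").lower()
    feats = parsed["features"]
    return {
        "mitigated": parsed["status"] == "Mitigation",
        "retpoline": "retpoline" in primary,
        "ibrs_firmware_calls": feats.get("IBRS_FW", False),
        "ibpb": feats.get("IBPB"),
        "stibp": feats.get("STIBP"),
        "rsb_filling": feats.get("RSB filling", False),
    }


def read_host():
    """Return the summary for this machine, or None if sysfs lacks the file."""
    try:
        return summarize(SYSFS.read_text())
    except OSError:
        return None


if __name__ == "__main__":
    print("sample:", summarize(SAMPLE))
    print("host:  ", read_host())
```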