This commit updates to kernel version 4.9.75 and enables
CONFIG_PAGE_TABLE_ISOLATION for x86, x86_64 and aarch64. For all
other architectures, CONFIG_PAGE_TABLE_ISOLATION is disabled.
CONFIG_PAGE_TABLE_ISOLATION mitigates the Meltdown security flaw
almost all Intel CPUs and some ARM CPUs are suspect to [1,2].
(This patch does not solve the Spectre security threat [2], which
affects also non-Intel CPUs [3].)
I believe this commit will cause some discussion, especially the
following points seem worth discussing:
a) CONFIG_PAGE_TABLE_ISOLATION has a performance impact on
syscalls, which can slow down specific applications
significantly. AMD users might benefit from a kernel without
KPTI (unless Meltdown turns out to affect them as well)
b) Is disabling this feature a reasonable choice for CPU
architectures different from x86, x86_64 and aarch64?
[1]: https://meltdownattack.com/#faq-systems-meltdown
[2]: http://kroah.com/log/blog/2018/01/06/meltdown-status/
[3]: https://meltdownattack.com/#faq-systems-spectre
---
main/linux-vanilla/APKBUILD | 18 +++++++++---------
main/linux-vanilla/config-vanilla.aarch64 | 1 +
main/linux-vanilla/config-vanilla.armhf | 1 +
main/linux-vanilla/config-vanilla.ppc | 1 +
main/linux-vanilla/config-vanilla.ppc64le | 1 +
main/linux-vanilla/config-vanilla.s390x | 1 +
main/linux-vanilla/config-vanilla.x86 | 1 +
main/linux-vanilla/config-vanilla.x86_64 | 1 +
8 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/main/linux-vanilla/APKBUILD b/main/linux-vanilla/APKBUILD
index 1366f11ed0..bbe4dd83d9 100644
--- a/main/linux-vanilla/APKBUILD
+++ b/main/linux-vanilla/APKBUILD
@@ -2,7 +2,7 @@
_flavor=vanilla
pkgname=linux-${_flavor}
-pkgver=4.9.73
+pkgver=4.9.75
case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=$pkgver;;
@@ -174,11 +174,11 @@ dev() {
sha512sums="bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a linux-4.9.tar.xz
5373728be2b507c3db5e042e1d768740df7965078868afdc46418b1adc4cae3d8f9f1aedb59975a0f2acf8754340499354fcf97c503397a5d9886ccc9689b782 0001-HID-apple-fix-Fn-key-Magic-Keyboard-on-bluetooth.patch
-d552c5ab3b128cb1b4185aaa3ed27cd92070c2ba5f414747730c1915da432d1f930f81543737b902771967b02da8b41374d8b39518e5443aeaadeaa28153ae36 config-vanilla.aarch64
-8db3d9029dffc972d881ffdccbb6afcc02cdb5ccf6a571634e1c1b72552617903ee3e1c87b8971ef1c7143c0ddfcb8e1f21b45c68afeef88d5ff36bb768c8c96 config-vanilla.armhf
-6e1d79ebd2113e02881aec39eb4d243761d78be9c736b0ce5ddf1721e65d411a17c866c9f5f9a253e46017d6e7c0b93b7220233780e46e18e29de705f2e543f7 config-vanilla.x86
-0a283ad25b8e0242e9904c8737d2fef9919faf8f4aa9bb3ffc65a9e144ba5d2e37dddf17b68cd9d717d73993b340634361b9a1354bb01207f2f668c73addc751 config-vanilla.x86_64
-ee565e219530bcfaf5cade2622432cfb83743bdbbfc388781901461f19ca553b7fdee3c81ce6b34225ef78a209eb60088630284fcbb0430947aad77a5d8a0865 config-vanilla.ppc
-faf5216f916946025041c5b8ffacce2586c88c7d796c17fb9762a8a58986dce7e923a7eb7a413cbd830afef022b18c40b25f4dcd4c9c81253c9aa3e98001b2b0 config-vanilla.ppc64le
-26969c1ed93cb88a8b12330a2984954d6c20ef973ef619cf92c0543ab075f4e3342c7d6275ccecd475c5b6129ccfdd6054b41f504bd82e14eb9cefbd74aa1b90 config-vanilla.s390x
-ae0149e43bcbdd496ce304ae6db84dd6d2f7315a84ef6b7d9b2f292f8b7ac8fe9f2a8406655402e832f0ad85828dfe635ac6207333530a95265c281faa6a973d patch-4.9.73.xz"
+cdefa950e81b3e4f810210243393841849adc08050e28f2abdc9ac34ec1421aa54b52e08272f990b3f8b10d1e6b9a307f4732d1d55ec838c5271937449fe9cfc config-vanilla.aarch64
+b74f8be311d63db0740439345b0ef10fa8a7faf147b3702a29276d872ebdbe21cc17947201fe12caf26ecb67f40425599357a58e52a5f4cc6a8d652c7cf02a27 config-vanilla.armhf
+c73b3d4cae161d6795b0f9b2bf3cc31530177bb33f69ca6e61b0033dd390206f59781875960199057bfcfcef56993b591da3be69beed9d9e628ec56e00bd89fb config-vanilla.x86
+7724c1777f8072d08ec061aa6ad664399de5405c55d8c0f927a818c431b1f11bd57132267a6220ed89e6d8083208f3d5011e2150346de994f7f141de16e7106c config-vanilla.x86_64
+6ab7c375581d0d4b98aa4c8f52060fc2f3f6ffb2de39cb10504e6d82696ba6d3231ac7c0874a9614878b7b4e262e59610edd822f5be74ca148beabc737574565 config-vanilla.ppc
+fdc815e1de1a8d25b45d3c40caeacb768d2930d3bef8a8914d164cf072712bf77a09ba36636838d6055357bcb09ff033f0e06d9c467600eddccb886afa5a8096 config-vanilla.ppc64le
+4439818ef7e947614026159e76af56b311a00327f614a69fca96e9c143b3473190a161d7431576987278b95f288cf1a438c2b215b43f503fca2a40e544a54c0f config-vanilla.s390x
+4dbf9b7c6da142b63506542c0f1c5f0f3d4bb22c5291d4d99bcfc3945691ab5f969ce16b1d1a30553ba002feb3de66a9c39c1cf9c51a6c315e8820bc8853d221 patch-4.9.75.xz"
diff --git a/main/linux-vanilla/config-vanilla.aarch64 b/main/linux-vanilla/config-vanilla.aarch64
index cef31f02d9..32345b96cb 100644
--- a/main/linux-vanilla/config-vanilla.aarch64
+++ b/main/linux-vanilla/config-vanilla.aarch64
@@ -6752,6 +6752,7 @@ CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
diff --git a/main/linux-vanilla/config-vanilla.armhf b/main/linux-vanilla/config-vanilla.armhf
index 3f84285fda..08ad78f912 100644
--- a/main/linux-vanilla/config-vanilla.armhf
+++ b/main/linux-vanilla/config-vanilla.armhf
@@ -5568,6 +5568,7 @@ CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=n
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
diff --git a/main/linux-vanilla/config-vanilla.ppc b/main/linux-vanilla/config-vanilla.ppc
index 172a8c1665..43560bd0a8 100644
--- a/main/linux-vanilla/config-vanilla.ppc
+++ b/main/linux-vanilla/config-vanilla.ppc
@@ -3231,6 +3231,7 @@ CONFIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=n
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
diff --git a/main/linux-vanilla/config-vanilla.ppc64le b/main/linux-vanilla/config-vanilla.ppc64le
index 80f93a3f7e..42b6a9b861 100644
--- a/main/linux-vanilla/config-vanilla.ppc64le
+++ b/main/linux-vanilla/config-vanilla.ppc64le
@@ -3554,6 +3554,7 @@ CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=n
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
diff --git a/main/linux-vanilla/config-vanilla.s390x b/main/linux-vanilla/config-vanilla.s390x
index b10273bb67..dce2540320 100644
--- a/main/linux-vanilla/config-vanilla.s390x
+++ b/main/linux-vanilla/config-vanilla.s390x
@@ -2725,6 +2725,7 @@ CONFIG_ENCRYPTED_KEYS=y
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=n
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
diff --git a/main/linux-vanilla/config-vanilla.x86 b/main/linux-vanilla/config-vanilla.x86
index 268987e0cb..39d03c67b9 100644
--- a/main/linux-vanilla/config-vanilla.x86
+++ b/main/linux-vanilla/config-vanilla.x86
@@ -6654,6 +6654,7 @@ CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
diff --git a/main/linux-vanilla/config-vanilla.x86_64 b/main/linux-vanilla/config-vanilla.x86_64
index 5154e33298..ff573f97f6 100644
--- a/main/linux-vanilla/config-vanilla.x86_64
+++ b/main/linux-vanilla/config-vanilla.x86_64
@@ -6701,6 +6701,7 @@ CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
+CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
--
2.15.0
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---