~alpine/devel

[alpine-devel] linux kernel packages and meltdown/spectre

William Pitcock <nenolod@dereferenced.org>
Details
Message ID
<CA+T2pCEFBso4ZsDjyKzZXJJ9wO6t_0ap_5LP2tNb3NqJ3Chcpw@mail.gmail.com>
Sender timestamp
1515643264
DKIM signature
missing
Download raw message
Hello,

We have received many inquiries about what our plans are for Meltdown
and Spectre.

Specifically, we have received many questions about timelines for
deploying the "KPTI" backports to our own kernel images by upgrading
to latest 4.4 and 4.9 stable kernels.

We have been working on this, but have discovered that there were
serious reliability patches with these "backports", largely because in
reality the mitigation "backported" was actually a derivative of an
earlier mitigation called KAISER.  We have observed that KAISER had
major reliability issues in private testing of the new kernels.

Natanael recently pushed 4.9.76 linux-vanilla kernel to edge for
public testing and that also verified that there were still
regressions in the release that was supposed to fix the regressions in
4.9.75.  Accordingly, we are lead to believe that the situation is not
likely to get better with trying to fix KAISER any time soon.  In
addition, it was posted to Hacker News that KAISER has severe design
defects that neither the real KPTI or unpatched kernels have[1].

As such, for vanilla our plan is to upgrade all kernels to 4.14.13
which have the real KPTI mitigation.  This has already been done in
edge, please test the -vanilla kernel if you can!

We are still working out the specifics of how to handle
linux-hardened, but current research indicates that changes to PaX
will be required to do the same style of mitigation.  As we are
incapable of doing these changes ourselves at this time, we are
planning to migrate linux-hardened users to linux-vanilla in a future
update.  We are presently working out the exact plans to do this, as
well as to introduce missing modules and kernel variants (-virt kernel
profile) that are missing in linux-vanilla.

Once linux-vanilla is at feature parity (in terms of modules and
kernel variants offered) we will do this transition in edge.  After
the transition plan is proven stable in edge, we will push it to the
supported releases.

A common question is whether or not we will be keeping the
linux-hardened and linux-grsec packages themselves around in the
release branches.  At present we have not made this conclusion.  The
reality, however, is that backporting security fixes to the hardened
kernel is now a lot more difficult due to the introduction of KAISER
as a mitigation in the LTS branches, so most likely we will drop it
since we feel it would be irresponsible to carry a package that has
known vulnerabilities while also claiming it has enhanced security
features.

William

[1]: https://news.ycombinator.com/item?id=16087736


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)