integ/kernel-std
Jim Somerville 50a9ff6df4 Kernel Upgrades for Meltdown and Spectre
The kernel is moved ahead to version 3.10.0-693.21.1.el7

To summarize:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
This is fixed by load fences and is "baked in" and cannot
be turned off.

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
This is fixed by a combination of retpolines and IBPB, or
IBRS+IBPB if on skylake.  This requires a microcode change in
the processors.  This feature, if on, has a significant performance
impact.  It is assumed on unless turned off via the
"nospectre_v2" bootarg.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
This is fixed by page table isolation using the Kaiser patches.
This feature is assumed on unless turned off via the
"nopti" bootarg.

As of the commit date, we have changed the installer kickstarts
to issue both "nopti nospectre_v2" bootargs to minimize realtime
impacts by default.  The customer will be able to optionally
sacrifice performance for extra security at datafill time.

Change-Id: Id7c99923f2ee2ee91f77c7bd9940e684eff8b476
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
2018-06-22 12:53:11 -04:00
..
centos Kernel Upgrades for Meltdown and Spectre 2018-06-22 12:53:11 -04:00
files StarlingX open source release updates 2018-05-31 07:36:35 -07:00