integ

History

Jim Somerville 50a9ff6df4 Kernel Upgrades for Meltdown and Spectre The kernel is moved ahead to version 3.10.0-693.21.1.el7 To summarize: CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1' This is fixed by load fences and is "baked in" and cannot be turned off. CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2' This is fixed by a combination of retpolines and IBPB, or IBRS+IBPB if on skylake. This requires a microcode change in the processors. This feature, if on, has a significant performance impact. It is assumed on unless turned off via the "nospectre_v2" bootarg. CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3' This is fixed by page table isolation using the Kaiser patches. This feature is assumed on unless turned off via the "nopti" bootarg. As of the commit date, we have changed the installer kickstarts to issue both "nopti nospectre_v2" bootargs to minimize realtime impacts by default. The customer will be able to optionally sacrifice performance for extra security at datafill time. Change-Id: Id7c99923f2ee2ee91f77c7bd9940e684eff8b476 Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>	2018-06-22 12:53:11 -04:00
..
centos	Kernel Upgrades for Meltdown and Spectre	2018-06-22 12:53:11 -04:00
files	StarlingX open source release updates	2018-05-31 07:36:35 -07:00

Jim Somerville 50a9ff6df4 Kernel Upgrades for Meltdown and Spectre

The kernel is moved ahead to version 3.10.0-693.21.1.el7

To summarize:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
This is fixed by load fences and is "baked in" and cannot
be turned off.

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
This is fixed by a combination of retpolines and IBPB, or
IBRS+IBPB if on skylake.  This requires a microcode change in
the processors.  This feature, if on, has a significant performance
impact.  It is assumed on unless turned off via the
"nospectre_v2" bootarg.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
This is fixed by page table isolation using the Kaiser patches.
This feature is assumed on unless turned off via the
"nopti" bootarg.

As of the commit date, we have changed the installer kickstarts
to issue both "nopti nospectre_v2" bootargs to minimize realtime
impacts by default.  The customer will be able to optionally
sacrifice performance for extra security at datafill time.

Change-Id: Id7c99923f2ee2ee91f77c7bd9940e684eff8b476
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>

2018-06-22 12:53:11 -04:00

centos

Kernel Upgrades for Meltdown and Spectre

2018-06-22 12:53:11 -04:00

files

StarlingX open source release updates

2018-05-31 07:36:35 -07:00