On Fri, 2024-06-14 at 14:07 +0200, Maite Gamper wrote:
> Hello,
>
> On 09.06.24 16:21, Ansgar 🙀 wrote:
[...]
> > As I said before
> > (https://lists.debian.org/debian-devel/2024/05/msg00302.html):
> >
> > If you look at https://release.debian.org/testing/arch_qualify.html
> > there are at least several things that can be done:
> >
> > 1. Add CPU security mitigations to Linux kernel.
>
> CPU mitigations exist in the PAE kernel that is at least supported on an
> Intel Pentium PRO (and on Pentium M's with forcepae, to my knowledge).
[...]
You're thinking about the NX or XD bit, which was introduced with AMD64 but is also supported by some later 32-bit-only CPUs. But I believe Ansgar was referring to mitigation of speculative execution vulnerabilities. Mitigations in the Linux kernel usually require assembly-language code that is written for 64-bit mode and would require extra work (that does not happen) to cover 32-bit builds as well. While "Meltdown" was eventually mitigated in 32-bit builds, that change was never backported in stable updates, so Debian 8 and 9 on i386 remained vulnerable.

However, these vulnerabilities aren't only a problem for i386. Many speculative execution mitigations depend at least partly on updated microcode which can only be provided by the manufacturer. CPU support lifetimes can be quite short; for example compare the Launch Date and End of Servicing Updates Date on <https://ark.intel.com/content/www/us/en/ark/products/189122/intel-core-i7-9800x-x-series-processor-16-5m-cache-up-to-4-50-ghz.html>. (I can't find similar published information from AMD but there's a vague general statement at the bottom of <https://www.amd.com/en/resources/product-security/support-policy.html>.)

I also don't think these vulnerabilities are likely to be a practical concern for people using 32-bit-only CPUs. But we definitely should discourage users from using i386 kernel packages on 64-bit-capable hardware, if we don't drop them entirely. I keep meaning to implement a boot-time warning about that...

Ben.

--
Ben Hutchings
Never put off till tomorrow what you can avoid all together.
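As an added example (not code from the thread or from Debian's kernel packaging), the following POSIX shell script does from user space what Ben's proposed boot-time warning would do: it checks whether a 32-bit x86 kernel is running on a CPU that advertises 64-bit long mode (the `lm` flag in `/proc/cpuinfo`), and it summarises what the running kernel reports under `/sys/devices/system/cpu/vulnerabilities`. The function names, the `--live` switch and the sample sysfs contents are my own constructions; the sysfs file names used in the demo are real entries, but their contents here are made up.

```shell
#!/bin/sh
# Added example, not from the thread: a user-space version of the check Ben
# describes. It flags a 32-bit (i386) kernel running on a CPU that advertises
# 64-bit long mode ("lm" in the /proc/cpuinfo flags line) and summarises what
# the kernel reports under /sys/devices/system/cpu/vulnerabilities. Inputs are
# passed as parameters so the functions can be exercised with constructed data.

# check_kernel_vs_cpu FLAGS_LINE MACHINE
#   FLAGS_LINE - the "flags : ..." line from /proc/cpuinfo
#   MACHINE    - output of `uname -m`
# Returns 1 (and prints a warning) when a 32-bit x86 kernel runs on a CPU
# that reports long mode; returns 0 otherwise.
check_kernel_vs_cpu() {
    flags_line=$1
    machine=$2
    has_lm=0
    # Pad with spaces so "lm" is matched only as a whole flag name.
    case " $flags_line " in
        *" lm "*) has_lm=1 ;;
    esac
    case "$machine" in
        i?86)
            if [ "$has_lm" -eq 1 ]; then
                echo "WARNING: 32-bit kernel ($machine) on a 64-bit-capable CPU; speculative-execution mitigations target 64-bit builds, boot an amd64 kernel"
                return 1
            fi
            echo "OK: 32-bit kernel on a CPU without long mode"
            return 0
            ;;
        x86_64)
            echo "OK: 64-bit kernel"
            return 0
            ;;
        *)
            echo "INFO: machine type $machine is not x86; check not applicable"
            return 0
            ;;
    esac
}

# count_vulnerable DIR
#   DIR - a directory laid out like /sys/devices/system/cpu/vulnerabilities:
#         one file per issue whose content starts with "Not affected",
#         "Mitigation: ..." or "Vulnerable...".
# Prints one "name: status" line per file to stderr and the number of entries
# still reported as Vulnerable to stdout.
count_vulnerable() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
        echo "$(basename "$f"): $status" >&2
    done
    echo "$n"
}

# Demo with constructed data: the flags line and the sysfs file contents are
# made up for this example; real systems report their own strings.
demo() {
    check_kernel_vs_cpu "flags : fpu vme de pse tsc msr pae nx lm" "i686" || true
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Mitigation: Retpolines\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/mds"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$d/tsx_async_abort"
    echo "constructed sysfs dir: $(count_vulnerable "$d") entries still vulnerable"
    rm -rf "$d"
}

# Run against the live system with --live; otherwise show the demo.
if [ "${1:-}" = "--live" ]; then
    check_kernel_vs_cpu "$(grep -m1 '^flags' /proc/cpuinfo)" "$(uname -m)" || true
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        echo "live system: $(count_vulnerable /sys/devices/system/cpu/vulnerabilities) entries still vulnerable"
    fi
else
    demo
fi
```

Run it with `sh check.sh --live` on a Debian i386 install to see whether the machine would get Ben's warning; without arguments it only exercises the constructed data. Note that a `Mitigation:` line in sysfs says the kernel applied something, not that the microcode part Ben mentions is present, so a `Vulnerable: ... no microcode` entry is the case to look for on hardware past its vendor's servicing window.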