On Wednesday, 31 January 2018 12:20:51 GMT Nikos Chantziaras wrote:
> On 31/01/18 14:04, Mick wrote:
> > Just to dilute my confusion on what I should do to keep desktops safe(r),
> > would someone please clarify:
> > 
> > Is it necessary to keyword gcc 7.3 + kernel 4.15 and emerge kernel 4.15
> > with gcc 7.3, or wait until these versions have been stabilised in the
> > tree?
> > 
> > What gcc version shall I use to update @world from then on?
> > 
> > PS. Some desktops are Intel, some are AMD and I also have 3-4 devices with
> > ARM in them ...
> 
> At the moment, you do need GCC 7.3. However, there is talk about these
> new flags being ported to GCC 6 and possibly even older versions.
> 
> As for the kernel, you don't need 4.15. 4.14 is the latest LTS kernel,
> and it has the needed patches. I think 4.9 (the previous LTS kernel) has
> them too.
> 
> Currently, once you enable CONFIG_RETPOLINE in the kernel config and
> rebuild with GCC 7.3, you should have all currently available kernel
> mitigations. Which currently are:
> 
>    $ cat /sys/devices/system/cpu/vulnerabilities/*
>    Mitigation: PTI
>    Vulnerable
>    Mitigation: Full generic retpoline
> 
> However, improvements to these mitigations will from now on happen for
> kernel 4.16 first and backported later. 4.16 for example got mitigations
> for ARM. It's how kernel upstream works; new stuff is done in the
> current development version, and backported later to still supported
> versions.

Thanks Nikos, I'm presently on 4.14.14, so I can update this to 4.14.15 and
compile it with gcc-7.3; then pick up future improvements as part of
gentoo-sources updates when kernels start being marked as stable.

-- 
Regards,
Mick
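A small check for the status files Nikos cats in his reply, as an added example that is not code from the thread or from Gentoo: it labels each file under /sys/devices/system/cpu/vulnerabilities/ (a plain `cat *` hides which line belongs to which file), counts the entries still reported Vulnerable, and tests a kernel config for CONFIG_RETPOLINE=y. The sample directory and its contents are constructed to reproduce the three lines quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: label the per-vulnerability status
# files under /sys/devices/system/cpu/vulnerabilities/, count entries still
# reported Vulnerable, and check a kernel config for CONFIG_RETPOLINE=y.
# The sample file names and contents below are constructed to match the
# three lines quoted in the message.

VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# list_mitigations DIR: print "name: status" for every readable file in DIR
list_mitigations() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        printf '%-12s %s\n' "$(basename "$f"):" "$(cat "$f")"
    done
}

# count_vulnerable DIR: print how many entries start with "Vulnerable"
# (0 means every listed issue is mitigated or the CPU is not affected)
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# retpoline_enabled CONFIG: succeed only if CONFIG_RETPOLINE=y is set in the
# given kernel config (a .config file, or a decompressed /proc/config.gz)
retpoline_enabled() {
    grep -q '^CONFIG_RETPOLINE=y$' "$1"
}

# make_sample_dir: constructed stand-in for sysfs that reproduces the quoted
# output (meltdown: PTI, spectre_v1: Vulnerable, spectre_v2: retpoline)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Stand-alone run: use the live sysfs directory when present, else the sample
[ -d "$VULN_DIR" ] || VULN_DIR=$(make_sample_dir)
list_mitigations "$VULN_DIR"
echo "still vulnerable: $(count_vulnerable "$VULN_DIR")"
```

On a live box the count drops only as the kernel gains mitigations, so the same script rerun after a gentoo-sources update shows what the new kernel actually changed.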
