------- Comment From martin.schwidef...@de.ibm.com 2018-04-11 12:11 EDT-------
> Cherry picked the auto-detection patches into bionic, set
> CONFIG_EXPOLINE_AUTO=y and CONFIG_KERNEL_NOBP=n.

You sure are quick.. Unfortunately there is a bug in the auto-detection which is solved by a patch I created today. It can be found on the s390/linux:features branch on kernel.org:

https://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git/commit/?h=features&id=6a3d1e81a434fc311f224b8be77258bafc18ccc6

I plan to send a please-pull for this by the end of the week.

https://bugs.launchpad.net/bugs/1762719

Title:
  System Z {kernel} UBUNTU18.04 wrong kernel config

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in linux package in Ubuntu:
  Fix Committed

Bug description:
  Kernel config 4.15.0-13-generic #14 (and same for 4.15.0-15-generic) is not OK, because both security mechanisms nobp AND expoline are enabled:

  CONFIG_KERNEL_NOBP=y
  CONFIG_EXPOLINE=y
  # CONFIG_EXPOLINE_OFF is not set
  # CONFIG_EXPOLINE_MEDIUM is not set
  CONFIG_EXPOLINE_FULL=y

  If the kernel is compiled with a gcc that can generate expoline thunks the correct config is as follows:

  # CONFIG_KERNEL_NOBP is not set
  CONFIG_EXPOLINE=y
  # CONFIG_EXPOLINE_OFF is not set
  # CONFIG_EXPOLINE_MEDIUM is not set
  CONFIG_EXPOLINE_FULL=y

  Alternatively the auto-detection patch can be used which is upstream as of today:

  commit 6e179d64126b909f0b288fa63cdbf07c531e9b1d
      s390: add automatic detection of the spectre defense

      Automatically decide between nobp vs. expolines if the spectre_v2=auto
      kernel parameter is specified or CONFIG_EXPOLINE_AUTO=y is set.

      The decision made at boot time due to CONFIG_EXPOLINE_AUTO=y being set
      can be overruled with the nobp, nospec and spectre_v2 kernel parameters.

  If this patch is used, then the correct config is

  # CONFIG_KERNEL_NOBP is not set
  CONFIG_EXPOLINE=y
  # CONFIG_EXPOLINE_OFF is not set
  CONFIG_EXPOLINE_AUTO=y
  # CONFIG_EXPOLINE_FULL is not set

  This patch goes together with three others, so a total of four patches would be needed for the latest-and-greatest solution:

  b2e2f43a01bace1a25bdbae04c9f9846882b727a
  6e179d64126b909f0b288fa63cdbf07c531e9b1d
  bc035599718412cfba9249aa713f90ef13f13ee9
  d424986f1d6b16079b3231db0314923f4f8deed1
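
An added example, not part of the bug report or of any Ubuntu or IBM tooling: a POSIX shell check that classifies a kernel config file against the three configurations quoted in the bug description. The function names, verdict strings and exit codes are assumptions of this example, and the sample configs are constructed from the option lines in the report.

```shell
#!/bin/sh
# Added example: names, verdict strings and exit codes are assumptions.

# Print "y" if option $2 is set to y in config file $1, else "n".
# "# CONFIG_FOO is not set" and a missing line both count as "n".
cfg_is_y() {
    if grep -q "^$2=y\$" "$1"; then echo y; else echo n; fi
}

# Classify config file $1. Exit status: 0 = a configuration the report
# calls correct, 1 = the reported conflict, 2 = not covered by the report.
check_s390_spectre_config() {
    nobp=$(cfg_is_y "$1" CONFIG_KERNEL_NOBP)
    expo=$(cfg_is_y "$1" CONFIG_EXPOLINE)
    auto=$(cfg_is_y "$1" CONFIG_EXPOLINE_AUTO)
    full=$(cfg_is_y "$1" CONFIG_EXPOLINE_FULL)
    if [ "$nobp" = y ] && [ "$expo" = y ]; then
        echo "conflict: KERNEL_NOBP and EXPOLINE both enabled"; return 1
    elif [ "$expo" = y ] && [ "$auto" = y ]; then
        echo "ok: expoline with boot-time auto-detection"; return 0
    elif [ "$expo" = y ] && [ "$full" = y ]; then
        echo "ok: expoline full, nobp off"; return 0
    fi
    echo "unknown: not one of the configurations in the report"; return 2
}

# Constructed sample configs built from the option lines in the report.
write_sample() {
    case $1 in
    shipped) printf '%s\n' 'CONFIG_KERNEL_NOBP=y' 'CONFIG_EXPOLINE=y' \
                 'CONFIG_EXPOLINE_FULL=y' ;;
    full)    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' \
                 'CONFIG_EXPOLINE=y' 'CONFIG_EXPOLINE_FULL=y' ;;
    auto)    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' \
                 'CONFIG_EXPOLINE=y' 'CONFIG_EXPOLINE_AUTO=y' \
                 '# CONFIG_EXPOLINE_FULL is not set' ;;
    esac > "$2"
}

tmp=$(mktemp -d)
for s in shipped full auto; do
    write_sample "$s" "$tmp/$s"
    printf '%s: ' "$s"
    check_s390_spectre_config "$tmp/$s" || true
done
rm -rf "$tmp"
```

On an installed system the same function can be pointed at `/boot/config-$(uname -r)`.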