Qubes Kernel with Retpoline and IBRS patches
103 views
Skip to first unread message
Reg Tiangha
Jan 13, 2018, 1:15:19 PM1/13/18
to qubes...@googlegroups.com
Hey everyone,
I managed to get the Retpoline and IBRS kernel patches off the LKML
working on Qubes (I also included the Linux-Hardened Project patches in
there too), so I figured I'd share my work. I have a branch here for
anyone that wants to play around with it:
https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.14-hard
I also included instructions on how to backport a Retpoline-enabled gcc
version to Fedora 25, but it should build fine using the standard Fedora
25 toolchain as well.
For now, the Retpoline patches are at version 6, and the IBRS patches
are at version 3. There is a version 8 of the Retpoline patches, but it
patches against and relies on a few functions that are only present in
the 4.15 branch at the moment, so I wasn't comfortable in trying to
backport things, especially if that functionality will eventually appear
in a future version of 4.14.
I'm just providing it as-is with no guarantees of support as things may
no longer be compatible as kernel versions increase and I don't have
much volunteer time to work on this and troubleshoot if things break.
But if I do find updated working combinations, I'll update the branch
accordingly (this is mainly for myself so I'm the guinea pig).
- Reg
I managed to get the Retpoline and IBRS kernel patches off the LKML
working on Qubes (I also included the Linux-Hardened Project patches in
there too), so I figured I'd share my work. I have a branch here for
anyone that wants to play around with it:
https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.14-hard
I also included instructions on how to backport a Retpoline-enabled gcc
version to Fedora 25, but it should build fine using the standard Fedora
25 toolchain as well.
For now, the Retpoline patches are at version 6, and the IBRS patches
are at version 3. There is a version 8 of the Retpoline patches, but it
patches against and relies on a few functions that are only present in
the 4.15 branch at the moment, so I wasn't comfortable in trying to
backport things, especially if that functionality will eventually appear
in a future version of 4.14.
I'm just providing it as-is with no guarantees of support as things may
no longer be compatible as kernel versions increase and I don't have
much volunteer time to work on this and troubleshoot if things break.
But if I do find updated working combinations, I'll update the branch
accordingly (this is mainly for myself so I'm the guinea pig).
- Reg
Frédéric Pierret (fepitre)
Jan 14, 2018, 5:18:34 AM1/14/18
to qubes-devel
Thank you for your work. I'm also interested for my own work. Have you tested yourself the patches against a Spectre POC code?
Thank you again.
Frédéric
Reg Tiangha
Jan 14, 2018, 8:18:04 AM1/14/18
to qubes...@googlegroups.com
haven't had much time to test anything beyond some light regular usage.
But if one were to do this to themselves, they'd probably want to
compile the kernel with a retpoline-enabled version of gcc since not
doing so would only guard against one attack in one particular way (I
read what kind in an article somewhere but I've forgotten what it was)
and not everything it's supposed to guard against. So make sure to do
that first before testing any POC code.
Reg Tiangha
Jan 15, 2018, 12:15:59 AM1/15/18
to qubes...@googlegroups.com
I'm guessing that official support will be backported to 4.14 sooner
than I thought. No word yet on the IBRS patches, though. Regardless,
I'll keep an eye on this and will try to continue to update this branch
until it looks like everything important is merged in.
https://lwn.net/Articles/744305/
Reply all
Reply to author
Forward
0 new messages