Bug 12374 - CONFIG_RETPOLINE is disabled on aarch64 and armv5tel
Summary: CONFIG_RETPOLINE is disabled on aarch64 and armv5tel
Status: CLOSED ERRATA
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified All
Importance: Will only affect a few users, Security
Assignee: Peter Müller
Blocks: KERNSEC
Reported: 2020-04-14 15:39 UTC by Peter Müller
Modified: 2022-07-28 13:58 UTC

Description Peter Müller 2020-04-14 15:39:26 UTC
Quote from https://capsule8.com/blog/kernel-configuration-glossary/:

> Significance: High
> 
> Compile kernel with the retpoline compiler options to guard against
> kernel-to-user data leaks by avoiding speculative indirect branches. Requires
> a compiler with -mindirect-branch=thunk-extern support for full protection.
> The kernel may run slower. (duh!)

Comment 1 Peter Müller 2020-06-09 17:24:52 UTC
https://patchwork.ipfire.org/patch/3173/

Comment 2 Peter Müller 2022-07-28 13:58:32 UTC
Retpoline is not available on any architecture besides x86. Silly me.