From: Mark H Weaver
Subject: Re: What do Meltdown and Spectre mean for libreboot x200 user?
Date: Sat, 06 Jan 2018 12:23:51 -0500
Message-ID: <87efn2j3yw.fsf@netris.org>
References: <874lnzcedp.fsf@gmail.com>
In-Reply-To: <874lnzcedp.fsf@gmail.com> (Alex Vong's message of "Sat, 06 Jan 2018 21:20:50 +0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Alex Vong
Cc: development@libreboot.org, guix-devel@gnu.org

Hi Alex,

Alex Vong writes:

> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all Intel CPUs were
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf). What should I do right now to patch my laptop?

I haven't yet had time to properly study this, but so far I'd strongly
recommend updating to linux-libre-4.14.12, which contains an important
mitigation called kernel page-table isolation (KPTI).
linux-libre-4.9.75 also contains backported mitigations, but I'm not
sure if they're as comprehensive.
Alan Cox also says that JavaScript can be used to remotely exploit these
vulnerabilities, so you should use the NoScript web browser extension if
you're not already doing so. Enable JavaScript only when you must. He
wrote:

  What you do need to care about _big_ _time_ is javascript because the
  exploit can be remotely used by javascript on web pages to steal stuff
  from your system memory. Mozilla and Chrome both have pending updates
  and some recommendations about protection. Also consider things like
  Adblockers and extensions like noscript that can stop a lot of junk
  running in the first place. Do that ASAP.

  https://plus.google.com/+AlanCoxLinux/posts/Z6inLSq4iqH

We (GNU Guix developers) should also start investigating how to deploy
the "Retpoline" mitigation technique, which apparently involves patching
our linker and recompiling our entire system with it, but it will take
some time to do that.

  https://support.google.com/faqs/answer/7625886

     Mark
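As an added example, written for this page and not part of the thread or of Guix: the check a user in Alex's position can run after updating, to confirm that the running kernel actually reports KPTI and the Spectre mitigations rather than trusting the version number. It reads the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (added in Linux 4.15 and backported to later 4.14.x and 4.9.x stable kernels) and, on a kernel that predates those files, falls back to the "pti" flag that the x86 KPTI code exports in /proc/cpuinfo. The function names are the example's own, and both paths are passed as arguments so the functions can be exercised against constructed sample files.

```sh
#!/bin/sh
# Added example, not from the original thread or from Guix: report the
# kernel-side Meltdown/Spectre mitigation state of a Linux machine.
#
# Sources, in order of preference:
#   1. /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
#      (Linux 4.15 and later, plus 4.14.x/4.9.x stable backports; older
#      kernels simply do not have the directory)
#   2. the "pti" flag in /proc/cpuinfo, which x86 kernels set once kernel
#      page-table isolation is active
# Both locations are parameters so the functions can also be run against
# constructed sample files.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities
CPUINFO=/proc/cpuinfo

# Print the kernel's status line for one vulnerability, e.g. "Mitigation: PTI",
# or "unknown" when the kernel does not provide the file.
# $1 = directory holding the sysfs files, $2 = vulnerability name
vuln_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "unknown"
    fi
}

# Classify a status line. Exit status: 0 mitigated, 1 vulnerable, 2 unknown.
classify() {
    case "$1" in
        "Not affected"|Mitigation:*) return 0 ;;
        Vulnerable*)                 return 1 ;;
        *)                           return 2 ;;
    esac
}

# Exit 0 if a /proc/cpuinfo-format file lists the "pti" CPU flag.
# $1 = path to the cpuinfo file
has_pti_flag() {
    grep -E '^flags[[:space:]]*:' "$1" 2>/dev/null | grep -qw pti
}

# Exit 0 when Meltdown is mitigated according to sysfs, or, on a kernel that
# predates the sysfs files, when the pti flag shows that KPTI is active.
# $1 = sysfs directory, $2 = cpuinfo file
meltdown_mitigated() {
    st=$(vuln_status "$1" meltdown)
    if [ "$st" != "unknown" ]; then
        classify "$st"
    else
        has_pti_flag "$2"
    fi
}

# Print one line per vulnerability plus a KPTI verdict; exit non-zero if any
# entry is not reported as mitigated (unknown counts as not mitigated).
# $1 = sysfs directory, $2 = cpuinfo file
report() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(vuln_status "$1" "$v")
        printf '%-10s %s\n' "$v" "$s"
        classify "$s" || rc=1
    done
    if meltdown_mitigated "$1" "$2"; then
        echo "KPTI: active"
    else
        echo "KPTI: not active or not reported; update the kernel"
    fi
    return $rc
}

# Live check of the machine the script runs on; its exit status is ignored
# here so that sourcing the file never aborts a caller.
report "$SYSFS_VULN_DIR" "$CPUINFO" || :
```

Run it as a plain sh script. A kernel too old to have the sysfs directory prints "unknown" for every entry, and the KPTI line then depends solely on the cpuinfo flag; once a retpoline-built kernel is running, that shows up in the spectre_v2 line.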