On Sat, Jan 06, 2018 at 09:20:50PM +0800, Alex Vong wrote:
> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all Intel CPUs were
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf).
> What should I do right now to patch my laptop?

### What to do now ###

Assuming you are running GuixSD, do this as root to update your kernel:

# guix pull && guix system reconfigure path/to/config.scm && reboot

If you are running another distro, update the kernel in the normal way.
Take any updates to your web browser packages on that distro.

### Who is affected? ###

I'd like to clarify that these issues are not limited to Intel CPUs. They
affect any CPU that executes out-of-order, which is almost all of them for
several years now. Some of the very slow and simple ARM CPUs execute
in-order and are not affected. Please consult the chip makers for more
detail.

### Guix status ###

The CPU makers are issuing microcode updates as a hardware-level
mitigation, but I don't think we'll be providing those in Guix.

The first mitigations available in Guix are in the kernel.

We got the initial mitigation for Meltdown, Linux page table isolation
(KPTI), in linux-libre 4.14.11 on January 3:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=10db5e98ed7036e873060501462345c37fe2855c

Last night we got KPTI for the 4.4 and 4.9 kernel series, in 4.4.110 and
4.9.75, respectively. At the same time, we made 4.14.12 available, which
has some changes to KPTI in that kernel:

4.4.110:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=630437d94eeeae52586ab2362aa4273e0424cdf3

4.9.75:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f2462bc3662733801d7df7c532c1d8b0c67b3c18

4.14.12:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=af3f7f22f43fbbdca9bdc00afc476dd2ac86c017

The primary Linux stable kernel maintainer, Greg Kroah-Hartman, has more
details about these problems, what Linux is doing about them, and what
you can expect from them next:

http://kroah.com/log/blog/2018/01/06/meltdown-status/

The Spectre bugs have to be fixed per-application for now. As far as I
know, we haven't made any related changes to packages besides
linux-libre. Mozilla has released an update that is supposed to mitigate
the vulnerability, but I don't know if they'll be porting it back to the
extended support release that Icecat is based on.
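After reconfiguring and rebooting as described in the message above, a practitioner will want to confirm that the running kernel actually carries KPTI. The script below is an added example for this thread, not code from the mail or from Guix. It checks two things: whether `uname -r` reports a version at or above the first linux-libre release with KPTI named in the message for its stable series (4.4.110, 4.9.75, 4.14.11), and whether /proc/cpuinfo lists the `pti` flag (or `kaiser`, the name the 4.4/4.9 backports used). The version table and the flag names are assumptions taken from the message and from the kernel source of that period; other kernel series are reported as not covered rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the original mail: verify that the running
# kernel carries the KPTI (Meltdown) mitigation discussed in the thread.

# kernel_has_kpti_fix VERSION
# Returns 0 when VERSION (as printed by `uname -r`, e.g. 4.14.12-gnu) is at
# or above the first linux-libre release with KPTI for its stable series,
# as listed in the mail: 4.4.110, 4.9.75, 4.14.11. Any other series returns
# 1, meaning "not covered by this table", not "vulnerable".
kernel_has_kpti_fix() {
    ver=${1%%-*}                # drop "-gnu" or other distro suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;         # "4.14" with no patch level
    esac
    patch=${patch%%[!0-9]*}     # strip anything after the first non-digit
    patch=${patch:-0}
    case "$major.$minor" in
        4.4)  need=110 ;;
        4.9)  need=75 ;;
        4.14) need=11 ;;
        *)    return 1 ;;       # series not in the mail's table
    esac
    [ "$patch" -ge "$need" ]
}

# cpuinfo_has_pti < /proc/cpuinfo
# Returns 0 when the "flags" line carries the pti flag (kaiser on the
# 4.4/4.9 backports), which the kernel exports once page table isolation
# is enabled. The flag must stand alone as a word, so "xpti" does not match.
cpuinfo_has_pti() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](pti|kaiser)([[:space:]]|$)'
}

# report_system: run both checks against the live machine.
report_system() {
    kver=$(uname -r)
    if kernel_has_kpti_fix "$kver"; then
        echo "kernel $kver: at or above the first KPTI release for its series"
    else
        echo "kernel $kver: below the first KPTI release, or series not covered here"
    fi
    if [ -r /proc/cpuinfo ] && cpuinfo_has_pti < /proc/cpuinfo; then
        echo "cpuinfo: pti/kaiser flag present, page table isolation is active"
    else
        echo "cpuinfo: no pti/kaiser flag, page table isolation is not active"
    fi
}

# Only touch the live system when asked, so the functions can be sourced
# and exercised on constructed input without side effects.
if [ "${1:-}" = "--live" ]; then
    report_system
fi
```

Run it as `sh check-kpti.sh --live` after the reboot. A kernel that passes the version check but shows no `pti` flag is worth investigating: KPTI can be disabled at boot, and a version number alone does not prove the mitigation is on.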