From: Leo Famulari
Subject: Meltdown / Spectre
Date: Sat, 6 Jan 2018 12:43:58 -0500
Message-ID: <20180106174358.GA28436@jasmine.lan>
In-Reply-To: <874lnzcedp.fsf@gmail.com>
To: Alex Vong
Cc: development@libreboot.org, guix-devel@gnu.org

On Sat, Jan 06, 2018 at 09:20:50PM +0800, Alex Vong wrote:
> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all Intel CPUs were
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf).
> What should I do right now to patch my laptop?

### What to do now ###

Assuming you are running GuixSD, do this as root to update your kernel:

    # guix pull && guix system reconfigure path/to/config.scm && reboot

If you are running another distro, update the kernel in the normal way.
Take any updates to your web browser packages on that distro.

### Who is affected? ###

I'd like to clarify that these issues are not limited to Intel CPUs. They
affect any CPU that executes out-of-order, which is almost all of them for
several years now. Some of the very slow and simple ARM CPUs execute
in-order and are not affected. Please consult the chip makers for more
detail.

### Guix status ###

The CPU makers are issuing microcode updates as a hardware-level
mitigation, but I don't think we'll be providing those in Guix.

The first mitigations available in Guix are in the kernel.

We got the initial mitigation for Meltdown, Linux page table isolation
(KPTI), in linux-libre 4.14.11 on January 3:

https://git.savannah.gnu.org/cgit/guix.git/commit/?id=10db5e98ed7036e873060501462345c37fe2855c

Last night we got KPTI for the 4.4 and 4.9 kernel series, in 4.4.110 and
4.9.75, respectively. At the same time, we made 4.14.12 available, which
has some changes to KPTI in that kernel:

4.4.110:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=630437d94eeeae52586ab2362aa4273e0424cdf3

4.9.75:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=f2462bc3662733801d7df7c532c1d8b0c67b3c18

4.14.12:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=af3f7f22f43fbbdca9bdc00afc476dd2ac86c017

The primary Linux stable kernel maintainer, Greg Kroah-Hartman, has more
details about these problems, what Linux is doing about them, and what you
can expect from them next:

http://kroah.com/log/blog/2018/01/06/meltdown-status/

The Spectre bugs have to be fixed per-application for now. As far as I
know, we haven't made any related changes to packages besides linux-libre.
Mozilla has released an update that is supposed to mitigate the
vulnerability but I don't know if they'll be porting it back to the
extended support release that Icecat is based on.
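As an added check, not part of the mail above and not Guix project code, here is a POSIX shell script that tells you whether a kernel release string is at or past the linux-libre versions named in the mail as carrying KPTI (4.4.110, 4.9.75, 4.14.11), and whether the running x86 kernel lists a "pti" CPU flag. The mail says nothing about that flag; that KPTI-enabled x86 kernels expose "pti" in /proc/cpuinfo is an assumption of this example, as are the function names.

```sh
#!/bin/sh
# Added example, not from the mail: compare a kernel release against the
# linux-libre versions the mail names as carrying KPTI (Meltdown mitigation),
# and look for the "pti" CPU flag (assumed, on x86, to mean KPTI is active).

# version_ge A B: succeed if dotted version A is >= B (a "-gnu" suffix is ignored).
version_ge() {
    a=${1%%-*}; b=${2%%-*}; i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kpti_fixed_version REL: 0 = release carries KPTI per the mail, 1 = older
# release of a covered series (update), 2 = a series the mail does not cover.
kpti_fixed_version() {
    v=${1%%-*}
    case "$(echo "$v" | cut -d. -f1,2)" in
        4.4)  min=4.4.110 ;;
        4.9)  min=4.9.75 ;;
        4.14) min=4.14.11 ;;
        *)    return 2 ;;
    esac
    version_ge "$v" "$min"
}

# pti_flag_present FILE: succeed if the first "flags" line of a cpuinfo-style
# file lists "pti". Assumption: KPTI-enabled x86 kernels expose this flag.
pti_flag_present() {
    [ -r "$1" ] || return 1
    grep '^flags' "$1" | head -n 1 | tr ' ' '\n' | grep -qx pti
}

# Report on the running kernel; always returns 0, the verdict is what it prints.
check_running_kernel() {
    rel=$(uname -r); rc=0
    kpti_fixed_version "$rel" || rc=$?
    case "$rc" in
        0) echo "kernel $rel: release carries KPTI" ;;
        1) echo "kernel $rel: older than its series' KPTI release, update now" ;;
        *) echo "kernel $rel: series not covered by the mail, see kroah.com post" ;;
    esac
    if pti_flag_present /proc/cpuinfo; then echo "pti flag present: KPTI active"
    else echo "pti flag absent: KPTI not active, or not an x86 kernel"; fi
}
check_running_kernel
```

The release check only covers the three series the mail discusses; for anything else it reports the series as uncovered rather than guessing.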