# checking if I have installed retpoline or not......

## mikefot

Dear All,

I am running gentoo testing on an amd kaveri box.

My kernel is 4.14.14.

I notice from looking at these two articles:

https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.9-4.14-Retpoline

and

https://www.neowin.net/news/retpoline-patch-coming-to-linux-49-and-linux-414

that I probably need at least gcc 7.3 or gcc 8.0 to make retpoline work at present.

I am currently running gcc 7.2.0.

Do I need to upgrade to 7.3 or higher?

Also, are KPTI and retpoline (perhaps we could call it "ratholine" if it escapes being installed too easily) automatically turned on in the kernel when you compile it (I guess they have added flags you would see somewhere when you run make menuconfig)?

People in the debian community are also looking at this issue.

Comments appreciated.

Regards

Michael Fothergill

----------

## ryszardzonk

The script from https://github.com/speed47/spectre-meltdown-checker is what you need.

----------

## mike155

> Do I need to upgrade to 7.3 or higher?

This is what you'll get with kernel 4.14.14 and GCC 6.4:

```
# cd /sys/devices/system/cpu/vulnerabilities/*
# for file in *; do echo "$file : $(tail -n1 $file)"; done
meltdown : Mitigation: PTI
spectre_v1 : Vulnerable
spectre_v2 : Vulnerable: Minimal generic ASM retpoline
```

And this is the output of kernel 4.14.14 compiled with GCC 7.3.0RC1:

```
# cd /sys/devices/system/cpu/vulnerabilities
# for file in *; do echo "$file : $(tail -n1 $file)"; done
meltdown : Mitigation: PTI
spectre_v1 : Vulnerable
spectre_v2 : Mitigation: Full generic retpoline
```

----------

## mikefot

Many thanks for the advice here.

I ran the kernel checker as follows:

```
djt /home/mikef/spectre-meltdown-checker # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities on current system
Kernel is Linux 4.14.14-gentoo #1 SMP Tue Jan 23 13:06:23 GMT 2018 x86_64
CPU is AMD A10-7850K Radeon R7, 12 Compute Cores 4C+8G

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Hardware support (CPU microcode)
    * Indirect Branch Restricted Speculation (IBRS)
      * SPEC_CTRL MSR is available:  NO
      * CPU indicates IBRS capability:  NO
    * Indirect Branch Prediction Barrier (IBPB)
      * PRED_CMD MSR is available:  NO
      * CPU indicates IBPB capability:  NO
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
djt /home/mikef/spectre-meltdown-checker #
```

I think I need to upgrade from gcc 7.2 to 7.3.

Cheers

MF

PS: The latest build for gcc that I can see here, https://packages.gentoo.org/packages/sys-devel/gcc, is 7.2.0-r1, which is what I am using.

How do you install 7.3?

By hand from the gcc folks?

i.e. no build file?

Cheers

OK, it's apparently coming soon:

https://www.phoronix.com/scan.php?page=news_item&px=GCC-7.3-In-January

----------

## NeddySeagoon

mikefot,

The kernel assembly code is fixed now.

The C code needs >=gcc-7.3.

gcc-7.3-rc2 is on the GNU site now. gcc-7.3 may be released on 25 Jan. It's unlikely to be in Gentoo then, but I'm sure the toolchain team know about it.

----------

## mikefot

Many thanks for all the suggestions here.

I think I will wait until a build file is created, either for 7.3 rc1 or 7.3 proper.

Installing gcc from a tar file sounds potentially untidy to me.

Doing it for a printer driver is OK I think, but for gcc I would prefer a build file.

In Debian sid you can now install gcc 7.3 rc1 as a deb file, I am told.

If you then use the Debian manual kernel compilation recipe they have, that should in theory also work for kernel 4.14.14, which I currently have.

So they are also moving toward solutions for this particular patch.

Cheers

MF

PS

I have noticed that an entry for gcc 7.3 has appeared on the gentoo gcc webpage:

https://packages.gentoo.org/packages/sys-devel/gcc

It is not listed as being ready as an amd64 version of the build, etc.

I tried doing the oneshot command and didn't see it.

What would be the command to emerge it?

Should I wait a little bit before trying?

----------

## Tony0945

Mikefot, some different results here with 4.14.15 and gcc 6.4.0

```
cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Vulnerable
Vulnerable: Minimal AMD ASM retpoline

uname -a
Linux gentoo.MsHome 4.14.15-gentoo #5 SMP Wed Jan 31 07:00:13 CST 2018 x86_64 AMD A8-7600 Radeon R7, 10 Compute Cores 4C+6G AuthenticAMD GNU/Linux
```

----------

## mikefot

Dear Tony,

Here is a comparison with gcc 7.2 and 7.3 compilations:

```
djt /home/mikef/spectre-meltdown-checker # cat /proc/version
Linux version 4.14.14-gentoo (root@djt) (gcc version 7.2.0 (Gentoo 7.2.0-r1)) #1 SMP Tue Jan 23 13:06:23 GMT 2018
```

Here is a useful bit of the output from the spectre patch checker:

```
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  VULNERABLE  (Vulnerable: Minimal AMD ASM retpoline)
```

As can be seen here, the compiler I used to create this kernel was not recent enough to make retpoline work.

Since I now have gcc 7.3 installed, I then ran it again to see if I could change the NO in

```
* Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
```

to YES.....

```
djt /home/mikef # cat /proc/version
Linux version 4.14.15-gentoo (root@djt) (gcc version 7.3.0 (Gentoo 7.3.0)) #1 SMP Tue Jan 30 16:22:47 GMT 2018
```

and now the spectre kernel checker says the following:

```
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Retpoline enabled:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)
```

Cheers

MF
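As an added example (not posted in this thread and not part of spectre-meltdown-checker), here is a small POSIX shell helper that reads the same /sys files shown above, flags the "Vulnerable: Minimal ... retpoline" state that a kernel built with GCC older than 7.3 reports, and extracts the compiler version from /proc/version so the two can be compared in one place. The function names, the `--run` switch and the use of 7.3 as the threshold (the minimum the thread gives for a retpoline-aware GCC) are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise the kernel's /sys mitigation reports and the kernel's build compiler.

# Map one status line from /sys/devices/system/cpu/vulnerabilities/<name> to a verdict.
# "Vulnerable: Minimal ... retpoline" means the retpoline option is on but the
# compiler was too old for full retpoline (the NO seen in the checker output above).
classify_status() {
    case "$1" in
        "Not affected"*)        echo ok ;;
        "Mitigation: "*)        echo ok ;;
        "Vulnerable: Minimal"*) echo partial ;;
        "Vulnerable"*)          echo vuln ;;
        *)                      echo unknown ;;
    esac
}

# Pull "major.minor" of the GCC named in a /proc/version line,
# e.g. "7.2" from "(gcc version 7.2.0 (Gentoo 7.2.0-r1))".
kernel_gcc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True when GCC major.minor is at least 7.3 (assumed threshold, taken from the thread).
gcc_supports_retpoline() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# Print "<file> <verdict> <status>" for every entry in $1 (default: the live /sys path).
# Returns non-zero if any entry is not fully mitigated, so it can gate a post-build check.
check_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(tail -n1 "$f")
        verdict=$(classify_status "$status")
        printf '%-12s %-8s %s\n' "${f##*/}" "$verdict" "$status"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Run against the live system only when asked: ./check_retpoline.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    check_vulns "${2:-}"
    kernel_gcc_version "$(cat /proc/version)"
fi
```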

----------

