From 4bcca095908575ddd797ec049278074a3f4ebff6 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Wed, 17 Jan 2018 12:10:28 +0100 Subject: [PATCH] - up to 4.9.77; SECURITY: adds retpoline which mitigates Spectre variant 2 attack --- kernel-x86.config | 34 +++++++++++++++++++++++++++------- kernel.spec | 8 ++++---- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/kernel-x86.config b/kernel-x86.config index cfb6dd77..04875b80 100644 --- a/kernel-x86.config +++ b/kernel-x86.config @@ -19,6 +19,7 @@ SMP x86=y X86_X2APIC all=y X86_MPPARSE x86=y X86_BIGSMP i386=y +RETPOLINE x86=y X86_EXTENDED_PLATFORM i386=y x86_64=y X86_NUMACHIP all=n X86_VSMP x86_64=n @@ -60,6 +61,7 @@ X86_MCE_INTEL all=y X86_MCE_AMD all=y X86_ANCIENT_MCE all=y X86_MCE_INJECT x86=m +#- file arch/x86/events/Kconfig goes here X86_LEGACY_VM86 i386=n VM86 i386=y X86_VSYSCALL_EMULATION x86=y @@ -148,17 +150,13 @@ RAPIDIO all=y IA32_EMULATION x86_64=y IA32_AOUT x86_64=y X86_X32 x86_64=y -VMD all=m #- file net/Kconfig goes here #- file drivers/Kconfig goes here #- file drivers/firmware/Kconfig goes here #- file fs/Kconfig goes here #- file arch/x86/Kconfig.debug goes here -#- -#- *** FILE: security/Kconfig *** -#- +#- file kernel/vserver/Kconfig goes here #- file security/Kconfig goes here -PAGE_TABLE_ISOLATION x86_64=y #- file crypto/Kconfig goes here #- file arch/x86/kvm/Kconfig goes here #- file lib/Kconfig goes here @@ -295,7 +293,6 @@ GPIO_STA2X11 all=y #- *** FILE: drivers/iommu/Kconfig *** #- AMD_IOMMU x86_64=y -AMD_IOMMU_STATS x86_64=n #- #- *** FILE: drivers/media/pci/sta2x11/Kconfig *** @@ -316,6 +313,11 @@ V4L_RADIO_ISA_DRIVERS all=y NET_VENDOR_CIRRUS all=y CS89x0_PLATFORM all=y +#- +#- *** FILE: drivers/pci/host/Kconfig *** +#- +VMD all=m + #- #- *** FILE: drivers/staging/comedi/Kconfig *** #- 
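Review bot: The added `RETPOLINE x86=y` line in the `-19,6` hunk does not record that the option only gives the full Spectre variant 2 mitigation when the compiler can emit retpoline thunks. With an older compiler the kernel is expected to build anyway and fall back to a weaker mode. The `BuildRequires: gcc >= 6:7.2.0-6` change in kernel.spec looks like the other half of this, so a comment tying the two together would help the next updater, for example `#- needs retpoline-capable gcc, see BuildRequires in kernel.spec`, if the config tooling keeps free-form `#-` lines. After the build, confirm on a test boot that `/sys/devices/system/cpu/vulnerabilities/spectre_v2` reports the full retpoline mode, assuming this stable release exposes that file.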
@@ -363,7 +365,6 @@ DEBUG_STACKOVERFLOW x86=n #- file lib/Kconfig.kmemcheck goes here #- file lib/Kconfig.kasan goes here KCOV all=n -DEBUG_STRICT_USER_COPY_CHECKS x86=n #- file kernel/trace/Kconfig goes here MEMTEST x86=n #- file samples/Kconfig goes here @@ -377,3 +378,22 @@ IO_STRICT_DEVMEM x86=y #- ARCH_USES_HIGH_VMA_FLAGS all=y ARCH_HAS_PKEYS all=y + +#- +#- *** FILE: security/Kconfig *** +#- +#- file security/keys/Kconfig goes here +PAGE_TABLE_ISOLATION x86_64=y +#- file security/selinux/Kconfig goes here +#- file security/smack/Kconfig goes here +#- file security/tomoyo/Kconfig goes here +#- file security/apparmor/Kconfig goes here +#- file security/loadpin/Kconfig goes here +#- file security/yama/Kconfig goes here +#- file security/integrity/Kconfig goes here + +#- +#- *** PROBABLY REMOVED OPTIONS *** +#- +AMD_IOMMU_STATS x86_64=n +DEBUG_STRICT_USER_COPY_CHECKS x86=n diff --git a/kernel.spec b/kernel.spec index 35fd9a6b..4e8a7699 100644 --- a/kernel.spec +++ b/kernel.spec @@ -71,9 +71,9 @@ %define have_pcmcia 0 %endif -%define rel 4 +%define rel 1 %define basever 4.9 -%define postver .76 +%define postver .77 # define this to '-%{basever}' for longterm branch %define versuffix -%{basever} @@ -125,7 +125,7 @@ Source0: https://www.kernel.org/pub/linux/kernel/v4.x/linux-%{basever}.tar.xz # Source0-md5: 0a68ef3615c64bd5ee54a3320e46667d %if "%{postver}" != ".0" Patch0: https://www.kernel.org/pub/linux/kernel/v4.x/patch-%{version}.xz -# Patch0-md5: 3cb57f9904fdd7a1e277ad76e70c9a3c +# Patch0-md5: c3efd958632ac0ec812206a359ee530e %endif Source1: kernel.sysconfig @@ -242,7 +242,7 @@ BuildRequires: binutils >= 3:2.18 BuildRequires: elftoaout %endif BuildRequires: elfutils-devel -BuildRequires: gcc >= 5:3.2 +BuildRequires: gcc >= 6:7.2.0-6 BuildRequires: hostname BuildRequires: kmod >= 12-2 BuildRequires: openssl-devel -- 2.44.0
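Review bot: `PAGE_TABLE_ISOLATION x86_64=y` is removed in the `-148,17` hunk and re-added here in the `-377,3` hunk under a new trailing `security/Kconfig` block, so the Meltdown mitigation now depends on that block being picked up by whatever processes this file. Diff the generated x86_64 .config before and after this commit to confirm `CONFIG_PAGE_TABLE_ISOLATION=y` survives the move. The two entries under `PROBABLY REMOVED OPTIONS` (`AMD_IOMMU_STATS`, `DEBUG_STRICT_USER_COPY_CHECKS`) look like leftovers the update tooling could not place. If 4.9.77 no longer defines them, dropping them keeps dead options from accumulating.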
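Review bot: The new `# Patch0-md5: c3efd958632ac0ec812206a359ee530e` line in the `-125,7` hunk is the only integrity pin visible for `patch-%{version}.xz`, and MD5 does not resist deliberate collisions. The download is over https, but a digest that cannot be trusted against a crafted file is a weak anchor for a security update. Check the fetched patch against kernel.org's signed checksum list (or the PGP signature on the patch) before committing the digest, and say so in the commit message. If the builder's `-md5` convention allows a stronger digest alongside it, adding one here would be preferable.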
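Review bot: The raised floor `BuildRequires: gcc >= 6:7.2.0-6` in the `-242,7` hunk sits after an `%endif`, so it appears to apply to every architecture this spec builds, while the only visible reason for it is the x86-only `RETPOLINE x86=y`. If non-x86 builders do not yet carry that gcc release, this would block their builds for no mitigation benefit. Consider keeping the old floor generally and applying the new one inside an x86 arch conditional, or confirm the unconditional bump is intended. Either way a short comment above the line, such as `# gcc with retpoline support, needed for RETPOLINE=y`, would stop a later cleanup from relaxing it.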