System Z {kernel} UBUNTU18.04 wrong kernel config
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Critical | Canonical Kernel Team |
linux (Ubuntu) | Fix Released | Critical | Seth Forshee |
Bug Description
Kernel config 4.15.0-13-generic #14 (and same for 4.15.0-15-generic) is not OK, because both security mechanisms nobp AND expoline are enabled:
CONFIG_
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_
CONFIG_
If the kernel is compiled with a gcc that can generate expoline thunks the correct config is as follows:
# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
# CONFIG_
CONFIG_
Alternatively the auto-detection patch can be used which is upstream as of today:
commit 6e179d64126b909
s390: add automatic detection of the spectre defense
Automatically decide between nobp vs. expolines if the spectre_v2=auto
kernel parameter is specified or CONFIG_
The decision made at boot time due to CONFIG_
can be overruled with the nobp, nospec and spectre_v2 kernel parameters.
If this patch is used, then the correct config is
# CONFIG_KERNEL_NOBP is not set
CONFIG_EXPOLINE=y
# CONFIG_EXPOLINE_OFF is not set
CONFIG_
# CONFIG_
This patch goes together with three others, so a total of four patches would be needed for the latest-and-greatest solution:
b2e2f43a01bace1
6e179d64126b909
bc035599718412c
d424986f1d6b160
tags: added: architecture-s39064 bugnameltc-166584 severity-critical targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
tags: added: targetmilestone-inin1804 removed: targetmilestone-inin---
Changed in linux (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Seth Forshee (sforshee)
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
tags: added: cscc
Cherry picked the auto-detection patches into bionic, set CONFIG_EXPOLINE_AUTO=y and CONFIG_KERNEL_NOBP=n.
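
An added example, not part of the bug report or the kernel tree: a shell script that classifies a kernel config file by the nobp/expoline combinations discussed in this report, so the conflicting state and the fixed state can be told apart. The function names, verdict strings and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the s390 Spectre v2
# build settings found in a kernel config file.

# Print "y" if SYMBOL=y appears in FILE ($1), else "n" (unset or absent).
config_enabled() {
    if grep -q "^$2=y\$" "$1"; then echo y; else echo n; fi
}

# Print a verdict for config file $1:
#   conflict       nobp and expoline both enabled (the state this bug reports)
#   expoline-auto  expoline with boot-time auto-detection, nobp off (the fix)
#   expoline       expoline only
#   nobp           nobp only
#   none           neither defense built in
spectre_v2_verdict() {
    nobp=$(config_enabled "$1" CONFIG_KERNEL_NOBP)
    expoline=$(config_enabled "$1" CONFIG_EXPOLINE)
    auto=$(config_enabled "$1" CONFIG_EXPOLINE_AUTO)
    case "$nobp$expoline$auto" in
        yy?) echo conflict ;;
        nyy) echo expoline-auto ;;
        nyn) echo expoline ;;
        yn?) echo nobp ;;
        *)   echo none ;;
    esac
}

# Constructed sample configs (not copied from a real kernel package).
write_sample() {   # $1 = reported|fixed, $2 = output file
    case "$1" in
        reported) printf '%s\n' 'CONFIG_KERNEL_NOBP=y' 'CONFIG_EXPOLINE=y' \
                      '# CONFIG_EXPOLINE_OFF is not set' ;;
        fixed)    printf '%s\n' '# CONFIG_KERNEL_NOBP is not set' \
                      'CONFIG_EXPOLINE=y' '# CONFIG_EXPOLINE_OFF is not set' \
                      'CONFIG_EXPOLINE_AUTO=y' ;;
    esac > "$2"
}

# Check the files named on the command line, or the two samples if none given.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    write_sample reported "$tmp/reported"; write_sample fixed "$tmp/fixed"
    set -- "$tmp/reported" "$tmp/fixed"
fi
for f in "$@"; do
    echo "$f: $(spectre_v2_verdict "$f")"
done
```

Run it with a config path as argument, for example the `/boot/config-*` file of the installed kernel, to check a real build.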