Backport of KPTI to 2.6.32 available

Backport of KPTI to 2.6.32 available

[Corey Minyard]

I've completed a backport of KPTI from linux-stable-3.2.y to 2.6.32.71, in
case anyone is interested and wants to avoid all the work I went through.
It's available at:

https://github.com/MontaVista-OpenSourceTechnology/linux-nonlts-secfix.git 
linux-2.6.32-secfix

I'll try to keep it up to date with fixes andn with Spectre fixes.

A 3.10 branch will hopefully be coming, too.

-corey

Re: Backport of KPTI to 2.6.32 available

[Willy Tarreau]

Hi Corey,

On Thu, Jan 11, 2018 at 11:42:38AM -0600, Corey Minyard wrote:
> I've completed a backport of KPTI from linux-stable-3.2.y to 2.6.32.71, in
> case anyone is interested and wants to avoid all the work I went through.
> It's available at:
> 
> https://github.com/MontaVista-OpenSourceTechnology/linux-nonlts-secfix.git
> linux-2.6.32-secfix

Well, good job on this, thanks for sharing! However, this is just a friendly
reminder to everyone still running 2.6.32 that during my 3.10 maintenance
period after I dropped 2.6.32, I saw a significant number of bugs affecting
older versions, 2.6.32 included. So if people are using your branch above to
pick your patches and apply them to their locally maintained kernel, that's
possibly fine. However please guys don't run just the kernel above as-is as
it's definitely missing a few hundreds of fixes (~1300 were fixed in 3.10
since 2.6.32.71 was released, some addressing local privilege escalations).

Cheers,
Willy

Re: Backport of KPTI to 2.6.32 available

[Greg KH]

On Thu, Jan 11, 2018 at 11:42:38AM -0600, Corey Minyard wrote:
> I've completed a backport of KPTI from linux-stable-3.2.y to 2.6.32.71, in
> case anyone is interested and wants to avoid all the work I went through.
> It's available at:
> 
> https://github.com/MontaVista-OpenSourceTechnology/linux-nonlts-secfix.git
> linux-2.6.32-secfix
> 
> I'll try to keep it up to date with fixes andn with Spectre fixes.

That's crazy, why update it now, when it's missing hundreds, if not
thousands, of other much more severe security fixes?  What makes this
one more "urgent" than all of the others?

Anyway, anyone running this branch is getting a very false sense of "I'm
running a fixed kernel!"  I strongly recommend it not be used for
anything...

> A 3.10 branch will hopefully be coming, too.

Again, why?  There's backports for this in the android-common tree if
you really want it.  But again, you really do not.

thanks,

greg k-h

Re: Backport of KPTI to 2.6.32 available

[Corey Minyard]

On 01/11/2018 02:32 PM, Greg KH wrote:
> On Thu, Jan 11, 2018 at 11:42:38AM -0600, Corey Minyard wrote:
>> I've completed a backport of KPTI from linux-stable-3.2.y to 2.6.32.71, in
>> case anyone is interested and wants to avoid all the work I went through.
>> It's available at:
>>
>> https://github.com/MontaVista-OpenSourceTechnology/linux-nonlts-secfix.git
>> linux-2.6.32-secfix
>>
>> I'll try to keep it up to date with fixes andn with Spectre fixes.
> That's crazy, why update it now, when it's missing hundreds, if not
> thousands, of other much more severe security fixes?  What makes this
> one more "urgent" than all of the others?
>
> Anyway, anyone running this branch is getting a very false sense of "I'm
> running a fixed kernel!"  I strongly recommend it not be used for
> anything...

Yes, this is not useful as it is, you must be maintaining the kernel 
separately.  I put
this out as a help to anyone else who might need this.  I certainly 
don't expect
it to be used as-is.

>> A 3.10 branch will hopefully be coming, too.
> Again, why?  There's backports for this in the android-common tree if
> you really want it.  But again, you really do not.

Oh yeah, I guess the android kernel would be the way to go here. Never mind.

-corey