LegacyXperia / local_manifests

Local manifest for building CyanogenMod for Xperia 2011 devices
legacyxperia.github.io

Possibility of an Android patch level/security release, particularly due to KRACK/Spectre/Meltdown? #1114

Closed by phizev 5 months ago

phizev commented 6 years ago

Firstly, thank you for the work put into this project; I still have 2 Urushis living useful lives as a result.

In light of KRACK Attacks, and given the length of time since the last release, would it be plausible to have a release which fixes only security issues once Google has finally released fixes for KRACK?

I know Google has yet to release updates fixing KRACK, which are only going to start coming out after November 6th, or such, but it would be really nice to have that sorted out thereafter.

Edit: Addition of Spectre/Meltdown speculation/information, see this comment.

mikeNG commented 6 years ago

If there is a release, I would prefer to patch all the kernel CVEs as well. But since that will be a huge effort, I am not sure if it will be done. I don't have time lately for semc

phizev commented 6 years ago

Thank you for the response, and I completely understand, merely from the point of view having watched the download counts having decreased over the last couple years. (Prior to the temporary loss of buildbasket.)

It's been a great run, and thanks again!

phizev commented 6 years ago

I've been trying to keep an eye out for any communication from Qualcomm as to whether their Scorpion CPUs are vulnerable to Meltdown/Spectre. The best I have found to date is this, which doesn't really provide an answer. From a slide presentation from 2007, I would suspect that Scorpion CPUs are vulnerable to Spectre, due to branch prediction, though not Meltdown as they do not do speculative execution.

I'm updating the issue title, and adding this comment as there is no need for a separate issue. I'd highly recommend that anyone who still wishes to use these devices tread very carefully. I'm far from any expert in this field, but at this time, it would seem that these devices are left in a very insecure state now.

Lastly, again, my sincere thanks to the project maintainers for their, dare I say, magnificent work.

phizev commented 6 years ago

I've updated the build instructions in the wiki from CyanogenMod 11 to LineageOS 11; building according to the updated instructions brings me to a patch level of 1 March 2018. I am going to try building for LineageOS 13 next. If successful, I'll submit a patch for the changes necessary. As a note to anyone else who may come across this, I downloaded about 50 GB, and once building was completed, just under another 50 GB of disk space was used.

phizev commented 5 months ago

To close off this issue, 6 years later: I did not get LineageOS 13 to the point of being a daily driver build.

Additionally, the extra processing overhead of fixing the CPU exploits would likely render the device unusable even at the time.