NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Meltdown and Spectre Patches for nixOS #33689

Closed harshanarayana closed 6 years ago

harshanarayana commented 6 years ago

Issue description

We have a set of EC2 Instances running on AWS that are used for admin purposes and use NixOS as their base. As per the AWS Security Bulletin, we are trying to patch the vulnerabilities in our system.

This is a sort of follow-up question based on #33414, #33684 and #33563.

Can someone please confirm that the AWS EC2 AMI for us-west-2 (ami-2bd87953) already includes the security patches for the items mentioned in the bulletin? CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Steps to reproduce

Technical details

EC2 AMI Image Used - ami-6449f504 (Build NixOS x86_64-linux 16.09.1508.3909827)

adisbladis commented 6 years ago

ami-2bd87953 is not patched. The 17.09 channel is though, so if you upgrade you will get the Meltdown and Spectre fixes.

@edolstra needs to generate new AMIs (which I think he said somewhere he was going to do soon).

adisbladis commented 6 years ago

@edolstra just made new AMIs for 17.09 https://github.com/NixOS/nixpkgs/commit/6bbd67d45aaebbca0140384ea871c03c42d18277

edolstra commented 6 years ago

The AMIs now contain the kpti patch (6bbd67d45aaebbca0140384ea871c03c42d18277). This can be verified by running dmesg | grep isolation.

AFAIK the microcode updates don't apply to VMs since only the host can apply microcode updates.
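The check edolstra describes (dmesg | grep isolation) can be turned into a small verification script. The following is an added example written for this page, not code from the issue thread or from the nixpkgs project. It assumes two things: the kernel log line "Kernel/User page tables isolation: enabled" that the grep above relies on, and the per-vulnerability status files that newer kernels expose under /sys/devices/system/cpu/vulnerabilities/ (a 16.09-era kernel may not have them, in which case the script reports "missing" rather than guessing). Inputs are passed as arguments so the functions can be exercised offline against constructed sample text; on a real host you would call them with "$(dmesg)" and the real sysfs directory.

```shell
# Added example (not from the thread): classify Meltdown/Spectre mitigation
# state from the kernel log and the sysfs vulnerability files.

# kpti_status DMESG_TEXT -> prints "enabled", "disabled" or "unknown"
# depending on the KPTI line the kernel prints at boot.
kpti_status() {
    case "$1" in
        *"Kernel/User page tables isolation: enabled"*)  printf 'enabled\n' ;;
        *"Kernel/User page tables isolation: disabled"*) printf 'disabled\n' ;;
        *)                                               printf 'unknown\n' ;;
    esac
}

# vuln_status DIR NAME -> classify DIR/NAME the way the kernel words it:
# "Mitigation: ...", "Vulnerable...", "Not affected". A kernel too old to
# have the file yields "missing", which is itself a useful signal.
vuln_status() {
    file="$1/$2"
    [ -r "$file" ] || { printf 'missing\n'; return 0; }
    case "$(cat "$file")" in
        "Not affected"*) printf 'not-affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# make_sample_sysfs -> creates a constructed vulnerabilities directory and
# prints its path. The values are sample text, not taken from any real host;
# spectre_v2 is deliberately left at "Vulnerable" to mirror a guest whose
# host has not applied microcode, the situation the last comment describes.
make_sample_sysfs() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Constructed dmesg excerpt standing in for "$(dmesg)" on a patched host.
SAMPLE_DMESG='[    0.000000] Linux version 4.9.77 (constructed sample line)
[    0.000000] Kernel/User page tables isolation: enabled'

# Stand-alone run over the constructed input.
printf 'KPTI: %s\n' "$(kpti_status "$SAMPLE_DMESG")"
SAMPLE_DIR=$(make_sample_sysfs)
for v in meltdown spectre_v1 spectre_v2; do
    printf '%-10s %s\n' "$v" "$(vuln_status "$SAMPLE_DIR" "$v")"
done
rm -rf "$SAMPLE_DIR"
```

Two points worth noting when using this on a real instance: the dmesg ring buffer can be rotated out on long-running hosts, so the sysfs files are the more reliable source where they exist; and a "vulnerable" result for spectre_v2 inside a VM is consistent with the thread's last comment, since the guest cannot apply microcode and depends on the host for it.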