KPTI backport conflicts

[sempervictus]

Spent a bit of time looking at the KPTI thing and trying to figure how the pieces impacted by the changes in this tree actually work, and what the kpti patches are doing there. It looks like there's a bunch of delta around the way tss_struct is handled, and lower down to things i dont yet understand, seemingly related to how data is laid out on the stack. It appears that some of the memory access is actually occuring from kernel context whereas the 4.9 upstream code being patched seems to expect its in the user context (in truct tss_struct doublefault_tss for instance)

@minipli: if this is actually "portable" into the fork, is there any chance you might be able to detail the changes from upstream in the commit log so we could better understand the clockwork? Thanks as always.

[matthewruffell]

Okay, I spent all weekend getting dapper-secure-kernel-patchset-stable from 4.9.80 to 4.9.92. It was quite a lot of effort, as it seems minor patches are growing in size rapidly these days.

You can get my latest release from here

There's a few compile errors in the 4.9.8x series since I forward ported without compiling to save the 2 or so hours needed to compile the kernel, and I have resolved these in 4.9.91 as I went and compiled 4.9.90 and 4.9.91. I haven't tested 4.9.92, but the patch was small, so I think it will be okay.

My current plan is to catch up to the latest release (4.9.103+) and then complete the gcc8 port, since some of the 4.9.10x patches include gcc8 support. From there on I'll have a look at retpoline, but it is hard enough simply staying up to date. We will see what happens.

If anyone wants to help out, you can help by compiling my code and testing, fixing those pesky kconfig warnings I introduced today, or having a go at getting retpoline working.

[theLOICofFRANCE]

@msr50

If anyone wants to help out, you can help by compiling my code and testing, fixing those pesky kconfig warnings I introduced today, or having a go at getting retpoline working.

It was already done, but you advance on without taking my patch. See issues 2

since some of the 4.9.10x patches include gcc8 support.

Add include required by GCC release 8

[matthewruffell]

Okay, I have had a busy weekend going from 4.9.92 -> 4.9.105, and it is available to download from my releases page. It is tested and compiles fine on GCC7.

GCC8 support is 95% done now. There is a small very strange bug left where the size_overflow plugin generates some weird GCC gimple code for a GIMPLE_ASSIGN statement that for some strange reason has 4 operands in a statement somewhere in mm/vmscan.c, and I'll keep looking into it. If you are impatient you can disable CONFIG_SIZE_OVERFLOW in your config to compile a kernel with GCC8. I'll make an issue for it in the next few days with some more debug info incase anyone is interested in figuring out how to fix it.

Boy oh boy was 4.9.104 one crazy little release. I haven't seen a release as large as that before. 14,000 lines of code in a small point release that I had to go through to make sure there wasn't any references to meltdown or spectre. It probably won't be the last large release either.

Up next is keeping up to date with point releases and back to working on retpoline. Will update as I go.

[miroR]

@msr50

Okay, I have had a busy weekend going from 4.9.92 -> 4.9.105, and it is available to download from my > releases page. It is tested and compiles fine on GCC7.

I'm testing 4.9.105 (which did compile fine on:

$ gcc --version
gcc (Debian 7.2.0-19) 7.2.0

I hope you and @minipli will find a way to join forces... I've had fewer crashes with 4.9.92-dappersec180601-06 then I have had with minipli's grsecunoff...

And I've been testing (and still am)the kernel that I uploaded at https://www.croatiafidelis.hr/gnu/deb/linux-4.9.92-dappersec180601-06/ i.e. for any hardware (much wider attack surface than when I compile for my own hardware only).

Will report how 4.9.105 is faring, and then hopefully offer that one for download too.