On Sun, 2020-12-13 at 01:53 -0800, Steve Langasek wrote:
[...]
> While the ongoing costs of maintaining a full port were a consideration,
> of equal concern was the fact that we believed we would not be able to
> provide security support for the architecture as a whole at par with
> other architectures, due to, among other things, lack of adequate
> support from the upstream kernel/toolchain community. I'm not sure if
> i386 has caught up and now has adequate mitigation for Spectre etc, but
> it definitely wasn't available on an equivalent timeline as amd64.

I agree that kernel security support for i386 is seriously lacking.

The Spectre mitigations were actually available for both x86
architectures at the same time, but the initial Meltdown mitigation was
amd64-specific and was not extended to i386 until Linux 4.19. The
implementation used in stable kernel branches (KAISER) was sufficiently
different from that used upstream that i386 support has not been added
to it. As a result, stretch:i386 is still vulnerable when running the
default (4.9-based) kernel.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
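The practical question behind the exchange above is whether a given running kernel actually carries the Meltdown (PTI/KAISER) and Spectre mitigations. The kernel reports this itself through /sys/devices/system/cpu/vulnerabilities, an interface added upstream in Linux 4.15 and later carried into the stable series. The following POSIX sh script is an added example, not code from the mail thread or from Debian; it reads those files, prints one status line per entry, and returns a distinct exit status for "all mitigated", "something Vulnerable" and "interface absent" so it can be used from a provisioning check. The make_sample function builds a constructed directory that mirrors the situation Ben describes (Spectre mitigated, Meltdown not); it is illustrative data, not output captured from a stretch:i386 machine.

```shell
#!/bin/sh
# Added example (not from the original mail thread or from Debian).
# Summarises the kernel's own mitigation reports from the sysfs
# "vulnerabilities" directory (Linux 4.15+, and backported stable
# kernels). Where the directory is absent the kernel predates the
# interface and the script says "unknown" rather than guessing.

# check_mitigations [DIR]
# Prints "name: status" for every file in DIR (default: the live sysfs
# path). Exit status: 0 if no entry reports "Vulnerable", 1 if at least
# one does, 2 if DIR does not exist.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "unknown: $dir not present (kernel predates the sysfs interface)"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        echo "$name: $status"
        case "$status" in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# make_sample
# Creates a constructed sysfs-like directory resembling a kernel with
# Spectre mitigations but no Meltdown (PTI/KAISER) support, and prints
# its path. Sample data only; not captured from a real system.
make_sample() {
    d=$(mktemp -d)
    echo "Vulnerable" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}

# When executed directly, report on the running kernel. The "|| echo"
# keeps a non-zero verdict from aborting callers that run with errexit.
check_mitigations "$@" || echo "verdict: exit status $?"
```

Run it with no arguments to inspect the live kernel, or pass a directory to evaluate a copied sysfs tree (for example one collected from a fleet). A return of 1 is the condition a defender wants to alert on; a return of 2 means the kernel is too old to report at all, which on a 4.9-era i386 system is itself worth flagging.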