[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Release status of i386 for Bullseye and long term support for 3 years?

Ben Hutchings <ben@decadent.org.uk> writes:

> I agree that kernel security support for i386 is seriously lacking.

> The Spectre mitigations were actually available for both x86
> architectures at the same time, but the initial Meltdown mitigation was
> amd64-specific and was not extended to i386 until Linux 4.19.  The
> implementation used in stable kernel branches (KAISER) was sufficiently
> different from that used upstream, that i386 support has not been added
> to it.

> As a result, stretch:i386 is still vulnerable when running the default
> (4.9-based) kernel.

It may be worth separating the kernel from the rest of the distribution.
Switching an existing i386 deploy to use the amd64 kernel is fairly easy.
I did that on my legacy i386 installations quite some time ago, and thus
am running a kernel with proper upstream security support.  It's far
easier and less intimidating than crossgrading the rest of the system to

One possible intermediate option shy of dropping the i386 architecture
would be to drop the i386 kernel and instead help all i386 installs switch
to the amd64 kernel while still running i386 binaries.  (That said, this
will obviously not work on actual i386 hardware, and I don't know if it
has other issues that I personally happened not to notice.)

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to: