Re: Release status of i386 for Bullseye and long term support for 3 years?
On Mon, Dec 14, 2020 at 01:22:11PM +0100, Ben Hutchings wrote:
> On Sun, 2020-12-13 at 01:53 -0800, Steve Langasek wrote:
> > While the ongoing
> > costs of maintaining a full port were a consideration, of equal concern was
> > the fact that we believed we would not be able to provide security support
> > for the architecture as a whole at par with other architectures, due to,
> > among other things, lack of adequate support from the upstream
> > kernel/toolchain community. I'm not sure if i386 has caught up and now has
> > adequate mitigation for Spectre etc, but it definitely wasn't available on
> > an equivalent timeline as amd64.
> I agree that kernel security support for i386 is seriously lacking.
> The Spectre mitigations were actually available for both x86
> architectures at the same time, but the initial Meltdown mitigation was
> amd64-specific and was not extended to i386 until Linux 4.19. The
> implementation used in stable kernel branches (KAISER) was sufficiently
> different from that used upstream, that i386 support has not been added
> to it.
If using Spectre/Meltdown as metric, how does kernel security support
for architectures like arm64 or ppc64el compare to kernel security
support for i386?
When it comes to security support, i386 often has the benefit that code
is shared with amd64 so fixes are available early (like for Spectre).
I am not saying that there was no problem on i386, but if this was meant
to register a security concern for release architectures we have to look
at all architectures.
> As a result, stretch:i386 is still vulnerable when running the default
> (4.9-based) kernel.
A bigger worry for i386 would be the availability of microcode updates
for Spectre, but this has little practical impact as long as noone cares
enough about Spectre to start a GR that would allow us to not leave our
amd64 users vulnerable by default even in bullseye.