
Re: Release status of i386 for Bullseye and long term support for 3 years?



Ben Hutchings <ben@decadent.org.uk> writes:

> I agree that kernel security support for i386 is seriously lacking.

> The Spectre mitigations were actually available for both x86
> architectures at the same time, but the initial Meltdown mitigation was
> amd64-specific and was not extended to i386 until Linux 4.19.  The
> implementation used in stable kernel branches (KAISER) was sufficiently
> different from that used upstream, that i386 support has not been added
> to it.

> As a result, stretch:i386 is still vulnerable when running the default
> (4.9-based) kernel.

It may be worth separating the kernel from the rest of the distribution.
Switching an existing i386 deploy to use the amd64 kernel is fairly easy.
I did that on my legacy i386 installations quite some time ago, and thus
am running a kernel with proper upstream security support.  It's far
easier and less intimidating than crossgrading the rest of the system to
amd64.

One possible intermediate option shy of dropping the i386 architecture
would be to drop the i386 kernel and instead help all i386 installs switch
to the amd64 kernel while still running i386 binaries.  (That said, this
will obviously not work on actual i386 hardware, and I don't know if it
has other issues that I personally happened not to notice.)

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
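As an added illustration of the kernel/userland split Russ describes (example code, not part of his message or of any Debian tool), the following POSIX shell script classifies an install by comparing the running kernel architecture with the dpkg userland architecture, and checks the CPU's long-mode flag, which is the prerequisite the amd64 kernel needs and which real 32-bit hardware lacks. The `apt install linux-image-amd64` command it prints is the Debian way to pull the amd64 kernel flavour onto an i386 install; the helper names are this example's own.

```shell
#!/bin/sh
# Classify how a Debian install is booting. "kernel" is the output of
# `uname -m`, "userland" is the output of `dpkg --print-architecture`.
# Pure shell so the functions can be exercised offline.
classify_install() {
    kernel="$1"
    userland="$2"
    case "$userland" in
        i386)
            case "$kernel" in
                x86_64)    echo "amd64-kernel-i386-userland" ;;  # the setup Russ runs
                i686|i586) echo "i386-kernel-i386-userland" ;;   # still on the 32-bit kernel
                *)         echo "unknown" ;;
            esac ;;
        amd64) echo "amd64" ;;
        *)     echo "unknown" ;;
    esac
}

# A 64-bit kernel needs the CPU's long-mode ('lm') flag. The flags string is
# passed in so the check is testable without /proc/cpuinfo.
cpu_has_long_mode() {
    case " $1 " in
        *" lm "*) return 0 ;;
        *)        return 1 ;;
    esac
}

main() {
    userland=$(dpkg --print-architecture 2>/dev/null || echo unknown)
    layout=$(classify_install "$(uname -m)" "$userland")
    echo "layout: $layout"
    if [ "$layout" = "i386-kernel-i386-userland" ]; then
        flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
        if cpu_has_long_mode "$flags"; then
            echo "CPU has long mode; the amd64 kernel can be installed with:"
            echo "  apt install linux-image-amd64"
        else
            echo "CPU lacks long mode (real 32-bit hardware); amd64 kernel is not an option"
        fi
    fi
}

main
```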
