This is a variant for Fedora's kernel, replacing repoline patches with upstream's IBRS.
I built this for myself, as I'm not a big fan of retpoline as a mitigation, but perhaps others may find this useful too. Future kernels from 4.15.x series will provide both mitigations, allowing the user to choose between them.
Combined with the latest microcode_ctl package (microcode_ctl-2.1-20.fc27.x86_64), this will get you some (upstream's IBRS patch is still WIP) protection against Spectre variant #2, and a /sys/kernel/debug/x86/ibrs_enabled knob with the same semantics as described in this article:
- Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables.
$ sudo dnf copr enable slp/kernel-ibrs
$ sudo dnf install kernel-4.14.13-300.ibrs.fc27
$ sudo dracut --force /boot/initramfs-4.14.13-300.ibrs.fc27.x86_64.img 4.14.13-300.ibrs.fc27.x86_64
The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).
|Fedora 27||x86_64 (0)*||Fedora 27 (20 downloads)|
* Total number of packages downloaded in the last seven days.