Bug 1625825 - L1TF and i686 PAE kernel builds
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: kernel
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Blocks: x86Tracker
Reported: 2018-09-06 04:25 UTC by Matt Fagnani
Modified: 2018-09-08 01:20 UTC (History)

Last Closed: 2018-09-06 14:41:58 UTC
Type: Bug

Description Matt Fagnani 2018-09-06 04:25:25 UTC
Description of problem:
When I run the default kernel tests, the output includes
Vulnerability status:
/sys/devices/system/cpu/vulnerabilities/l1tf:Vulnerable

I've been using the i686 builds on F28 because my computer has a 32-bit Pentium 4 CPU. I've read that the L1TF kernel mitigations work for 32-bit PAE kernels, but not with 32-bit non PAE. For example, Andi Kleen wrote the following in an L1TF mitigation commit for 32-bit PAE kernels:
"The OS side mitigation makes sure that a !PRESENT PTE entry points to a
physical address outside the actually existing and cachable memory
space. This is achieved by inverting the upper bits of the PTE. Due to the
address space limitations this only works for 64bit and 32bit PAE kernels,
but not for 32bit non PAE."
https://lore.kernel.org/patchwork/patch/974257/

Could i686 kernels with PAE enabled be built again to mitigate the L1TF vulnerabilities if it's not too much trouble? Thank you.

Version-Release number of selected component (if applicable):
kernel-4.18.5-200.fc28.i686

How reproducible:
Always

Steps to Reproduce:
1. change directory to kernel tests directory
2. sudo ./runtests.sh

Actual results:
/sys/devices/system/cpu/vulnerabilities/l1tf:Vulnerable

Expected results:
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion


Additional info:
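
The PTE inversion quoted in the description above, as an added example that is not part of the original report and is not kernel code: a simplified model of why the width of the PFN field decides whether an inverted !PRESENT entry points past installed RAM. The field widths (40 and 20 bits), the PAGE_PROTNONE flag value, the 3 GiB RAM size and the sample address are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PAGE_PRESENT  0x001ull
#define PAGE_PROTNONE 0x100ull  /* assumed flag marking a !PRESENT mapping */

/* PFN field of the modelled entry: pfn_bits wide, starting at bit 12.
 * Assumed widths: 40 for the 64-bit entries of x86-64 and PAE paging,
 * 20 for the 32-bit non-PAE entry. */
static uint64_t pfn_mask(unsigned pfn_bits)
{
    return ((1ull << pfn_bits) - 1) << PAGE_SHIFT;
}

/* A non-zero entry without the present bit still carries address bits. */
static bool needs_invert(uint64_t pte)
{
    return pte != 0 && !(pte & PAGE_PRESENT);
}

/* Build an entry; invert the whole PFN field when it is !PRESENT. */
static uint64_t make_pte(uint64_t phys, uint64_t flags, unsigned pfn_bits)
{
    uint64_t pte = (phys & pfn_mask(pfn_bits)) | flags;
    return needs_invert(pte) ? pte ^ pfn_mask(pfn_bits) : pte;
}

/* Address the OS recovers: undo the inversion where it was applied. */
static uint64_t pte_phys(uint64_t pte, unsigned pfn_bits)
{
    uint64_t mask = pfn_mask(pfn_bits);
    return (needs_invert(pte) ? pte ^ mask : pte) & mask;
}

/* True when the address bits left in a !PRESENT entry point past RAM. */
static bool points_outside_ram(uint64_t phys, unsigned pfn_bits, uint64_t ram)
{
    return (make_pte(phys, PAGE_PROTNONE, pfn_bits) & pfn_mask(pfn_bits)) >= ram;
}

int main(void)
{
    uint64_t ram = 3ull << 30, phys = 0xB0000000ull;  /* constructed values */
    printf("64-bit/PAE entry outside RAM: %d\n", points_outside_ram(phys, 40, ram));
    printf("non-PAE entry outside RAM:    %d\n", points_outside_ram(phys, 20, ram));
    printf("recovered address: %#llx\n",
           (unsigned long long)pte_phys(make_pte(phys, PAGE_PROTNONE, 40), 40));
    return 0;
}
```

With a 20-bit PFN field every inverted value still lies inside the 4 GiB physical address space, so for this sample page it lands on populated memory; the wider field leaves high bits that no installed RAM reaches.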

Comment 1 Laura Abbott 2018-09-06 14:41:58 UTC
We intentionally dropped PAE support because there just wasn't demand for it. I don't think there is any interest in bringing it back. You are welcome to discuss this with the x86 SIG (https://fedoraproject.org/wiki/Architectures/x86)

Comment 2 Matt Fagnani 2018-09-08 01:20:02 UTC
I didn't know why the kernel-PAE packages were removed in F28 until I read your message. I used the kernel-PAE packages from F24 to F27. When I upgraded to F28 in early May, I was surprised to find that no F28 kernel packages had been installed. I ran sudo dnf install kernel* from VT2 after that happened which resolved the problem. If F28 kernel packages obsoleted the kernel-PAE packages, the problems above might've been avoided. In the current F28 kernel.spec I see Obsoletes: kernel-PAE-debug but not Obsoletes: kernel-PAE https://src.fedoraproject.org/rpms/kernel/blob/f28/f/kernel.spec
I'm not sure if or how that would need to be specified for i686 alone.
The issue above was reported by at least four others.
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/N6YZEA7JBYMIDZL4OB7XTYI74WIUXZDZ/
https://ask.fedoraproject.org/en/question/124527/system-upgrade-27-28-dosent-install-kernel-in-grub/
https://ask.fedoraproject.org/en/question/122127/kernal-update-problem/
https://starlightcascade.ca/blog/2018/05/more-linux-fedora-28-upgrades/

I read the F29 i686 packages are being compiled with SSE2 support https://fedoraproject.org/wiki/Changes/Update_i686_architectural_baseline_to_include_SSE2
I don't know what proportion of CPUs with SSE2 support also have PAE support, but since PAE was introduced in 1995 and SSE2 in 2000, I'm guessing that proportion would be high. Since the L1TF vulnerabilities were made public after the removal of i686 PAE builds from F28, the x86 SIG may wish to reexamine the issue. Would posting issues like this on the x86 mailing list be an appropriate way to discuss this? I've been trying to learn more about kernel, network, security, and other related topics in the last two years, and Fedora has helped me a lot in this way. Thanks to you and the other Fedora maintainers and developers.

