Project Talk:Security/Vulnerabilities/Meltdown and Spectre

`dracut` seems to be a rather simple solution for initramfs-based microcode loading. Looks like `early_microcode = yes` in `/etc/dracut.conf.d/gentoo.conf` is enough.

NVIDIA is also affected: http://nvidia.custhelp.com/app/answers/detail/a_id/4611

Consider changing the following command:

cpuid -1 | grep serial | tail -n1 | awk '{print $4}' | cut -d\- -f1,2 | sed 's/-//g'

with:

cpuid -1 | awk '/processor serial number:/{split($4,c,"-");print c[1]c[2]}'
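To make clear what those pipelines extract, here is an added example (not from this talk page or from Gentoo): it parses a constructed `cpuid -1` excerpt, takes the first two dashed groups of the "processor serial number" line as the CPUID(1).EAX signature, and decodes that into the family-model-stepping triple under which Intel names its microcode files (`intel-ucode/FF-MM-SS`). Accepting both the older `name: value` and the newer `name = value` separator is an assumption about cpuid's output formats.

```shell
#!/bin/sh
# Constructed excerpt of `cpuid -1` output; not captured from a real host.
SAMPLE_CPUID_OUTPUT='CPU:
   vendor_id = "GenuineIntel"
   processor serial number: 0008-06E9-0000-0000-0000-0000
'

# Read cpuid output on stdin and print the 32-bit signature (e.g. 000806E9).
# Uses the last field so both ": value" and " = value" layouts work (assumption).
cpuid_signature() {
    awk '/processor serial number/ {
        split($NF, c, "-")         # value is 0008-06E9-0000-0000-0000-0000
        print c[1] c[2]            # first two groups form CPUID(1).EAX
        exit
    }'
}

# Decode a hex signature into the family-model-stepping triple that the kernel
# and Intel microcode release notes use, folding in the extended fields as the
# Intel SDM specifies (extended family only when family == 0xF, extended model
# when family is 0x6 or 0xF). Output matches Intel's file naming: FF-MM-SS.
decode_signature() {
    ds_sig=$(( 0x$1 ))
    ds_stepping=$(( ds_sig & 0xF ))
    ds_model=$(( (ds_sig >> 4) & 0xF ))
    ds_family=$(( (ds_sig >> 8) & 0xF ))
    ds_ext_model=$(( (ds_sig >> 16) & 0xF ))
    ds_ext_family=$(( (ds_sig >> 20) & 0xFF ))
    if [ "$ds_family" -eq 6 ] || [ "$ds_family" -eq 15 ]; then
        ds_model=$(( (ds_ext_model << 4) | ds_model ))
    fi
    if [ "$ds_family" -eq 15 ]; then
        ds_family=$(( ds_family + ds_ext_family ))
    fi
    printf '%02x-%02x-%02x\n' "$ds_family" "$ds_model" "$ds_stepping"
}

# Name of the microcode blob to look for in Intel's release for this CPU.
microcode_file() {
    printf 'intel-ucode/%s\n' "$(decode_signature "$1")"
}

# Stand-alone demonstration on the constructed sample.
sample_sig=$(printf '%s' "$SAMPLE_CPUID_OUTPUT" | cpuid_signature)
printf 'signature %s -> %s\n' "$sample_sig" "$(microcode_file "$sample_sig")"
```

The printed file name is what to look for in the Intel download's `intel-ucode/` directory to confirm a release actually carries microcode for the local CPU.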

2.1.3 sys-firmware/intel-microcode
There's an update from Intel (https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214). There are more processors listed there than on this wiki page. Is this list obsolete and should it be updated?

CVE-2017-5715
Apparently CVE-2017-5715 is NOT fixed in the listed kernels (at least not 4.14.13). The page should clarify this. Ideally the kernel config option for mitigating Meltdown should be documented as well. --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Chromium/Chrome
AFAIK, chrome://flags/#enable-site-per-process should be turned on in Chromium/Chrome to mitigate some form of Spectre. I suggest documenting this (and any other mitigations needed). --Luke-jr (talk) 01:50, 11 January 2018 (UTC)

Tuning security options
It seems RHEL docs suggest different kernel boot options for Spectre mitigations: https://access.redhat.com/articles/3311301 --Pacho (talk) 09:04, 15 January 2018 (UTC)