Upgrade kernel compiler to GCC 7. #34385
Conversation
pkgs/top-level/all-packages.nix
Outdated
| @@ -13158,7 +13160,9 @@ with pkgs; | |||
|
|
|||
| # A function to build a manually-configured kernel | |||
| linuxManualConfig = pkgs.buildLinux; | |||
| buildLinux = makeOverridable (callPackage ../os-specific/linux/kernel/manual-config.nix {}); | |||
| buildLinux = makeOverridable (callPackage ../os-specific/linux/kernel/manual-config.nix { | |||
| buildPackages = buildPackages // { stdenv = overrideCC buildPackages.stdenv gcc7; }; | |||
There was a problem hiding this comment.
Please add a comment here, why gcc7 is required.
This makes it easier to remove this line later, when gcc7 becomes default or is superseded by newer versions.
|
I'm still hoping we can make gcc7 the default really soon so we don't have to add this hack. But if we can't make it for 18.03, this will come in handy. The other question is if we should backport this to 17.09. Then pushing this hack and gcc 7.3.0 to 17.09 is probably the easiest thing to do. |
clefru
force-pushed
the
gcc7-kernel
branch
2 times, most recently
from
957fdd0
to
f5a3c19
Compare
pkgs/top-level/all-packages.nix
Outdated
| @@ -12970,10 +12970,12 @@ with pkgs; | |||
| for a specific kernel. This function can then be called for | |||
| whatever kernel you're using. */ | |||
|
|
|||
| linuxPackagesFor = kernel: lib.makeExtensible (self: with self; { | |||
| linuxPackagesFor = kernel: let stdenvKernelCc = overrideCC stdenv kernel.buildCc; | |||
There was a problem hiding this comment.
I haven't found a better way to express that other than with introducing a "let" here.
There was a problem hiding this comment.
What about just stdenv = overrideCC pkgs.stdenv kernel.buildCc;?
|
@fpletz if so, this should start soon. I expect breakage again with |
|
I ran the kernel-lts, kernel-latest and installer.simple tests. All succeed with a gcc7-compiled retpoline kernel. So, functionality-wise this PR can go in. If somebody has style comments, please add them. Should we switch to gcc7 in general, only the last commit needs to be rolled-back. Using the kernel compiler for kernel module compilation should stay, as this is a sane thing to do. |
| @@ -12974,6 +12974,7 @@ with pkgs; | |||
| callPackage = newScope self; | |||
|
|
|||
| inherit kernel; | |||
| stdenv = overrideCC pkgs.stdenv kernel.buildCc; | |||
There was a problem hiding this comment.
@aszlig: I switched to the form you suggested. I also squashed commit 1+2 together as commit 2 became trivial.
|
@Mic92 There's already a branch and a hydra jobset. The efforts are going on for a while now and it looks pretty good: https://hydra.nixos.org/jobset/nixos/gcc-7 |
|
This is security problem. Can we get this merged soon? Then backport to 17.09. Then we can merge the gcc-7 branch into master, and rollback the last commit in master, leaving 17.09 with the backport. |
|
Yes, I agree, do this now and revert later. The gcc7 branch will probably need some additional work (I see ~1.5k build regressions on Linux platforms ATM), and this PR is relatively cheap rebuild-wise. Last call! |
|
BTW, this will need nontrivial backporting work for 17.09, and we won't have gcc7 by default there. |
|
At the risk of being annoying, this 1.severity: security PR is still open. It puts the kernel in the default state under gcc 7.3, which is retpoline enabled, which is what the kernel devs thought would be a good default despite the performance regressions. |
|
IMHO we should not backport this to 17.09. Switching compilers is far outside of the scope of a "stable" branch. |
|
@edolstra: the intention was to backport compiler change only for kernel and its modules, not for all packages (I assume that's what you understood). |
Motivation for this change
Kernel spectre v2 hardening, see
#34383
Things done
modinfo zfsshowsvermagic: 4.14.15 SMP mod_unload retpoline.grep . /sys/devices/system/cpu/vulnerabilities/*:This is only PR is only for discussion. I found the use of stdenvKernelCc a bit ugly, but couldn't find a more idiomatic expression.
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)