The 4.4.14 has a number of important fixes/additions:
- New support for retpolines (enabled but requires newer gcc
to take advantage of). This provides mitigation for Spectre
style attacks.
- Various KPTI fixes including fixes for EFI booting
- More eBPF fixes around out-of-bounds and overflow of
maps. These were used for variant 1 of CVE-2017-5753.
- Several KVM related to CVE-2017-5753, CVE-2017-5715,
CVE-2017-17741.
- New sysfs interface listing vulnerabilities:
/sys/devices/system/cpu/vulnerabilities
The 4.9.77 kernel also has seems to have most/all of the above
back-ported.
See https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/
for more details on the Spectre mitigation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This package is primarily for users of custom or foreign
kernels which may have drivers enabled for which the
'firmware' package does not contain the firmware blobs.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This new 'firmware' package contains the firmware blobs required
by the device drivers in a LinuxKit kernel. The list of required
blobs is determined by calling 'modinfo' on each module.
We also unconditionally include the AMD CPU microcode and the
licence files.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
go_vet (via https://goreportcard.com/report/github.com/linuxkit/linuxkit)
reported:
error: missing argument for Printf("%v"): format reads arg 2, have only 1 args (vet)
error: wrong number of args for format in Printf call: 2 needed but 3 args (vet)
Signed-off-by: Ian Campbell <ijc@docker.com>
DOwnload and verify the Intel microcode package and convert it
to a cpio archive which can be prepended to the initrd.
It also adds the license file to the kernel package.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The iucode_tool is used to convert the Intel CPU microcode
binaries into a cpio archive. There is no alpine package
for it, so compile it from source.
This is for x86_64 only and on other archs we create a empty
file.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This is similar to ae64ab6b82 from #2849 which
did the same for runtime.mkdir.
This makes it possible to specify both host (absolute) or container (relative)
paths.
Signed-off-by: Ian Campbell <ijc@docker.com>
Pulls in:
f816553 Merge pull request #195 from ijc/prepend-rootfs-mounts
0a6d69d Prepend the rootfs mounts to the user specified runtime.mounts.
Signed-off-by: Ian Campbell <ijc@docker.com>
Will return the list of all hosts that are part of a vCenter DataCenter
and choose one at random to use.
Signed-off-by: Dan Finneran <daniel.finneran@gmail.com>
This simply starts a web server serving the specified directory.
It's useful for PXE booting.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This currently just copies the kernel/initrd to a destination
and writes the iPXE script there as well. The scheme is flexible
enough to support scp or other means for pushing in the future.
The kernel/initrd are conditionally decompressed (default for arm64).
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
