As for the "Spectre" security vulnerability, "Retpoline" was introduced to be a solution to mitigate the risk. However, I've read a post that mentioned:

If you build the kernel without CONFIG_RETPOLINE, you can't build modules with retpoline and then expect them to load — because the thunk symbols aren't exported. If you build the kernel with the retpoline though, you can successfully load modules which aren't built with retpoline. (Source)

Is there an easy and common/generic/unified way to check if the kernel is "Retpoline" enabled or not? I want to do this so that my installer can use the proper build of the kernel module to be installed.
Best Answer
If you’re using mainline kernels, or most major distributions’ kernels, the best way to check for full retpoline support (i.e. the kernel was configured with CONFIG_RETPOLINE, and was built with a retpoline-capable compiler) is to look for “Full generic retpoline” in /sys/devices/system/cpu/vulnerabilities/spectre_v2. On my system:

If you want more comprehensive tests, to detect retpolines on kernels without the spectre_v2 systree file, check out how spectre-meltdown-checker goes about things.
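The check the answer describes, turned into a small POSIX sh helper an installer could call, as an added example that is not part of the question, the answer, or spectre-meltdown-checker. Only the sysfs path and the "Full generic retpoline" wording come from the answer; the function names, exit-code convention and the modules/retpoline and modules/plain directory names are this example's own assumptions. The fallback to the plain build when the sysfs file is missing follows the quoted post: a retpoline kernel loads non-retpoline modules, but not the other way round.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Decides which module build an
# installer should use by reading the spectre_v2 sysfs file named in the answer.

SPECTRE_V2_SYSFS="/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# kernel_has_retpoline [FILE]
#   exit 0 -> kernel reports "Full generic retpoline"
#   exit 1 -> file readable but retpoline not reported
#   exit 2 -> file missing/unreadable (e.g. older kernel without the sysfs entry)
# FILE defaults to the real sysfs path; passing a file lets you test offline.
kernel_has_retpoline() {
    f="${1:-$SPECTRE_V2_SYSFS}"
    [ -r "$f" ] || return 2
    case "$(cat "$f")" in
        *"Full generic retpoline"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_spectre_v2 [FILE]: prints retpoline, no-retpoline or unknown.
# Written so it is safe under 'set -e' (a non-zero status is captured, not fatal).
classify_spectre_v2() {
    rc=0
    kernel_has_retpoline "$1" || rc=$?
    case $rc in
        0) echo retpoline ;;
        1) echo no-retpoline ;;
        *) echo unknown ;;
    esac
}

# choose_module_build [FILE]: maps the classification to a module directory.
# The directory names are an assumed convention for this example. "unknown"
# falls back to the plain build, which a retpoline kernel can still load.
choose_module_build() {
    case "$(classify_spectre_v2 "$1")" in
        retpoline) echo "modules/retpoline" ;;
        *)         echo "modules/plain" ;;
    esac
}

# Report the decision for the running kernel when executed directly.
echo "spectre_v2 status: $(classify_spectre_v2)"
echo "module build to install: $(choose_module_build)"
```

Run it with no argument to query the live kernel, or pass a file path containing sample sysfs contents to exercise each branch without root or a specific kernel.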