Date:      Tue, 6 Mar 2018 16:41:25 +0000
From:      Ed Maste <emaste@freebsd.org>
To:        freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   Call for Testing: 11.1-RELEASE Meltdown/Spectre mitigation merge
Message-ID:  <20180306164125.GA61857@freebsd.org>

Background
----------

A number of issues relating to speculative execution were found last
year and publicly announced January 3rd. A variety of techniques used to
mitigate these issues have been committed to FreeBSD-CURRENT and have
been merged to the stable/11 branch.

The changes will be merged and released as an update to FreeBSD
11.1-RELEASE in the near future, but the candidate patch is now
available for broader testing.

The patch addresses these issues:

CVE-2017-5754 (Meltdown)
------------------------

This issue relies on a speculative execution of instructions that
attempt to read kernel memory, but fault. Although the architectural
state is as expected (the faulting instruction is not retired), cache or
other microarchitectural state is changed and may be used to observe
privileged data.

The mitigation is known as Page Table Isolation (PTI). PTI largely
separates kernel and user mode page tables, so that even during
speculative execution most of the kernel's data is unmapped and not
accessible.

A demonstration of the Meltdown vulnerability is available at
https://github.com/dag-erling/meltdown. A positive result is definitive
(that is, the vulnerability exists with certainty). A negative result
indicates either that the CPU is not affected, or that the test is not
capable of demonstrating the issue on the CPU (and may need to be
modified).

CVE-2017-5715 (Spectre V2)
--------------------------

Spectre V2 uses branch target injection to speculatively execute kernel
code at an address under an attacker's control.

There are two common mitigations for Spectre V2. This patch includes a
mitigation using Indirect Branch Restricted Speculation, a feature
available via a microcode update from processor manufacturers. The
alternate mitigation, Retpoline, is a feature available in newer
compilers and is available in FreeBSD-CURRENT now. It will be made
available in stable branches in the future.

Patch
-----

The patch against 11.1-RELEASE is available at
https://people.freebsd.org/~emaste/patches/amd64_11.1_meltdown.3.patch

A patched kernel will automatically enable PTI on Intel CPUs, and the
status can be checked via the vm.pmap.pti sysctl:

# sysctl vm.pmap.pti
vm.pmap.pti: 1

The default setting can be overridden by setting loader tunable
vm.pmap.pti to 1 or 0 in /boot/loader.conf. This setting takes effect
only at boot.

The patch includes the IBRS mitigation for Spectre V2. To use the
mitigation the system must have an updated microcode; with older
microcode a patched kernel will function without the mitigation.

IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and
the status can be checked via the hw.ibrs_active sysctl. IBRS may be
enabled or disabled at runtime. Additional detail on microcode updates
will follow.

Limitations
-----------

This patch applies only to 11.1-RELEASE. It does not include mitigations
for architectures other than amd64 (x86_64). Work on other branches,
architectures and vulnerabilities is ongoing, and will be available at a
later date.

Testing
-------

We are soliciting functionality and performance results from testing
this 11.1-RELEASE patch under a variety of workloads. If you have the
ability to test, please apply the patch and run the system with your
usual workload and follow up with details, either here or directly to
me.

Benchmark data from our testing will soon be shared more widely. In
brief, the PTI mitigation shows on the order of a 30% impact on system
call microbenchmarks, to 1% to 2% for realistic workloads.

This work is supported by the FreeBSD Foundation.
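
Added example (not part of the original message, and not FreeBSD project code): a small sh script that turns the three sysctls named above into a one-line mitigation summary, including the case where the OIDs are absent because the kernel is unpatched. The state names, the sample text, and reading "hw.ibrs_active: 0 with hw.ibrs_disable: 0" as a microcode problem are assumptions made for this example.

```shell
#!/bin/sh
# Summarise PTI / IBRS state from `sysctl` output in "name: value" form.

# Constructed sample: patched kernel, IBRS not disabled, but not active.
SAMPLE='vm.pmap.pti: 1
hw.ibrs_active: 0
hw.ibrs_disable: 0'

# get_oid NAME TEXT: print the value of NAME, or nothing if it is absent.
get_oid() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# classify TEXT: print "pti=<state> ibrs=<state>".
classify() {
    pti=$(get_oid vm.pmap.pti "$1")
    active=$(get_oid hw.ibrs_active "$1")
    disable=$(get_oid hw.ibrs_disable "$1")

    case "$pti" in
        1) pti_state=enabled ;;
        0) pti_state=disabled ;;
        *) pti_state=unpatched ;;      # OID missing: kernel lacks the patch
    esac

    if [ -z "$active" ]; then
        ibrs_state=unpatched           # OID missing: kernel lacks the patch
    elif [ "$active" = 1 ]; then
        ibrs_state=active
    elif [ "$disable" = 1 ]; then
        ibrs_state=disabled-by-setting # hw.ibrs_disable sysctl or tunable
    else
        # Assumption: not disabled yet inactive means microcode without IBRS.
        ibrs_state=inactive-check-microcode
    fi
    printf 'pti=%s ibrs=%s\n' "$pti_state" "$ibrs_state"
}

# Live values on FreeBSD (unknown OIDs only produce stderr noise);
# elsewhere, fall back to the constructed sample.
if [ "$(uname -s)" = FreeBSD ]; then
    classify "$(sysctl vm.pmap.pti hw.ibrs_active hw.ibrs_disable 2>/dev/null)"
else
    classify "$SAMPLE"
fi
```

A "pti=disabled" result is not necessarily a problem: the message says PTI is enabled automatically on Intel CPUs only.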
