From: Jan Demter
To: Andrea Venturoli, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Date: Sun, 18 Mar 2018 18:54:08 +0100
Message-ID: <8deba9d2-17b5-9088-1766-42f9e334df89@demter.de>
In-Reply-To: <337d9fd4-2aa4-609a-6a00-e9ce2be599cc@netfence.it>
Hi Andrea!

On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>> # sysctl vm.pmap.pti
>> vm.pmap.pti: 1
>
> Of course I find this enabled on the Intel box and not on the AMD one,
> but... is PTI in any way affected by a microcode update from Intel?

From what I have read so far, I'm pretty certain it isn't planned or even possible to patch this via a microcode update.

>> IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the
>> status can be checked via the hw.ibrs_active sysctl.  IBRS may be enabled or
>> disabled at runtime.  Additional detail on microcode updates will follow.
>
> Neither of the two boxes seems to have this enabled; on both I see:
>> # sysctl -a|grep ibrs
>> hw.ibrs_disable: 1
>> hw.ibrs_active: 0
>
> Does this mean both machines don't have a good enough microcode, or is
> IBRS just not enabled by default?

IBRS does not seem to be enabled by default: https://reviews.freebsd.org/rS328625

"For existing processors, you need a microcode update which adds IBRS CPU features, and to manually enable it by setting the tunable/sysctl hw.ibrs_disable to 0."

> In the first case, I tried finding some information on what microcode is
> available for what CPU (I'm interested in several other ones, not only
> these two), but failed. Has anyone a pointer?

For Intel CPUs, there's this list:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

> Last question: am I right that devcpu-data is nowadays useless (read: no
> microcode update anyway) unless this update to base is also installed?

The microcode update itself will work, if that is what you meant, but just updating the microcode and not FreeBSD is useless to mitigate Spectre V2.

Hope this helps,
Jan
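The thread above boils down to reading three sysctls and interpreting them together: vm.pmap.pti for the Meltdown mitigation, and the hw.ibrs_disable / hw.ibrs_active pair for Spectre V2, where the quoted commit message says IBRS needs both microcode support and hw.ibrs_disable=0. The following script is an added example, not code from the list post or from FreeBSD: it parses `sysctl`-style "name: value" text so it can be run offline, and the sample values are constructed to match the numbers quoted in the thread, not captured from a real host. The labels it prints ("disabled-by-tunable", "no-microcode-support") are this example's own interpretation of the commit message, not kernel output.

```shell
#!/bin/sh
# Added example (not from the list post or FreeBSD): summarize the
# FreeBSD-SA-18:03 mitigation knobs from sysctl output text.
# Parsing from text keeps the script runnable offline on a captured dump.

# sysctl_value NAME TEXT: print the value from the "NAME: value" line in TEXT,
# or nothing if the knob is absent (e.g. an unpatched kernel).
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# pti_status TEXT: enabled | disabled | unknown
# vm.pmap.pti is the kernel-side Meltdown mitigation; it is independent of
# any microcode update, as the reply above notes.
pti_status() {
    case "$(sysctl_value vm.pmap.pti "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# ibrs_status TEXT: interprets the IBRS pair as described in rS328625.
#   active               -> hw.ibrs_active=1: microcode has IBRS and the kernel uses it
#   disabled-by-tunable  -> hw.ibrs_disable=1 (the default); set it to 0 to enable
#   no-microcode-support -> tunable allows IBRS, but the CPU/microcode lacks it
#   unknown              -> knobs absent
ibrs_status() {
    active=$(sysctl_value hw.ibrs_active "$1")
    disable=$(sysctl_value hw.ibrs_disable "$1")
    if [ "$active" = 1 ]; then
        echo active
    elif [ "$disable" = 1 ]; then
        echo disabled-by-tunable
    elif [ "$disable" = 0 ]; then
        echo no-microcode-support
    else
        echo unknown
    fi
}

# report TEXT: one line per mitigation.
report() {
    printf 'PTI (Meltdown):    %s\n' "$(pti_status "$1")"
    printf 'IBRS (Spectre V2): %s\n' "$(ibrs_status "$1")"
}

# Constructed samples mirroring the values quoted in the thread (not captures).
SAMPLE_INTEL='vm.pmap.pti: 1
hw.ibrs_disable: 1
hw.ibrs_active: 0'

SAMPLE_AMD='vm.pmap.pti: 0
hw.ibrs_disable: 1
hw.ibrs_active: 0'

# On a real FreeBSD host, feed live output instead:
#   report "$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active)"
report "$SAMPLE_INTEL"
```

On the Intel sample this prints PTI as enabled and IBRS as disabled-by-tunable, which is exactly the situation Andrea describes: the kernel is patched, but IBRS will only become active after a microcode update that adds the feature and after hw.ibrs_disable is set to 0.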