From owner-freebsd-security@freebsd.org Wed May 15 15:06:50 2019
Date: Wed, 15 May 2019 11:06:42 -0400
From: Mark Johnston
To: Kyle Evans
Cc: mike tancsa, "Wall, Stephen", freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds
Message-ID: <20190515150642.GA62210@raichu>
References: <20190515000302.44CBB1AB79@freefall.freebsd.org> <31b178d5-9998-d2a3-cc4c-d3f7d574743a@sentex.net>

On Wed, May 15, 2019 at 09:33:50AM -0500, Kyle Evans wrote:
> On Wed, May 15, 2019 at 8:33 AM mike tancsa wrote:
> >
> > On 5/15/2019 8:18 AM, Wall, Stephen wrote:
> > >> New CPU microcode may be available in a BIOS update from your system vendor,
> > >> or by installing the devcpu-data package or sysutils/devcpu-data port.
> > >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
> > >>
> > >> If using the package or port the microcode update can be applied at boot time
> > >> by adding the following lines to the system's /boot/loader.conf:
> > >>
> > >> cpu_microcode_load="YES"
> > >> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> > > Is this applicable in a virtualized environment, or only on bare metal?
> > > If not applicable in a VM, is it at least harmless?
> > >
> >
> > Actually, just tried this on RELENG_11 (r347613) and I get
> >
> > don't know how to load module '/boot/firmware/intel-ucode.bin'
> >
> > In boot/loader.conf I have
> >
> > cpu_microcode_load="YES"
> > cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> >
> > # ls -l /boot/firmware/intel-ucode.bin
> > -rw-r--r--  1 root  wheel  uarch  2571264 May 15 08:47 /boot/firmware/intel-ucode.bin
> >
> > # sha256 /boot/firmware/intel-ucode.bin
> > SHA256 (/boot/firmware/intel-ucode.bin) = 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc
> >
>
> r337715 + r337716 were responsible for making this work, and they've
> not yet been MFC'd as far as I can tell. CC markj@, because that's
> probably good to sneak in soon.

I'm working on this.  In any case, 11.2 doesn't have and won't get
boot-time microcode update support, so an updated SA with instructions
for 11 will be released shortly.
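The thread shows the loader knob silently failing on 11 ("don't know how to load module"), so the useful follow-up check is whether the microcode is actually running, independent of how it was loaded. The sh script below is an added example, not part of the thread or of the advisory, and not the devcpu-data port's code. It reads CPUID leaf 7 and MSR 0x8b (IA32_BIOS_SIGN_ID) through cpucontrol(8) from cpuctl(4); the exact "cpuid level ..." / "MSR ..." output layouts it parses are assumptions about cpucontrol's formatting, and the sample lines are constructed, not captured from a real host, so the script can be run anywhere.

```sh
#!/bin/sh
# Added example, not from the thread: check whether the Intel microcode
# update the advisory asks for is actually running, using cpucontrol(8)
# from cpuctl(4).  Assumptions: the "cpuid level ..." and "MSR ..." line
# layouts below match cpucontrol -i / -m output, and the sample lines are
# constructed rather than captured from a real machine.

# "cpuid level 0x7: EAX EBX ECX EDX"  ->  1 if CPUID.(7,0):EDX bit 10
# (MD_CLEAR: VERW flushes the CPU buffers) is set, else 0.  The MDS
# microcode advertises this bit; without it the VERW mitigation is a no-op.
md_clear_from_cpuid_line() {
    edx=${1##* }                    # last field of the line is EDX
    echo $(( ($edx >> 10) & 1 ))
}

# "MSR 0x8b: HIGH LOW"  ->  running microcode revision.  IA32_BIOS_SIGN_ID
# (MSR 0x8b) carries the revision in its high 32 bits.
ucode_rev_from_msr_line() {
    set -- $1                       # split into fields: MSR 0x8b: HIGH LOW
    printf '0x%x\n' "$(( $3 ))"
}

# On a FreeBSD host with /dev/cpuctl0 (kldload cpuctl) read the real values;
# elsewhere fall back to the constructed samples so the parsing still runs.
mds_ucode_report() {
    if [ -c /dev/cpuctl0 ] && command -v cpucontrol >/dev/null 2>&1; then
        cpuid7=$(cpucontrol -i 7 /dev/cpuctl0)
        msr8b=$(cpucontrol -m 0x8b /dev/cpuctl0)
        mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null || echo n/a)
    else
        # constructed sample output, not from a real host
        cpuid7='cpuid level 0x7: 0x00000000 0x029c6fbf 0x00000000 0xbc000400'
        msr8b='MSR 0x8b: 0x000000b4 0x00000000'
        mds_state='n/a (not FreeBSD)'
    fi
    echo "microcode revision  : $(ucode_rev_from_msr_line "$msr8b")"
    echo "MD_CLEAR (CPUID 7)  : $(md_clear_from_cpuid_line "$cpuid7")"
    echo "hw.mds_disable_state: $mds_state"
}

mds_ucode_report
```

Compare the printed revision against the one the loaded microcode file should carry (the new revision also appears in dmesg when the update is applied), and treat MD_CLEAR=0 as "the old microcode is still running". On a release such as 11.2 that lacks the loader path, the same sysutils/devcpu-data port ships an rc.d script (microcode_update_enable="YES" in rc.conf, which drives cpucontrol -u) that applies the update early in boot instead; that route is the port's documented behaviour, not something the thread itself states.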