Date: Sat, 21 Sep 2024 13:00:08 GMT
From: Warner Losh <imp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: b15aff050530 - main - mitigations.7: explain installing firmware + spdx
Message-ID: <202409211300.48LD08pV097595@gitrepo.freebsd.org>
The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=b15aff050530a791262e166ee0c8fed3a118e7d6 commit b15aff050530a791262e166ee0c8fed3a118e7d6 Author: Alexander Ziaee <concussious@runbox.com> AuthorDate: 2024-09-15 01:23:52 +0000 Commit: Warner Losh <imp@FreeBSD.org> CommitDate: 2024-09-21 12:56:03 +0000 mitigations.7: explain installing firmware + spdx MFC after: 3 days Reported by: imp (ucode is for security) Reported by: emaste (ucode is not minix) Reported by: delphij (please ucode asap) Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/1411 --- share/man/man7/mitigations.7 | 48 +++++++++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index 75decbe2d026..fceaa21a67ea 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -1,3 +1,6 @@ +.\"- +.\" SPDX-License-Identifer: BSD-2-Clause +.\" .\" Copyright © 2023 The FreeBSD Foundation .\" .\" This documentation was written by Ed Maste <emaste@freebsd.org>, and @@ -41,6 +44,7 @@ or per-process basis, some are optionally enabled or disabled at compile time, and some are inherent to the implementation and have no controls. .Pp The following vulnerability mitigations are covered in this document: +.Pp .Bl -bullet -compact .It Address Space Layout Randomization (ASLR) @@ -59,9 +63,11 @@ Stack Overflow Protection .It Supervisor Mode Memory Protection .It -Hardware Vulnerability Mitigation Controls -.It Capsicum +.It +Firmware and Microcode +.It +Architectural Vulnerability Mitigations .El .Pp Please note that the effectiveness and availability of these mitigations may 
@@ -332,18 +338,14 @@ kernel. .Pp These features are automatically used by the kernel. There is no user-facing configuration. -.Ss Hardware vulnerability controls -See -.Xr security 7 -for more information. .\" .Ss Capsicum Capsicum is a lightweight OS capability and sandbox framework. See .Xr capsicum 4 for more information. -.Pp .Sh HARDWARE VULNERABILITY MITIGATIONS +.Ss Firmware and Microcode Recent years have seen an unending stream of new hardware vulnerabilities, notably CPU ones generally caused by detectable microarchitectural side-effects of speculative execution which leak private data from some other thread or 
@@ -351,18 +353,36 @@ process or sometimes even internal CPU state that is normally inaccessible. Hardware vendors usually address these vulnerabilities as they are discovered by releasing microcode updates, which may then be bundled into platform firmware updates -.Pq historically called BIOS updates for PCs . +.Pq historically called BIOS updates for PCs +or packages to be updated by the operating system at boot time. +.Pp +Platform firmware updates, if available from the manufacturer, +are the best defense as they provide coverage during early boot. +Install them with +.Pa sysutils/flashrom +from the +.Fx +Ports Collection. +.Pp +If platform firmware updates are no longer available, +packaged microcode is available for installation at +.Pa sysutils/cpu-microcode +and can be loaded at runtime using +.Xr loader.conf 5 , +see the package message for more details. .Pp The best defense overall against hardware vulnerabilities is to timely apply -these updates when available and to disable the affected hardware's problematic -functionalities when possible (e.g., CPU Simultaneous Multi-Threading). +these updates when available, as early as possible in the boot process, +and to disable the affected hardware's problematic functionalities when possible +(e.g., CPU Simultaneous Multi-Threading). Software mitigations are only partial substitutes for these, but they can be helpful on out-of-support hardware or as complements for just-discovered vulnerabilities not yet addressed by vendors. Some software mitigations depend on hardware capabilities provided by a microcode update. -.Pp -FreeBSD's usual policy is to apply by default all OS-level mitigations that do +.Ss Architectural Vulnerability Mitigations +.Fx Ap s +usual policy is to apply by default all OS-level mitigations that do not require recompilation, except those the particular hardware it is running on is known not to be vulnerable to .Pq which sometimes requires firmware updates , 
@@ -451,6 +471,10 @@ should be considered when configuring and deploying them in a .Fx system. .Pp +Additional mitigation knobs are listed in the +.Sx KNOBS AND TWEAKS +section of +.Xr security 7 . .Sh SEE ALSO .Xr elfctl 1 , .Xr proccontrol 1 ,
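Review bot: the SPDX tag added in the first hunk (@@ -1,3 +1,6 @@) is misspelled: `.\" SPDX-License-Identifer: BSD-2-Clause` should read `SPDX-License-Identifier`. License scanners match that token exactly, so the line as committed will not be recognized as an SPDX header; a one-word follow-up fix is needed.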
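Review bot: in the @@ -351,18 +353,36 @@ hunk the new paragraph says packaged microcode "can be loaded at runtime using .Xr loader.conf 5", which contradicts the sentence added a few lines earlier ("packages to be updated by the operating system at boot time"): settings in loader.conf take effect at boot, not at runtime. Suggest "loaded early in boot via .Xr loader.conf 5" (and name cpucontrol(8) separately if runtime loading is also meant). The condition "If platform firmware updates are no longer available" also undersells the package, since the very next paragraph argues for applying updates "as early as possible in the boot process" regardless; packaged microcode complements firmware updates rather than replacing them. Finally, "Install them with .Pa sysutils/flashrom" reads as the sole method even though the same paragraph says the updates come "from the manufacturer"; "for example with" would avoid implying every platform can be flashed with flashrom.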
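Review bot: `.Sx KNOBS AND TWEAKS` in the last hunk points at a section of security(7), but mdoc(7) defines `.Sx` as a reference to a section of the same manual page, so the macro will render but cannot resolve as a cross-reference. Writing the heading as plain text, e.g. "the KNOBS AND TWEAKS section of .Xr security 7", keeps the pointer without the macro misuse.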