Date: Mon, 8 Jan 2018 09:57:51 -0800
From: Gordon Tetlow
To: freebsd-security@freebsd.org
Subject: Response to Meltdown and Spectre
Message-ID: <20180108175751.GH9701@gmail.com>

By now, we're sure most everyone has heard of the Meltdown and Spectre attacks. If not, head over to https://meltdownattack.com/ and get an overview. Additional technical details are available from Google Project Zero:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

The FreeBSD Security Team was notified of the issue in late December and received a briefing under NDA with the original embargo date of January 9th. Since we received relatively late notice of the issue, our ability to provide fixes is delayed.

Meltdown (CVE-2017-5754)
~~~~~~~~~~~~~~~~~~~~~~~~

In terms of priority, the first step is to mitigate against the Meltdown attack (CVE-2017-5754, cited as variant 3 by Project Zero).
Work for this is ongoing, but due to the relatively large changes needed, this is going to take a little while. We are currently targeting patches for amd64 being dev complete this week with testing probably running into next week. From there, we hope to give it a short bake time before pushing it into the 11.1-RELEASE branch. Additional work will be required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE.

The code will be selectable via a tunable which will automatically turn on for modern Intel processors and off for AMD processors (since they are reportedly not vulnerable). Since the fix for Meltdown does incur a performance hit for any transition between user space and kernel space, this could be rather impactful depending on the workload. As such, the tunable can also be overridden by the end-user if they are willing to accept the risk.

Initial work can be tracked at https://reviews.freebsd.org/D13797. Please note this is a work in progress and some stuff is likely to be broken.

Spectre (CVE-2017-5753 and CVE-2017-5715)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When it comes to the Spectre vulnerabilities, it is much harder to sort these out. Variant 1 (CVE-2017-5753) is going to require some static analysis to determine vulnerable use cases that will require barriers to stop speculation from disclosing information it shouldn't. While we haven't done the analysis to determine where we are vulnerable, the number of cases here is supposed to be pretty small. Apparently there have been some Coverity rules developed to help look for these, but we are still evaluating what can be done here.

The other half of Spectre, variant 2 (CVE-2017-5715), is a bit trickier as it affects both normal processes and bhyve. There is a proposed patch for LLVM (https://reviews.llvm.org/D41723) that introduces a concept called 'retpoline' which mitigates this issue. We are likely to pull this into HEAD and 11-STABLE once it hits the LLVM tree.
Unfortunately, the currently supported FreeBSD releases are using older versions of LLVM for which we are not sure the LLVM project will produce patches. We will be looking at the feasibility of backporting these patches to these earlier versions.

There are CPU microcode fixes coming out which, in concert with OS changes, would also help, but that's a bit down the road at the moment.

If anything significantly changes I will make additional posts to clarify as the information becomes available.

Best regards,
Gordon Tetlow
with security-officer hat on
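The kind of variant 1 use case the message says kernel code must be audited for, shown beside the same code with the speculation barrier it mentions, as an added C illustration that is not part of the original post or of FreeBSD's code. The table contents are constructed; lfence is used on x86 and a plain compiler barrier is assumed as a stand-in elsewhere.

```c
#include <stddef.h>
#include <stdint.h>

/* Speculation barrier. On x86 lfence waits for earlier instructions (here the
 * bounds check) to complete before later ones execute. Other architectures
 * need their own instruction; the fallback below is only a compiler barrier
 * and is an assumption made so this illustration builds everywhere. */
#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

#define TABLE_SIZE 8
/* Constructed sample table standing in for a kernel array indexed by a value
 * that untrusted code controls (a syscall argument, for instance). */
static const uint8_t table[TABLE_SIZE] = {10, 20, 30, 40, 50, 60, 70, 80};
static uint8_t probe[256 * 64];  /* second array: the line touched depends on table[idx] */
static volatile uint8_t sink;    /* keeps the dependent load from being optimised away */

/* Variant 1 use case: the bounds check is architecturally correct, but while
 * the branch is still being predicted the CPU may run both loads speculatively
 * with an out-of-bounds idx, so the cache line of probe that gets filled
 * encodes a byte from outside the table. */
int lookup_unguarded(size_t idx)
{
    if (idx < TABLE_SIZE) {
        uint8_t v = table[idx];
        sink = probe[v * 64];    /* dependent access driven by the loaded value */
        return v;
    }
    return -1;
}

/* Same logic with the barrier placed directly after the check: execution
 * cannot proceed past it until the check has resolved, so no out-of-bounds
 * load is ever issued. The architectural result is identical to the version
 * above, which is why testing cannot find these cases and the message calls
 * for static analysis instead. */
int lookup_guarded(size_t idx)
{
    if (idx < TABLE_SIZE) {
        SPEC_BARRIER();
        uint8_t v = table[idx];
        sink = probe[v * 64];
        return v;
    }
    return -1;
}
```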