From: Peter
Subject: Re: Disabling speculative execution mitigations
Date: Sat, 07 Dec 2019 01:02:59 +0100
To: freebsd-stable@FreeBSD.ORG

On Fri, 06 Dec 2019 06:21:04 +0100, O'Connor, Daniel wrote:

> vm.pmap.pti="0" # Disable page table isolation
> hw.ibrs_disable="1" # Disable Indirect Branch Restricted Speculation
> hw.mds_disable="0" # Disable Microarchitectural Data Sampling flush
> hw.vmm.vmx="1" # Don't flush RSB on vmexit (presumably only affects bhyve etc)
> hw.lazy_fpu_switch="1" # Lazily flush FPU
>
> Does anyone know of any others?

hw.spec_store_bypass_disable=2

I have that on 11.3 (no idea yet about 12).

And honestly, I lost track of which of these should be on, off, automatic, opaque or elsewhere to achieve either performance or security (not to mention for which cores and under which circumstances it would matter, and what the impact might be), and my oracle says this will not end with these.