Date: Tue, 16 Jan 2018 12:49:52 -0500
From: Shawn Webb
To: Cy Schubert
Cc: "freebsd-security@freebsd.org"
Subject: Re: VMware pulling Intel specter patches

On Tue, Jan 16, 2018 at 09:18:47AM -0800, Cy Schubert wrote:
> Might we be jumping the gun with updated firmware in devcpu-data?
>
> https://www.reddit.com/r/sysadmin/comments/7qjnfx/vmware_pulled_spectre_patches_on_friday/

From what I understand, the new Intel microcode only makes sense if
retpoline is used. On Skylake and above, retpoline by itself isn't
100% effective against Spectre. On those systems, retpoline requires
the new Intel microcode update along with enabling the new IBRS
feature that comes with it. Simply updating the microcode on Intel
systems doesn't really do much on its own.

Granted, I could have misread and be completely wrong. Please let me
know if I am.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE