From owner-freebsd-questions@freebsd.org Mon Jan 8 18:11:42 2018
Subject: Re: Meltdown – Spectre
To: Aryeh Friedman, Baho Utot
Cc: FreeBSD Mailing List
References: <3AECDC7F-8838-4C09-AC7F-117DFBAA326C@sigsegv.be> <20180108085756.GA3001@c720-r314251> <48211515-cc6b-522b-ccd2-4d0c1f6a2072@columbus.rr.com>
From: Valeri Galtsev
Date: Mon, 8 Jan 2018 12:11:40 -0600

On 01/08/18 06:37, Aryeh Friedman wrote:
> On Mon, Jan 8, 2018 at 7:28 AM, Baho Utot wrote:
>
>> On 1/8/2018 4:15 AM, Aryeh Friedman wrote:
>>
>>> On Mon, Jan 8, 2018 at 3:57 AM, Matthias Apitz wrote:
>>>
>>>> As a side note, and not related to FreeBSD: My Internet server is run by
>>>> some webhosting company (www.1blu.de), they use Ubuntu servers and since
>>>> yesterday they have shut down SSH access to the servers, arguing that
>>>> they want to protect my (all's) servers against attacks of Meltdown and Spectre.
>>>>
>>>> Imagine, next time we have to shut down all IoT gadgets...
>>>
>>> Not always possible for things like medical test equipment/devices. For
>>> example I maintain a specialized EMR for interacting with Dr.-prescribed
>>> remote cardiac monitors. Having those offline is not an option since
>>> they are used to detect if the patient needs something more serious like a
>>> pacemaker (also almost always an IoT device these days) surgery.
>>>
>>> The actual monitoring is done on Windows and was attacked by some
>>> ransomware via a bitcoin miner that somehow installed itself. Since
>>> all the users claim that they don't read email/upload/download executables
>>> or any other of the known attack vectors this leaves something like
>>> Meltdown or Spectre. We have also detected issues on the CentOS that has
>>> the non-medical corporate site on it. The only machine left untouched on
>>> the physical server (running some bare metal virtualization tool) is the
>>> FreeBSD machine that runs the actual EMR we wrote.
>>>
>>> TL;DR -- It seems Linux and Windows already have issues with these holes
>>> but I have seen little to no evidence that FreeBSD (when run as a host) does.
>>> In general whenever any virtualization issue (like the bleed-through on
>>> Qemu last year) comes up FreeBSD is the one OS that seems to be immune
>>> (thanks to good design of the OS and bhyve). This is the main reason why
>>> I chose FreeBSD over Linux as the reference host for PetiteCloud.
>>>
>> This is not operating system specific, read the papers on these two. It
>> attacks the CPU, usually through a JIT.
>
> Please learn a little OS design theory before making insane claims.
> Specifically it *ONLY* affects OSes that rely on the specific CPU
> architecture (vs. a generic one). Namely if you strictly partition the
> page table between userland and kernel space (which xxxBSD has always done
> and Linux has not) and don't use any CPU specific instructions to do so
> (except for protected vs. unprotected mode in the original 386 design;
> FreeBSD does not do this while yet again microslut and linux do).
>
> For more info go read the more technical thread than here in -hackers@ and
> -current@.

Thanks, Aryeh! Your posts made my day today.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++