From: Andrea Venturoli
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Date: Fri, 16 Mar 2018 17:11:47 +0100
Message-ID: <337d9fd4-2aa4-609a-6a00-e9ce2be599cc@netfence.it>
In-Reply-To: <20180314042924.E880D1128@freefall.freebsd.org>

On 03/14/18 05:29, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-18:03.speculative_execution Security Advisory
> ...

Hello.

After upgrading two machines (one with an AMD Phenom II X4 925, the other with a Pentium 987), I'd like to get just a couple of confirmations...

> # sysctl vm.pmap.pti
> vm.pmap.pti: 1

Of course I find this enabled on the Intel box and not on the AMD one, but... is PTI in any way affected by a microcode update from Intel?

> The patch includes the IBRS mitigation for Spectre V2. To use the mitigation
> the system must have an updated microcode; with older microcode a patched
> kernel will function without the mitigation.
>
> IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the
> status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or
> disabled at runtime. Additional detail on microcode updates will follow.

Neither of the two boxes seems to have this enabled; on both I see:

> # sysctl -a|grep ibrs
> hw.ibrs_disable: 1
> hw.ibrs_active: 0

Does this mean both machines don't have a good enough microcode, or is IBRS just not enabled by default?

In the first case, I tried finding some information on what microcode is available for what CPU (I'm interested in several other ones, not only these two), but failed. Has anyone a pointer?

Last question: am I right that devcpu-data is nowadays useless (read: no microcode update anyway) unless this update to base is also installed?

bye & Thanks
av.
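
Added example, not part of the original message or of the advisory: a small sh function that reads the three sysctl values discussed above and separates "IBRS switched off by hw.ibrs_disable" from "IBRS requested but not in effect". The function names and state labels are invented for this example, and reading `hw.ibrs_disable: 0` with `hw.ibrs_active: 0` as missing microcode support is an assumption drawn from the quoted advisory text.

```shell
#!/bin/sh
# Input: "name: value" lines as printed by
#   sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active
# Output: one line "pti=<state> ibrs=<state>" (labels are this example's own).

# get_oid NAME TEXT -> value of NAME in TEXT, empty if the OID is absent
get_oid() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

classify_mitigations() {
    text=$1
    pti=$(get_oid vm.pmap.pti "$text")
    dis=$(get_oid hw.ibrs_disable "$text")
    act=$(get_oid hw.ibrs_active "$text")

    case $pti in
        1) pti_state=on ;;
        0) pti_state=off ;;
        *) pti_state=unknown ;;   # OID absent from the input
    esac

    # hw.ibrs_disable is the administrator's request,
    # hw.ibrs_active is the status the kernel reports.
    case "$dis/$act" in
        */1) ibrs_state=active ;;
        1/0) ibrs_state=disabled-by-sysctl ;;        # tells nothing about microcode
        0/0) ibrs_state=requested-but-unavailable ;; # assumption: microcode lacks IBRS
        *)   ibrs_state=unknown ;;
    esac

    echo "pti=$pti_state ibrs=$ibrs_state"
}

# Constructed sample using the values posted above for the Intel box.
SAMPLE='vm.pmap.pti: 1
hw.ibrs_disable: 1
hw.ibrs_active: 0'

# On a patched FreeBSD host, pass live values instead:
#   classify_mitigations "$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null)"
classify_mitigations "$SAMPLE"
```
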