Date: Fri, 16 Mar 2018 15:52:49 -0700
From: Gordon Tetlow <gordon@tetlows.org>
To: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Message-ID: <CAKghNw1ApNsawJ8ZksMvHFDJ%2B5RnW-9JhoYwFo5xmHhG092YWg@mail.gmail.com>
In-Reply-To: <20180314042924.E880D1128@freefall.freebsd.org>
References: <20180314042924.E880D1128@freefall.freebsd.org>
I want to send a follow-up on what's going on with Spectre/Meltdown. I know we have been pretty silent on this recently as the work has been ongoing in the background.

Info about the current patch
============================

What we have so far is CURRENT, 11-STABLE, and 11.1-RELEASE on amd64 now covered with Meltdown. No user interaction is needed to use PTI as it is on by default. If you don't want to pay the performance cost, you should put vm.pmap.pti=0 into your loader.conf.

Spectre V2 coverage requires work on the user to enable. This isn't clear in the SA, so I will likely issue a revision to show what is needed. Spectre V2 is mitigated via IBRS if the user has all of the following:

- Installed the 11.1-RELEASE-p8 update
- Installed an updated microcode for the CPU to support IBRS
- Changed the sysctl hw.ibrs_disable to 0

The microcode can be installed either via a BIOS update (assuming your manufacturer has issued one including updated microcode) or via the sysutils/devcpu-data port/pkg. This was just updated to 1.16 to include the required microcode for many microarchitectures (but not all). The only way to tell for sure is to look at dmesg for:

  Structured Extended Features3

which should contain IBPB and STIBP if the CPU supports IBRS. If all of these conditions are true, check the sysctl hw.ibrs_active to see if IBRS is turned on.

IBRS is only one way to mitigate the Spectre V2 variant. The other, more preferable way, called retpoline, has less performance impact on the system than IBRS. However, the changes are all in the compiler, which have yet to be backported and tested with the versions of clang in 11.x and 10.x. We wanted to get something out to allow our users to protect themselves while the retpoline patches are finalized.

Bear in mind IBRS may have a significant impact on system performance depending on your CPU family and workload. Users should test to decide if enabling IBRS makes sense for their workload and tolerance for risk.
The plan for 10.x
=================

As cited in the advisory, we are working on porting the changes to 10.x for amd64. Due to the changes in the vm system between 10.x and 11.x this is a fair bit of work.

The plan for i386
=================

i386 is delayed as the changes needed to support PTI are more complicated than they were on amd64. There is a high likelihood we will fix this only in 11.x and the hope is to have it in place for the 11.2 release coming out this summer.

Gordon

On Tue, Mar 13, 2018 at 9:29 PM, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
> ===========================================================================
> FreeBSD-SA-18:03.speculative_execution                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Speculative Execution Vulnerabilities
>
> Category:       core
> Module:         kernel
> Announced:      2018-03-14
> Credits:        Jann Horn (Google Project Zero); Werner Haas, Thomas
>                 Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
>                 Stefan Mangard, Michael Schwarz (Graz University of
>                 Technology); Paul Kocher; Daniel Genkin (University of
>                 Pennsylvania and University of Maryland), Mike Hamburg
>                 (Rambus); Yuval Yarom (University of Adelaide and Data6)
> Affects:        All supported versions of FreeBSD.
> Corrected:      2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
>                 2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
> CVE Name:       CVE-2017-5715, CVE-2017-5754
>
> Special Note:   Speculative execution vulnerability mitigation is a work
>                 in progress. This advisory addresses the most significant
>                 issues for FreeBSD 11.1 on amd64 CPUs. We expect to update
>                 this advisory to include 10.x for amd64 CPUs. Future FreeBSD
>                 releases will address this issue on i386 and other CPUs.
>                 freebsd-update will include changes on i386 as part of this
>                 update due to common code changes shared between amd64 and
>                 i386, however it contains no functional changes for i386 (in
>                 particular, it does not mitigate the issue on i386).
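The following script is an added example and is not part of Gordon's mail or the FreeBSD advisory. It turns the checks the mail lists into a repeatable audit on an 11.1-RELEASE-p8 amd64 host: it parses the "Structured Extended Features3" dmesg line for IBPB and STIBP, reads hw.ibrs_disable and hw.ibrs_active to classify the Spectre V2 state, and reads vm.pmap.pti for Meltdown. The function names and the sample dmesg text are this example's own constructions; the live section runs only on FreeBSD, while the sample data lets the classification logic be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the advisory or the mail): summarise the Meltdown and
# Spectre V2 mitigation state on FreeBSD 11.1-p8 amd64 from the inputs the mail names:
#   - the "Structured Extended Features3" dmesg line (IBPB and STIBP present => microcode supports IBRS)
#   - sysctl hw.ibrs_disable and hw.ibrs_active
#   - sysctl vm.pmap.pti
# Function names and the sample dmesg text are constructed for this example.

# cpu_supports_ibrs DMESG_TEXT
# Returns 0 when the Features3 line lists both IBPB and STIBP, 1 otherwise.
cpu_supports_ibrs() {
    line=$(printf '%s\n' "$1" | grep 'Structured Extended Features3' | head -n 1)
    [ -n "$line" ] || return 1
    # Both flags must be present; their order inside the angle brackets does not matter.
    case "$line" in
        *IBPB*) ;;
        *) return 1 ;;
    esac
    case "$line" in
        *STIBP*) return 0 ;;
        *) return 1 ;;
    esac
}

# spectre_v2_status IBRS_DISABLE IBRS_ACTIVE DMESG_TEXT
# Prints one verdict derived from hw.ibrs_disable, hw.ibrs_active and the dmesg text.
spectre_v2_status() {
    disable=$1; active=$2; dmesg_text=$3
    if ! cpu_supports_ibrs "$dmesg_text"; then
        echo "no-ibrs-microcode"        # needs a BIOS update or sysutils/devcpu-data
    elif [ "$disable" != "0" ]; then
        echo "ibrs-disabled-by-sysctl"  # set hw.ibrs_disable=0 to enable
    elif [ "$active" = "1" ]; then
        echo "ibrs-active"
    else
        echo "ibrs-inactive"            # microcode present and sysctl set, but kernel did not activate IBRS
    fi
}

# meltdown_status PTI_VALUE
# vm.pmap.pti is on by default; 0 means the user opted out via loader.conf.
meltdown_status() {
    if [ "$1" = "1" ]; then echo "pti-active"; else echo "pti-disabled"; fi
}

# Constructed sample dmesg output (shape only; not captured from a real host).
SAMPLE_DMESG_WITH_IBRS='CPU: Intel(R) Xeon(R) CPU (constructed sample)
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2>
  Structured Extended Features3=0xc000000<IBPB,STIBP>'
SAMPLE_DMESG_NO_IBRS='CPU: Intel(R) Xeon(R) CPU (constructed sample)
  Structured Extended Features=0x3<FSGSBASE,TSCADJ>'

# Live check, only on a FreeBSD host. Boot messages are read from /var/run/dmesg.boot
# first, since the live dmesg ring may have rotated past the CPU identification lines.
if [ "$(uname -s)" = "FreeBSD" ]; then
    live_dmesg=$(cat /var/run/dmesg.boot 2>/dev/null || dmesg 2>/dev/null)
    echo "Spectre V2: $(spectre_v2_status "$(sysctl -n hw.ibrs_disable 2>/dev/null)" \
                                          "$(sysctl -n hw.ibrs_active 2>/dev/null)" \
                                          "$live_dmesg")"
    echo "Meltdown:   $(meltdown_status "$(sysctl -n vm.pmap.pti 2>/dev/null)")"
fi
```

The "ibrs-inactive" verdict is the one worth watching: it means every user-visible precondition from the mail is satisfied (microcode reports IBPB and STIBP, hw.ibrs_disable is 0) yet hw.ibrs_active still reads 0, so the host is not protected despite appearing configured.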