From: Walter Parker
Date: Fri, 12 Jul 2019 12:33:25 -0700
Subject: Re: freebsd-security Digest, Vol 692, Issue 4
To: freebsd-security@freebsd.org

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Jul 2019 14:16:17 +0200
> From: peter.blok@bsd4all.org
> To: Kevin , freebsd-security@freebsd.org
> Subject: Re: FreeBSD MDS Mitigation
>
> I'm sorry but if you really care about security you have to read the
> advisory and stop assuming things.
>
> For every complaint why this is disabled by default, there will be 10
> complaints why it was enabled by default and broke things.
>
> Having said this, I could see the benefit of reporting the fact that a
> certain security measure is disabled in the daily security reports, hoping
> someone reads it together with the executables that suddenly have been
> setuid for root.
>
> Peter
>
>> On 10 Jul 2019, at 18:37, Kevin via freebsd-security <freebsd-security@freebsd.org> wrote:
>>
>> Hello list. I am reading this page about FreeBSD security
>> [ https://vez.mrsk.me/freebsd-defaults.html ] and it says the Intel MDS
>> mitigation is off by default. So I tried.
>>
>> % sysctl hw.mds_disable_state
>> hw.mds_disable_state: inactive
>>
>> Now I see the instructions in the advisory, but what about anyone who
>> didn't? Or who did a new install and didn't read past advisories?
>>
>> I have an Intel CPU that is vulnerable. By applying the update and
>> installing the microcode package, I thought I was safe.
>>
>> Why? Why does FreeBSD let its users be vulnerable?

For this specific issue (Intel MDS) there are significant performance issues on older (not 8th or 9th gen) Intel processors. Also, outside of a hosting environment, exploitation and threat/risk are lower. FreeBSD uses the principle of least astonishment; a significant perf drop for systems that are not high risk would have violated this. For people tracking the HyperThreading issue, turning off HyperThreading in the hardware was suggested last year.

Walter

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
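The check Kevin ran (`sysctl hw.mds_disable_state`) and Peter's suggestion of surfacing disabled mitigations in the daily security report can be combined into a small script. The following is an added example written for this page, not code from the thread or from FreeBSD's own periodic scripts. It takes the `hw.mds_disable_state` OID and its `inactive` value from the thread; `hw.mds_disable` (the tunable the FreeBSD MDS advisory documents) and `machdep.hyperthreading_allowed` (the base-system knob that keeps the scheduler off sibling hyperthreads, relevant to Walter's HyperThreading remark) are named from the FreeBSD base system rather than from this thread. The report wording and the OK/WARN/UNKNOWN scheme are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: report the MDS and HyperThreading
# state on a FreeBSD host in a form suitable for a periodic security report.
# On a host without these OIDs (non-FreeBSD, or a kernel predating the MDS
# patch) every check reports UNKNOWN instead of failing.

# classify_mds_state VALUE
# VALUE is either the full "hw.mds_disable_state: ..." line or just the
# value from `sysctl -n`; both forms are accepted.
# Prints one report line. Returns 0 = mitigation reported active,
# 1 = reported inactive (the thread's case), 2 = unknown/empty.
classify_mds_state() {
    state="${1#hw.mds_disable_state: }"
    case "$state" in
        "")
            echo "UNKNOWN: hw.mds_disable_state returned nothing"
            return 2 ;;
        inactive)
            echo "WARN: MDS mitigation inactive (hw.mds_disable_state: inactive); see hw.mds_disable in the advisory"
            return 1 ;;
        *)
            # Any other string is the kernel naming the active method
            # (for example "VERW"); it is passed through verbatim rather
            # than interpreted, so new method names never hide a WARN.
            echo "OK: MDS mitigation active (hw.mds_disable_state: $state)"
            return 0 ;;
    esac
}

# classify_ht VALUE
# VALUE is `sysctl -n machdep.hyperthreading_allowed`: 0 means the scheduler
# does not use sibling hyperthreads, 1 means it may. Returns 0/1/2 as above.
classify_ht() {
    case "$1" in
        0) echo "OK: HyperThreading siblings not scheduled (machdep.hyperthreading_allowed=0)"
           return 0 ;;
        1) echo "INFO: HyperThreading allowed (machdep.hyperthreading_allowed=1); the thread's suggestion was disabling it in hardware"
           return 1 ;;
        *) echo "UNKNOWN: machdep.hyperthreading_allowed not available"
           return 2 ;;
    esac
}

# read_sysctl NAME: print the value, or nothing if the OID (or sysctl itself)
# is absent, so the classifiers can report UNKNOWN instead of aborting.
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || :
}

# report_all: run every check; returns 1 if anything needs attention.
report_all() {
    worst=0
    classify_mds_state "$(read_sysctl hw.mds_disable_state)" || worst=1
    classify_ht "$(read_sysctl machdep.hyperthreading_allowed)" || worst=1
    return $worst
}

report_all || :
```

Run it as `sh mds_check.sh`; on a FreeBSD host that applied the patch but left the default, the first line reads `WARN: MDS mitigation inactive ...`, which is exactly the fact Peter wanted in the daily report. The classifiers are separate from the `sysctl` calls so the report logic can be exercised with constructed values on any machine.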