Date:      Sun, 18 Mar 2018 22:47:49 -0400
From:      Ed Maste <emaste@freebsd.org>
To:        Jan Demter <jan-mailinglists@demter.de>
Cc:        Andrea Venturoli <ml@netfence.it>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Message-ID:  <CAPyFy2CGkXNW3coq_D4a1SLAuOAUh-tVb6Z7_YB1kQ0830Oo6Q@mail.gmail.com>
In-Reply-To: <8deba9d2-17b5-9088-1766-42f9e334df89@demter.de>
References:  <20180314042924.E880D1128@freefall.freebsd.org> <337d9fd4-2aa4-609a-6a00-e9ce2be599cc@netfence.it> <8deba9d2-17b5-9088-1766-42f9e334df89@demter.de>

On 18 March 2018 at 13:54, Jan Demter <jan-mailinglists@demter.de> wrote:
> Hi Andrea!
>
> On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
>>
>> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>>>
>>> # sysctl vm.pmap.pti
>>> vm.pmap.pti: 1
>>
>> Of course I find this enabled on the Intel box and not on the AMD one,
>> but... is PTI in any way affected by a microcode update from Intel?
>
> From what I have read so far, I'm pretty certain it isn't planned or even
> possible to patch this via a microcode update.

That is correct. Meltdown won't ever be fixed with a microcode update
as far as we know, and no microcode update is required for the PTI
mitigation.

There's one small wrinkle: there are some recent lower-end processors
(at least some recent Celerons) which it seems are not susceptible to
Meltdown, and after a microcode update will set a bit to indicate
this. In that case a microcode update will cause FreeBSD to switch
from enabling PTI to disabling it by default -- but that CPU is not
affected by Meltdown, with or without the update.

> IBRS does not seem to be enabled by default:
> https://reviews.freebsd.org/rS328625
> "For existing processors, you need a microcode update which adds IBRS
> CPU features, and to manually enable it by setting the tunable/sysctl
> hw.ibrs_disable to 0."

That is true. Further, we expect the compiler-based retpoline to be
the usual mitigation used for Spectre V2, for CPUs before Skylake.
Development work for this is still ongoing in -CURRENT.


