Date:      Sun, 18 Mar 2018 18:54:08 +0100
From:      Jan Demter <jan-mailinglists@demter.de>
To:        Andrea Venturoli <ml@netfence.it>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Message-ID:  <8deba9d2-17b5-9088-1766-42f9e334df89@demter.de>
In-Reply-To: <337d9fd4-2aa4-609a-6a00-e9ce2be599cc@netfence.it>
References:  <20180314042924.E880D1128@freefall.freebsd.org> <337d9fd4-2aa4-609a-6a00-e9ce2be599cc@netfence.it>

Hi Andrea!

On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>> # sysctl vm.pmap.pti
>> vm.pmap.pti: 1
> 
> Of course I find this enabled on the Intel box and not on the AMD one, 
> but... is PTI in any way affected by a microcode update from Intel?

From what I have read so far, I'm pretty certain it isn't planned or 
even possible to patch this via a microcode update.

>> IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the
>> status can be checked via the hw.ibrs_active sysctl.  IBRS may be enabled or
>> disabled at runtime.  Additional detail on microcode updates will follow.
> 
> Neither of the two boxes seems to have this enabled; on both I see:
>> # sysctl -a|grep ibrs
>> hw.ibrs_disable: 1
>> hw.ibrs_active: 0
> 
> Does this mean both machines don't have a good enough microcode, or is 
> IBRS just not enabled by default?

IBRS does not seem to be enabled by default:
https://reviews.freebsd.org/rS328625
"For existing processors, you need a microcode update which adds IBRS
CPU features, and to manually enable it by setting the tunable/sysctl
hw.ibrs_disable to 0."

> In the first case, I tried finding some information on what microcode is 
> available for what CPU (I'm interested in several other ones, not only 
> these two), but failed. Has anyone a pointer?

For Intel CPUs, there's this list:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

> Last question: am I right that devcpu-data is nowadays useless (read: no 
> microcode update anyway) unless this update to base is also installed?

The microcode update itself will work, if that is what you meant, but 
just updating the microcode and not FreeBSD is useless to mitigate 
Spectre V2.

Hope this helps,
Jan
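The checks this exchange revolves around (is PTI on, is IBRS disabled by the tunable, is it actually active), as an added example that is not part of the thread or of the FreeBSD advisory: a POSIX sh function that reads the three sysctls in the `name: value` form sysctl(8) prints and states what each combination means. One reading is an assumption rather than something the thread states: hw.ibrs_disable=0 together with hw.ibrs_active=0 is taken to mean the CPU microcode does not advertise IBRS, which follows from the commit message quoted above. The sample input is constructed to resemble the two boxes in the thread, not captured from real hosts.

```sh
#!/bin/sh
# Added example, not code from the advisory or the thread.
# On a FreeBSD host you would feed it real output:
#   sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null | interpret_mitigation_status
# To enable IBRS at runtime (needs microcode that advertises it):
#   sysctl hw.ibrs_disable=0
# and to persist it, add hw.ibrs_disable=0 to /etc/sysctl.conf
# (or hw.ibrs_disable="0" to /boot/loader.conf, since it is also a tunable).

sysctl_value() {
    # $1 = sysctl name; stdin = "name: value" lines as printed by sysctl(8).
    # Prints the value, or "absent" when the OID is not present in the input
    # (a kernel without the SA-18:03 patch has none of them; vm.pmap.pti is
    # amd64-only).
    awk -v key="$1:" '$1 == key { print $2; found = 1 }
                      END { if (!found) print "absent" }'
}

interpret_mitigation_status() {
    input=$(cat)
    pti=$(printf '%s\n' "$input" | sysctl_value vm.pmap.pti)
    ibrs_disable=$(printf '%s\n' "$input" | sysctl_value hw.ibrs_disable)
    ibrs_active=$(printf '%s\n' "$input" | sysctl_value hw.ibrs_active)

    case "$pti" in
        1) echo "PTI: on" ;;
        0) echo "PTI: off (vm.pmap.pti=0; the kernel defaults it off on CPUs it treats as unaffected, e.g. AMD)" ;;
        *) echo "PTI: sysctl absent (kernel without the SA-18:03 patch, or not amd64)" ;;
    esac

    # Order matters: the specific pairs are matched before the wildcard rows.
    case "$ibrs_disable/$ibrs_active" in
        0/1) echo "IBRS: active, Spectre V2 mitigated" ;;
        1/*) echo "IBRS: disabled by hw.ibrs_disable=1 (the default); set hw.ibrs_disable=0 to enable it" ;;
        0/0) echo "IBRS: requested but not active; assumption: microcode does not advertise IBRS, update it (devcpu-data or BIOS) and re-check hw.ibrs_active" ;;
        *)   echo "IBRS: sysctls absent; kernel predates SA-18:03, a microcode update alone does not mitigate Spectre V2" ;;
    esac
}

# Constructed input modelled on the two boxes in the thread (not real captures).
echo "Intel box:"
printf 'vm.pmap.pti: 1\nhw.ibrs_disable: 1\nhw.ibrs_active: 0\n' | interpret_mitigation_status
echo "AMD box:"
printf 'vm.pmap.pti: 0\nhw.ibrs_disable: 1\nhw.ibrs_active: 0\n' | interpret_mitigation_status
echo "Unpatched kernel:"
printf 'kern.ostype: FreeBSD\n' | interpret_mitigation_status
```

The useful check after installing the base update and microcode is the third row: set hw.ibrs_disable to 0 and read hw.ibrs_active back; if it stays 0, the running microcode is the missing piece, not the kernel.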