git: b15aff050530 - main - mitigations.7: explain installing firmware + spdx
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 21 Sep 2024 13:00:08 UTC
The branch main has been updated by imp:
URL: https://cgit.FreeBSD.org/src/commit/?id=b15aff050530a791262e166ee0c8fed3a118e7d6
commit b15aff050530a791262e166ee0c8fed3a118e7d6
Author: Alexander Ziaee <concussious@runbox.com>
AuthorDate: 2024-09-15 01:23:52 +0000
Commit: Warner Losh <imp@FreeBSD.org>
CommitDate: 2024-09-21 12:56:03 +0000
mitigations.7: explain installing firmware + spdx
MFC after: 3 days
Reported by: imp (ucode is for security)
Reported by: emaste (ucode is not minix)
Reported by: delphij (please ucode asap)
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1411
---
share/man/man7/mitigations.7 | 48 +++++++++++++++++++++++++++++++++-----------
1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7
index 75decbe2d026..fceaa21a67ea 100644
--- a/share/man/man7/mitigations.7
+++ b/share/man/man7/mitigations.7
@@ -1,3 +1,6 @@
+.\"-
+.\" SPDX-License-Identifer: BSD-2-Clause
+.\"
.\" Copyright © 2023 The FreeBSD Foundation
.\"
.\" This documentation was written by Ed Maste <emaste@freebsd.org>, and
@@ -41,6 +44,7 @@ or per-process basis, some are optionally enabled or disabled at compile time,
and some are inherent to the implementation and have no controls.
.Pp
The following vulnerability mitigations are covered in this document:
+.Pp
.Bl -bullet -compact
.It
Address Space Layout Randomization (ASLR)
@@ -59,9 +63,11 @@ Stack Overflow Protection
.It
Supervisor Mode Memory Protection
.It
-Hardware Vulnerability Mitigation Controls
-.It
Capsicum
+.It
+Firmware and Microcode
+.It
+Architectural Vulnerability Mitigations
.El
.Pp
Please note that the effectiveness and availability of these mitigations may
@@ -332,18 +338,14 @@ kernel.
.Pp
These features are automatically used by the kernel.
There is no user-facing configuration.
-.Ss Hardware vulnerability controls
-See
-.Xr security 7
-for more information.
.\"
.Ss Capsicum
Capsicum is a lightweight OS capability and sandbox framework.
See
.Xr capsicum 4
for more information.
-.Pp
.Sh HARDWARE VULNERABILITY MITIGATIONS
+.Ss Firmware and Microcode
Recent years have seen an unending stream of new hardware vulnerabilities,
notably CPU ones generally caused by detectable microarchitectural side-effects
of speculative execution which leak private data from some other thread or
@@ -351,18 +353,36 @@ process or sometimes even internal CPU state that is normally inaccessible.
Hardware vendors usually address these vulnerabilities as they are discovered by
releasing microcode updates, which may then be bundled into platform firmware
updates
-.Pq historically called BIOS updates for PCs .
+.Pq historically called BIOS updates for PCs
+or packages to be updated by the operating system at boot time.
+.Pp
+Platform firmware updates, if available from the manufacturer,
+are the best defense as they provide coverage during early boot.
+Install them with
+.Pa sysutils/flashrom
+from the
+.Fx
+Ports Collection.
+.Pp
+If platform firmware updates are no longer available,
+packaged microcode is available for installation at
+.Pa sysutils/cpu-microcode
+and can be loaded at runtime using
+.Xr loader.conf 5 ,
+see the package message for more details.
.Pp
The best defense overall against hardware vulnerabilities is to timely apply
-these updates when available and to disable the affected hardware's problematic
-functionalities when possible (e.g., CPU Simultaneous Multi-Threading).
+these updates when available, as early as possible in the boot process,
+and to disable the affected hardware's problematic functionalities when possible
+(e.g., CPU Simultaneous Multi-Threading).
Software mitigations are only partial substitutes for these, but they can be
helpful on out-of-support hardware or as complements for just-discovered
vulnerabilities not yet addressed by vendors.
Some software mitigations depend on hardware capabilities provided by a
microcode update.
-.Pp
-FreeBSD's usual policy is to apply by default all OS-level mitigations that do
+.Ss Architectural Vulnerability Mitigations
+.Fx Ap s
+usual policy is to apply by default all OS-level mitigations that do
not require recompilation, except those the particular hardware it is running on
is known not to be vulnerable to
.Pq which sometimes requires firmware updates ,
@@ -451,6 +471,10 @@ should be considered when configuring and deploying them in a
.Fx
system.
.Pp
+Additional mitigation knobs are listed in the
+.Sx KNOBS AND TWEAKS
+section of
+.Xr security 7 .
.Sh SEE ALSO
.Xr elfctl 1 ,
.Xr proccontrol 1 ,