FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

Gordon Tetlow gordon at tetlows.org
Fri Mar 16 22:52:54 UTC 2018


I want to send a follow up on what's going on with the Spectre/Meltdown. I 
know we have been pretty silent on this recently as the work has been 
ongoing in the background.

Info about the current patch
============================
What we have so far is CURRENT, 11-STABLE, and 11.1-RELEASE on amd64 now 
covered with Meltdown. No user interaction is needed to use PTI as it is on 
by default. If you don't want to pay the performance cost, you should put 
vm.pmap.pti=0 into your loader.conf.

Spectre V2 coverage requires work on the user to enable. This isn't clear 
in the SA, so I will likely issue a revision to show what is needed.

Spectre V2 is mitigated via IBRS if the user has all of the following:
- Installed the 11.1-RELEASE-p8 update
- Installed an updated microcode for the CPU to support IBRS
- Changed the sysctl hw.ibrs_disable to 0

The microcode can be installed either via a BIOS update (assuming your
manufacturer has issued one including updated microcode) or via the
sysutils/devcpu-data port/pkg. This was just updated to 1.16 to include
the required microcode for many microarchitectures (but not all).
The only way to tell for sure is to look at dmesg for:
  Structured Extended Features3
which should contain IBPB and STIBP if the CPU supports IBRS. If all of
these conditions are true, check the sysctl hw.ibrs_active to see if
IBRS is turned on.

IBRS is only one way to mitigate the Spectre V2 variant. The other more
preferable way, called retpoline, has less performance impact to the
system than IBRS. However, the changes are all in the compiler and
have yet to be backported and tested with the versions of clang in 11.x
and 10.x. We wanted to get something out to allow our users to protect
themselves while the retpoline patches are finalized. Bear in mind IBRS
may have a significant impact on system performance depending on your
CPU family and workload. Users should test to decide if enabling IBRS
makes sense for their workload and tolerance for risk.
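As an added example (not code from Gordon's post, the advisory, or the FreeBSD project), the following script audits the conditions listed above: the CPU feature line in dmesg advertising IBPB and STIBP, hw.ibrs_disable set to 0, hw.ibrs_active reporting 1, and vm.pmap.pti for Meltdown. The checks take their inputs as arguments so they can be run against captured text; the sample dmesg line and its hex value are constructed, and the live_status wrapper assumes the usual dmesg/sysctl tools on an 11.1-RELEASE-p8 amd64 host.

```shell
#!/bin/sh
# Mitigation-state audit for the Spectre V2 (IBRS) and Meltdown (PTI)
# conditions described in the post. Added example, not project code.

# $1: the "Structured Extended Features3" line from dmesg.
# Succeeds only when the microcode advertises both IBPB and STIBP.
cpu_supports_ibrs() {
    case "$1" in *"Structured Extended Features3"*) ;; *) return 1 ;; esac
    case "$1" in *IBPB*) ;; *) return 1 ;; esac
    case "$1" in *STIBP*) ;; *) return 1 ;; esac
    return 0
}

# $1: features line  $2: hw.ibrs_disable  $3: hw.ibrs_active  $4: vm.pmap.pti
# Prints one status word per mitigation; returns 0 only if both are active.
mitigation_status() {
    meltdown="pti-off"
    if [ "$4" = "1" ]; then meltdown="pti-on"; fi

    if ! cpu_supports_ibrs "$1"; then
        spectre="ibrs-unsupported"   # microcode lacks IBPB/STIBP: BIOS or devcpu-data update
    elif [ "$2" != "0" ]; then
        spectre="ibrs-disabled"      # operator still needs sysctl hw.ibrs_disable=0
    elif [ "$3" = "1" ]; then
        spectre="ibrs-active"
    else
        spectre="ibrs-inactive"      # supported and enabled, yet hw.ibrs_active is 0
    fi

    echo "meltdown=$meltdown spectre_v2=$spectre"
    if [ "$meltdown" = "pti-on" ] && [ "$spectre" = "ibrs-active" ]; then
        return 0
    fi
    return 1
}

# Live-host wrapper (assumes FreeBSD dmesg/sysctl; sysctl names are from the post).
live_status() {
    mitigation_status \
        "$(dmesg | grep 'Structured Extended Features3' | head -n 1)" \
        "$(sysctl -n hw.ibrs_disable 2>/dev/null)" \
        "$(sysctl -n hw.ibrs_active 2>/dev/null)" \
        "$(sysctl -n vm.pmap.pti 2>/dev/null)"
}

# Constructed sample dmesg line (hex value made up) for a fully patched host.
SAMPLE_FEATURES='  Structured Extended Features3=0xc000000<IBPB,STIBP>'
mitigation_status "$SAMPLE_FEATURES" 0 1 1 || echo "not fully mitigated"
```

Run `live_status` on the host itself to see which of the three conditions is still missing.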

The plan for 10.x
=================
As cited in the advisory, we are working on porting the changes to 10.x for 
amd64. Due to the changes in the vm system between 10.x and 11.x this is a 
fair bit of work.

The plan for i386
=================
i386 is delayed as the changes needed to support PTI are more
complicated than they were on amd64. There is a high likelihood we will
fix this only in 11.x and the hope is to have it in place for the 11.2
release coming out this summer.

Gordon

On Tue, Mar 13, 2018 at 9:29 PM, FreeBSD Security Advisories
<security-advisories at freebsd.org> wrote:

> ===========================================================================
> FreeBSD-SA-18:03.speculative_execution                    Security Advisory
>                                                         The FreeBSD Project
>
> Topic:        Speculative Execution Vulnerabilities
>
> Category:     core
> Module:       kernel
> Announced:    2018-03-14
> Credits:      Jann Horn (Google Project Zero); Werner Haas, Thomas
>               Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
>               Stefan Mangard, Michael Schwarz (Graz University of
>               Technology); Paul Kocher; Daniel Genkin (University of
>               Pennsylvania and University of Maryland), Mike Hamburg
>               (Rambus); Yuval Yarom (University of Adelaide and Data6)
> Affects:      All supported versions of FreeBSD.
> Corrected:    2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
>               2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
> CVE Name:     CVE-2017-5715, CVE-2017-5754
>
> Special Note: Speculative execution vulnerability mitigation is a work
>               in progress.  This advisory addresses the most significant
>               issues for FreeBSD 11.1 on amd64 CPUs.  We expect to update
>               this advisory to include 10.x for amd64 CPUs.  Future FreeBSD
>               releases will address this issue on i386 and other CPUs.
>               freebsd-update will include changes on i386 as part of this
>               update due to common code changes shared between amd64 and
>               i386, however it contains no functional changes for i386 (in
>               particular, it does not mitigate the issue on i386).

