FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

Ed Maste emaste at freebsd.org
Mon Mar 19 02:48:11 UTC 2018


On 18 March 2018 at 13:54, Jan Demter <jan-mailinglists at demter.de> wrote:
> Hi Andrea!
>
> On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
>>
>> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>>>
>>> # sysctl vm.pmap.pti
>>> vm.pmap.pti: 1
>>
>> Of course I find this enabled on the Intel box and not on the AMD one,
>> but... is PTI in any way affected by a microcode update from Intel?
>
> From what I have read so far, I'm pretty certain it isn't planned or even
> possible to patch this via a microcode update.

That is correct. Meltdown won't ever be fixed with a microcode update
as far as we know, and no microcode update is required for the PTI
mitigation.

There's one small wrinkle: there are some recent lower-end processors
(at least some recent Celerons) which it seems are not susceptible to
Meltdown, and after a microcode update will set a bit to indicate
this. In that case a microcode update will cause FreeBSD to switch
from enabling PTI to disabling it by default -- but that CPU is not
affected by Meltdown, with or without the update.

> IBRS does not seem to be enabled by default:
> https://reviews.freebsd.org/rS328625
> "For existing processors, you need a microcode update which adds IBRS
> CPU features, and to manually enable it by setting the tunable/sysctl
> hw.ibrs_disable to 0."

That is true. Further, we expect the compiler-based retpoline to be
the usual mitigation used for Spectre V2, for CPUs before Skylake.
Development work for this is still ongoing in -CURRENT.
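As an added illustration of the checks discussed in this thread (not code from the thread, from the advisory, or from FreeBSD itself), the script below reads sysctl(8)-style "name: value" lines and reports the PTI and IBRS state. vm.pmap.pti and hw.ibrs_disable are the knobs named above; hw.ibrs_active is an assumption on my part for the sysctl that reports whether IBRS actually took effect, and the sample sysctl outputs are constructed, not captured from real machines.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Reads sysctl(8)-style
# "name: value" lines on stdin and classifies the Meltdown and Spectre V2 state.
# vm.pmap.pti and hw.ibrs_disable are the knobs named in the thread; hw.ibrs_active
# is assumed here to report whether IBRS is actually in effect once the tunable
# and the microcode feature are both present (verify the name on your release).

# Print the value of one sysctl name read from stdin; prints nothing if absent.
sysctl_value() {
    awk -v key="$1" '$1 == (key ":") { print $2; exit }'
}

# audit_mitigations: read sysctl output from stdin and print one summary line:
#   meltdown=<pti_on|pti_off|unknown> spectre_v2=<ibrs_active|ibrs_disabled|ibrs_unavailable|unknown>
# Caveat from the thread: pti_off does not by itself mean the host is vulnerable.
# An AMD CPU, or a newer part whose microcode reports it as not susceptible, also
# runs with PTI off by default, and this script does not inspect the CPU model.
audit_mitigations() {
    input=$(cat)
    pti=$(printf '%s\n' "$input" | sysctl_value vm.pmap.pti)
    ibrs_disable=$(printf '%s\n' "$input" | sysctl_value hw.ibrs_disable)
    ibrs_active=$(printf '%s\n' "$input" | sysctl_value hw.ibrs_active)

    case "$pti" in
        1) meltdown=pti_on ;;
        0) meltdown=pti_off ;;
        *) meltdown=unknown ;;
    esac

    # IBRS needs both a microcode update that adds the feature and hw.ibrs_disable=0.
    if [ "$ibrs_active" = 1 ]; then
        spectre=ibrs_active
    elif [ "$ibrs_disable" = 1 ]; then
        spectre=ibrs_disabled        # the default: tunable never set to 0
    elif [ "$ibrs_disable" = 0 ]; then
        spectre=ibrs_unavailable     # admin enabled it, but microcode lacks IBRS
    else
        spectre=unknown              # knob absent: not amd64, or an older kernel
    fi
    printf 'meltdown=%s spectre_v2=%s\n' "$meltdown" "$spectre"
}

# Constructed sample outputs (not captured from real machines).
SAMPLE_INTEL_DEFAULT='vm.pmap.pti: 1
hw.ibrs_disable: 1
hw.ibrs_active: 0'
SAMPLE_INTEL_IBRS_ON='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 1'
SAMPLE_AMD='vm.pmap.pti: 0
hw.ibrs_disable: 1
hw.ibrs_active: 0'

# On a real host: sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active | audit_mitigations
printf '%s\n' "$SAMPLE_INTEL_DEFAULT" | audit_mitigations
printf '%s\n' "$SAMPLE_INTEL_IBRS_ON" | audit_mitigations
printf '%s\n' "$SAMPLE_AMD" | audit_mitigations
```

The third sample mirrors Andrea's observation above: an AMD box shows vm.pmap.pti 0 and is reported as pti_off, which is the expected state there rather than a missing mitigation, so the result has to be read together with what the CPU is.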


More information about the freebsd-security mailing list