status of Spectre / Meltdown mirigations in 2021

C

chili

Hi all,

On the subject of the various Spectre and Meltdown CPU vulnerabilities discovered in 2017-2018,

I tried to find information if FreeBSD is currently fully patched to mitigate them, but I couldn't find any answer.

(For comparison, Windows 10 and Ubuntu currently implement mitigations for all the Spectre/Meltdown variants and load updated cpu microcode when applicable).

the FreeBSD wiki page on the subject is very outdated (2018)
and it lists Spectre v.1 as unmitigated on most architectures.

Also it appears a switch to Reptoline mitigation in FreeBSD (for better performance) was being considered, but couldnt find if it was actually implemented.


Can someone shed some light ?
 
NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no loss of functionality..
noscript.net

What is it? - NoScript: Own Your Browser!

The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!
noscript.net noscript.net
Click to expand...

NoScript - No Problem.
 
chili said:
Hi all,

On the subject of the various Spectre and Meltdown CPU vulnerabilities discovered in 2017-2018,

I tried to find information if FreeBSD is currently fully patched to mitigate them, but I couldn't find any answer.
Click to expand...
Certainly not because there is no end to it. They continue to come in, new ones are regularly being found.

chili said:
/SpeculativeExecutionVulnerabilities#Vulnerability_Status_.28by_Architecture.29[/URL]

Also it appears a switch to Reptoline mitigation in FreeBSD (for better performance) was being considered, but couldnt find if it was actually implemented.
Click to expand...
Well, accidentially this may be found:

man src.conf

WITH_KERNEL_RETPOLINE
Set to enable the "retpoline" mitigation for CVE-2017-5715 in the
kernel build.

WITH_RETPOLINE
Set to build the base system with the retpoline speculative
execution vulnerability mitigation for CVE-2017-5715.
 
richardtoohey2 said:
I'm pretty sure you need to install the microcode port as per the above - but that's quite old.
Click to expand...
To get the microcode update this goes in your /etc/rc.conf file:
Code: 
microcode_update_enable="YES"

And you'll need to reboot to make it stick, I don't think rehash will do it, but wait a bit.

Then you install this program using pkg or ports:
sysutils/devcpu-data

When it's done with the installation reboot and it will update your file and CPU.

If you already had that line in /etc/rc.conf you could run this command to update it:
service microcode_update start

And don't leave 127.0.0.1 without that browser extension.
I never do...
 
PMc said:
WITH_KERNEL_RETPOLINE
Set to enable the "retpoline" mitigation for CVE-2017-5715 in the
kernel build.

WITH_RETPOLINE
Set to build the base system with the retpoline speculative
execution vulnerability mitigation for CVE-2017-5715.
Click to expand...
Thank you - so do you know if these are the defaults for FreeBSD binary downloads i.e. these mitigations will be on by default? Or do I have build my own kernel to turn them on?
 
In a nutshell, FreeBSD includes all the known mitigations, and as already pointed out, microcode updates are also required. It's been a while since I digged into the technical details, but AFAIR, there's no way to prevent all the known attacks other than disabling hyperthreading (on intel), which is why OpenBSD changed the default… of course, this instantly cuts your computing power into half.

If you're hosting virtual servers sold to customers, you should think about it ;)
 
FreeBSD has had newer patches, not sure if they all made it to 12, but I agree that wiki page needs to be updated.
 
Well, still the main issue is that there is no complete mitigation (short of disabling HT, not even sure if that's considered 100% safe, could someone enlighten me on this?)

I feel I should get my money back from intel, but won't happen ?
 
You must log in or register to reply here.
Back
Top