Jan Demter
2018-Mar-18 17:54 UTC
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
Hi Andrea!

On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>> # sysctl vm.pmap.pti
>> vm.pmap.pti: 1
>
> Of course I find this enabled on the Intel box and not on the AMD one,
> but... is PTI in any way affected by a microcode update from Intel?

From what I have read so far, I'm pretty certain it isn't planned or even possible to patch this via a microcode update.

>> IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the
>> status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or
>> disabled at runtime. Additional detail on microcode updates will follow.
>
> Neither of the two boxes seems to have this enabled; on both I see:
>> # sysctl -a|grep ibrs
>> hw.ibrs_disable: 1
>> hw.ibrs_active: 0
>
> Does this mean both machines don't have a good enough microcode or is
> just IBRS not enabled by default?

IBRS does not seem to be enabled by default: https://reviews.freebsd.org/rS328625
"For existing processors, you need a microcode update which adds IBRS CPU features, and to manually enable it by setting the tunable/sysctl hw.ibrs_disable to 0."

> In the first case, I tried finding some information on what microcode is
> available for what CPU (I'm interested in several other ones, not only
> these two), but failed. Has anyone a pointer?

For Intel CPUs, there's this list: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

> Last question: am I right that devcpu-data is nowadays useless (read no
> microcode update anyway) unless this update to base is also installed?

The microcode update itself will work, if that is what you meant, but just updating the microcode and not FreeBSD is useless to mitigate Spectre V2.

Hope this helps,
Jan
Ed Maste
2018-Mar-19 02:47 UTC
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
On 18 March 2018 at 13:54, Jan Demter <jan-mailinglists at demter.de> wrote:
> Hi Andrea!
>
> On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
>>
>> On 03/14/18 05:29, FreeBSD Security Advisories wrote:
>>>
>>> # sysctl vm.pmap.pti
>>> vm.pmap.pti: 1
>>
>> Of course I find this enabled on the Intel box and not on the AMD one,
>> but... is PTI in any way affected by a microcode update from Intel?
>
> From what I have read so far, I'm pretty certain it isn't planned or even
> possible to patch this via a microcode update.

That is correct. Meltdown won't ever be fixed with a microcode update as far as we know, and no microcode update is required for the PTI mitigation.

There's one small wrinkle: there are some recent lower-end processors (at least some recent Celerons) which it seems are not susceptible to Meltdown, and after a microcode update will set a bit to indicate this. In that case a microcode update will cause FreeBSD to switch from enabling PTI to disabling it by default -- but that CPU is not affected by Meltdown, with or without the update.

> IBRS does not seem to be enabled by default:
> https://reviews.freebsd.org/rS328625
> "For existing processors, you need a microcode update which adds IBRS
> CPU features, and to manually enable it by setting the tunable/sysctl
> hw.ibrs_disable to 0."

That is true. Further, we expect the compiler-based retpoline to be the usual mitigation used for Spectre V2, for CPUs before Skylake. Development work for this is still ongoing in -CURRENT.
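The three sysctls the thread keeps coming back to (vm.pmap.pti, hw.ibrs_disable, hw.ibrs_active) are easy to misread, as Andrea's question shows. The script below is an added example, not code from the thread or from FreeBSD: it interprets a set of readings and distinguishes "IBRS is off by default" from "the microcode cannot do IBRS", assuming the 0/1 values are what `sysctl -n` prints.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. It interprets
# the three sysctls named in the advisory; the 0/1 values are assumed to
# be what `sysctl -n` prints for them.

# spectre_status PTI IBRS_DISABLE IBRS_ACTIVE
# Prints one line per mitigation. Returns 0 when both Meltdown (PTI) and
# Spectre V2 (IBRS) are mitigated, 1 when at least one is not.
spectre_status() {
    pti="$1"; ibrs_disable="$2"; ibrs_active="$3"
    rc=0

    # Meltdown: PTI is a pure kernel change and needs no microcode.
    if [ "$pti" = "1" ]; then
        echo "PTI: enabled (Meltdown mitigated by the kernel)"
    else
        echo "PTI: disabled (expected on AMD or on a CPU the kernel knows is unaffected; otherwise Meltdown is unmitigated)"
        rc=1
    fi

    # Spectre V2 via IBRS: hw.ibrs_disable is what you asked for,
    # hw.ibrs_active is what the CPU and microcode actually gave you.
    if [ "$ibrs_active" = "1" ]; then
        echo "IBRS: active"
    elif [ "$ibrs_disable" = "1" ]; then
        echo "IBRS: off (default); set hw.ibrs_disable=0 and re-read hw.ibrs_active to learn whether the microcode supports it"
        rc=1
    else
        echo "IBRS: requested (hw.ibrs_disable=0) but not active: the microcode does not provide IBRS"
        rc=1
    fi
    return "$rc"
}

# Read live values on a FreeBSD host. Returns 2 where the sysctls do not
# exist (another OS, or a kernel without the advisory's patch).
check_live() {
    pti=$(sysctl -n vm.pmap.pti 2>/dev/null) || return 2
    dis=$(sysctl -n hw.ibrs_disable 2>/dev/null) || return 2
    act=$(sysctl -n hw.ibrs_active 2>/dev/null) || return 2
    spectre_status "$pti" "$dis" "$act"
}

# Constructed sample: the readings Andrea reported for his Intel box.
spectre_status 1 1 0 || echo "=> not fully mitigated (exit status $?)"
```

Run `check_live` on the box itself to use real readings instead of the constructed sample.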
Andrea Venturoli
2018-Mar-19 10:28 UTC
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
On 03/18/18 18:54, Jan Demter wrote:
>> Of course I find this enabled on the Intel box and not on the AMD one,
>> but... is PTI in any way affected by a microcode update from Intel?
>
> From what I have read so far, I'm pretty certain it isn't planned or
> even possible to patch this via a microcode update.

Ok, I'm wrong then: I understood Spectre was unfixable, while Intel had provided (or was going to provide) a microcode update to patch (not mitigate) Meltdown.
Of course PTI might be a good idea in any case.

> For Intel CPUs, there's this list:
> https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

Thanks. Although I was looking for AMD mostly :)

> The microcode update itself will work, if that is what you meant, but
> just updating the microcode and not FreeBSD is useless to mitigate
> Spectre V2.

Again, my fault: the "Please update your system in order to update CPU microcode." message led me to a wrong conclusion.

bye & Thanks
av.