By now, we’re sure most everyone have heard of the Meltdown and Spectre
attacks. If not, head over to https://meltdownattack.com/ and get an
overview. Additional technical details are available from Google
Project Zero.
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
The FreeBSD Security Team was notified of the issue in late December
and received a briefing under NDA with the original embargo date of
January 9th. Since we received relatively late notice of the issue, our
ability to provide fixes is delayed.
Meltdown (CVE-2017-5754)
~~~~~~~~~~~~~~~~~~~~~~~~
In terms of priority, the first step is to mitigate against the Meltdown
attack (CVE-2017-5754, cited as variant 3 by Project Zero). Work for
this is ongoing, but due to the relatively large changes needed, this is
going to take a little while. We are currently targeting patches for
amd64 being dev complete this week with testing probably running into
next week. From there, we hope to give it a short bake time before
pushing it into the 11.1-RELEASE branch. Additional work will be
required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE.
The code will be selectable via a tunable which will automatically turn
on for modern Intel processors and off for AMD processors (since they
are reportedly not vulnerable). Since the fix for Meltdown does incur a
performance hit for any transition between user space and kernel space,
this could be rather impactful depending on the workload. As such, the
tunable can also be overridden by the end-user if they are willing to
accept the risk.
Initial work can be tracked at https://reviews.freebsd.org/D13797.
Please note this is a work in progress and some stuff is likely to be
broken.
Spectre (CVE-2017-5753 and CVE-2017-5715)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When it comes to the Spectre vulnerabilities, it is much harder to sort
these out. Variant 1 (CVE-2017-5753) is going to require some static
analysis to determine vulnerable use cases that will require barriers to
stop speculation from disclosing information it shouldn’t. While we
haven’t done the analysis to determine where we are vulnerable, the
number of cases here are supposed to be pretty small. Apparently there
have been some Coverity rules developed to help look for these, but we
are still evaluating what can be done here.
The other half of Spectre, variant 2 (CVE-2017-5715) is a bit trickier
as it affects both normal processes and bhyve. There is a proposed patch
for LLVM (https://reviews.llvm.org/D41723) that introduces a concept
called ‘retpoline’ which mitigates this issue. We are likely to pull
this into HEAD and 11-STABLE once it hits the LLVM tree. Unfortunately,
the currently supported FreeBSD releases are using older versions of
LLVM for which we are not sure the LLVM project will produce patches. We
will be looking at the feasibility to backport these patches to these
earlier versions.
There are CPU microcode fixes coming out when in concert with OS changes
would also help, but that’s a bit down the road at the moment.
If anything significantly changes I will make additional posts to
clarify as the information becomes available.
Best regards,
Gordon Tetlow
with security-officer hat on
—–BEGIN PGP SIGNATURE—–
iQGTBAABCgB9FiEEuyjUCzYO7pNq7RVv5fe8y6O93fgFAlpTsQhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEJC
MjhENDBCMzYwRUVFOTM2QUVEMTU2RkU1RjdCQ0NCQTNCRERERjgACgkQ5fe8y6O9
3fiijQf7BY4QyGyjmib2oDXVvX0pyKkGfe8RYSB0bTnUvc/SJIB/IOgd4LXA8xAy
ue76Euezh9uLwMVdppKBr9seZkfD5FWCDVgUN0fGH1QWGxCmqqA7JkeIvp0ImGpm
+Kw4Etc7kjN67vmjyJlHIwhmC26iwPS9tmdyrr4mvIDZRBP70mwjqKLcxiDHxNsP
STta0+MjAqs2feMCpI7zZd+CQI7p1FyiDU48dnnQTMIKoOxZjfDfa4Axea8JRhJA
0306c7CpUj20jVwAGHCrS3R65z8qxSbWqbyOWmIb0bDoI8q60Oi5D3lS6XkEwh/v
5duL1oOGqcUqqWWs+FU/soVEryu+SA==
=6Y+Y
—–END PGP SIGNATURE—–