From nobody Fri Oct 11 22:11:25 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XQLSF4MWtz5ZTlr; Fri, 11 Oct 2024 22:11:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XQLSF3YF5z4V8x; Fri, 11 Oct 2024 22:11:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1728684685; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iWxTH6XBAe1G5Juo4GHnrA0yY5cUpBm5RVHg/atFCpk=; b=QTxEfPh60pBzfoRSFY8oJQAKHgHldq20ebB83TKBlH/7n5T2RXUuatx2fnnOD5N9hCxpSY T16SFj0DoDmzJHsiHENUzvjiamrOYR35zmK29lGn2bGDYbX5iawN4BHB78cKHpm40qacGN J3uu/tQ3XC145eyaf+hx5sohLT2SIuu4+LIYp5cUPP3fhZTAtMDwlbGmq7t8RHcJdqjnI5 xr+8LydecbuqKfjrmjVC+kbpRjqhGPkG9eKZ9QP1W3Ws6GUcQAzsz9XXIqX9jqqR1SC1c+ QS35ABvxA3yRb/h76DML4c156POx2UPYjBWq+t5BM2W69LIJOcKDNMpSSOpQtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1728684685; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iWxTH6XBAe1G5Juo4GHnrA0yY5cUpBm5RVHg/atFCpk=; b=VgCNOUaBxFogD2KJ+wBTDFR8u9Sxk6m99pOkCF/rzQBan+1hGTppzjeMOIOpe3yf7QNGUA umb05uOc9eYQgiJbTAUzBuspZjzv2YXa/egIn/O1o2IdDoMyUgRWQZRMv0O44XZ340kl2A 
8J3N/lxx4caEU7LfO9HExQPO75keHnw3o2LuXOMpqlc0wJLyFriGPfKX+oy76vmNEHOvvc 2g8U/DrYKKezNYYaYFN2Dn5MMt/u9Z/Tig8InDIaLPyWZOUEkubhfHBHovxqGwMlPmGQkq piweeXxGkAhX7P9AeNrbaZIILCiurgapqrKAUn6Th/8wQlkuM+7B5pu690o2CA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1728684685; a=rsa-sha256; cv=none; b=vgnhMH3DBBRS+2SSMg4H+ay/GxVP7Ncm10xnCPWdl/90iji58iGicVmZ1TvJ4K8DhNIW96 zL2NRw6nU+JPrCSF982ck3eB/oHZ7S+JorfSfNlumUYyFd3jU4R4hhVE4xX+RmJmftwM0Z 9yya2IKaeiFTzcBaTat1reh7PNuRqboK+1PU6R6eekIeBBoTPI5n4wsIgoAhPv6OXMyEr/ h7PPliw0L/qkLyzVzfyCP468XfSBzqYz45lvbrSHxy/Oi6DxTzvY0FmvJcYkkyIVKF+vNp pYRVpDENgu1QJfwetzM/N15cCoSDy9TuGaVbBGH0D0uqb/6bJLBo/uC84ALsCA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XQLSF38hQzyjC; Fri, 11 Oct 2024 22:11:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 49BMBPNK028926; Fri, 11 Oct 2024 22:11:25 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 49BMBPam028923; Fri, 11 Oct 2024 22:11:25 GMT (envelope-from git) Date: Fri, 11 Oct 2024 22:11:25 GMT Message-Id: <202410112211.49BMBPam028923@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Warner Losh Subject: git: e92dd815de89 - stable/14 - mitigations.7: explain installing firmware + spdx List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: imp X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: e92dd815de891be18ef66dcda8ddea5e4c9c66d6 Auto-Submitted: auto-generated The branch stable/14 has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=e92dd815de891be18ef66dcda8ddea5e4c9c66d6 commit e92dd815de891be18ef66dcda8ddea5e4c9c66d6 Author: Alexander Ziaee AuthorDate: 2024-09-15 01:23:52 +0000 Commit: Warner Losh CommitDate: 2024-10-11 22:10:21 +0000 mitigations.7: explain installing firmware + spdx MFC after: 3 days Reported by: imp (ucode is for security) Reported by: emaste (ucode is not minix) Reported by: delphij (please ucode asap) Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/1411 (cherry picked from commit b15aff050530a791262e166ee0c8fed3a118e7d6) --- share/man/man7/mitigations.7 | 48 +++++++++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index 9dceffb368a9..7156327a7795 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -1,3 +1,6 @@ +.\"- +.\" SPDX-License-Identifer: BSD-2-Clause +.\" .\" Copyright © 2023 The FreeBSD Foundation .\" .\" This documentation was written by Ed Maste , and 
@@ -41,6 +44,7 @@ or per-process basis, some are optionally enabled or disabled at compile time, and some are inherent to the implementation and have no controls. .Pp The following vulnerability mitigations are covered in this document: +.Pp .Bl -bullet -compact .It Address Space Layout Randomization (ASLR) @@ -59,9 +63,11 @@ Stack Overflow Protection .It Supervisor Mode Memory Protection .It -Hardware Vulnerability Mitigation Controls -.It Capsicum +.It +Firmware and Microcode +.It +Architectural Vulnerability Mitigations .El .Pp Please note that the effectiveness and availability of these mitigations may @@ -330,18 +336,14 @@ kernel. .Pp These features are automatically used by the kernel. There is no user-facing configuration. -.Ss Hardware vulnerability controls -See -.Xr security 7 -for more information. .\" .Ss Capsicum Capsicum is a lightweight OS capability and sandbox framework. See .Xr capsicum 4 for more information. -.Pp .Sh HARDWARE VULNERABILITY MITIGATIONS +.Ss Firmware and Microcode Recent years have seen an unending stream of new hardware vulnerabilities, notably CPU ones generally caused by detectable microarchitectural side-effects of speculative execution which leak private data from some other thread or 
@@ -349,18 +351,36 @@ process or sometimes even internal CPU state that is normally inaccessible. Hardware vendors usually address these vulnerabilities as they are discovered by releasing microcode updates, which may then be bundled into platform firmware updates -.Pq historically called BIOS updates for PCs . +.Pq historically called BIOS updates for PCs +or packages to be updated by the operating system at boot time. +.Pp +Platform firmware updates, if available from the manufacturer, +are the best defense as they provide coverage during early boot. +Install them with +.Pa sysutils/flashrom +from the +.Fx +Ports Collection. +.Pp +If platform firmware updates are no longer available, +packaged microcode is available for installation at +.Pa sysutils/cpu-microcode +and can be loaded at runtime using +.Xr loader.conf 5 , +see the package message for more details. .Pp The best defense overall against hardware vulnerabilities is to timely apply -these updates when available and to disable the affected hardware's problematic -functionalities when possible (e.g., CPU Simultaneous Multi-Threading). +these updates when available, as early as possible in the boot process, +and to disable the affected hardware's problematic functionalities when possible +(e.g., CPU Simultaneous Multi-Threading). Software mitigations are only partial substitutes for these, but they can be helpful on out-of-support hardware or as complements for just-discovered vulnerabilities not yet addressed by vendors. Some software mitigations depend on hardware capabilities provided by a microcode update. -.Pp -FreeBSD's usual policy is to apply by default all OS-level mitigations that do +.Ss Architectural Vulnerability Mitigations +.Fx Ap s +usual policy is to apply by default all OS-level mitigations that do not require recompilation, except those the particular hardware it is running on is known not to be vulnerable to .Pq which sometimes requires firmware updates , 
@@ -449,6 +469,10 @@ should be considered when configuring and deploying them in a .Fx system. .Pp +Additional mitigation knobs are listed in the +.Sx KNOBS AND TWEAKS +section of +.Xr security 7 . .Sh SEE ALSO .Xr elfctl 1 , .Xr proccontrol 1 ,
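Review bot: in the first hunk (`@@ -1,3 +1,6 @@`) the new tag line `.\" SPDX-License-Identifer: BSD-2-Clause` misspells the key; it has to read `SPDX-License-Identifier` (second `i` missing) or SPDX tooling that matches the exact tag string will not pick it up and the page will be reported as carrying no license identifier, which defeats the point of adding the line. Since this is a cherry-pick of b15aff050530a791262e166ee0c8fed3a118e7d6 the same typo is now on both main and stable/14 and needs a follow-up on each.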
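Review bot: in the `@@ -330,18 +336,14 @@` hunk the new `.Ss Firmware and Microcode` header is placed directly under `.Sh HARDWARE VULNERABILITY MITIGATIONS`, so the paragraph that immediately follows it ("Recent years have seen an unending stream of new hardware vulnerabilities ... private data from some other thread or process or sometimes even internal CPU state") now reads as part of the firmware subsection although it is a general description of the vulnerability class that the `Architectural Vulnerability Mitigations` subsection added later in the patch relies on just as much. Consider moving the `.Ss` line below that paragraph so the section keeps a short general introduction and the subsection opens with "Hardware vendors usually address these vulnerabilities ...", which is where the firmware and microcode material actually starts. Dropping the `.Pp` before `.Sh` is fine; a paragraph macro directly before a section header is a no-op.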
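Review bot: in the `@@ -349,18 +351,36 @@` hunk the sentence "packaged microcode ... can be loaded at runtime using .Xr loader.conf 5" contradicts itself: a `loader.conf(5)` setting is consumed by the loader and applied early in boot, before the kernel brings up the other CPUs, which is exactly the "as early as possible in the boot process" property the next paragraph asks for, so "at runtime" should read "early in boot"; the true runtime path on FreeBSD is `cpucontrol(8)` (driven by the `microcode_update` rc service), which is the right thing to name if late loading is meant, since late-applied microcode cannot fix issues that bit during boot and some updates cannot be applied late at all. Two further wording points in the same hunk: the lead-in "If platform firmware updates are no longer available" presents OS-loaded microcode purely as a fallback, but vendor firmware typically lags the microcode releases, and the page itself notes that "Some software mitigations depend on hardware capabilities provided by a microcode update", so the package is worth installing alongside firmware updates rather than only after they stop; and "Install them with .Pa sysutils/flashrom" states a single method unconditionally, whereas flashrom writes the SPI flash directly and on many platforms the flash is locked or the vendor ships updates only as capsules or vendor utilities, so "for example with" plus a pointer to the manufacturer's own update mechanism would be more accurate.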
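Review bot: the `@@ -449,6 +469,10 @@` hunk extends the end of the page but leaves SEE ALSO without an entry for the tooling the new Firmware and Microcode subsection now depends on; since the body points readers at `loader.conf(5)` for microcode loading, `.Xr cpucontrol 8` (the base utility that applies microcode updates after boot) and `.Xr loader.conf 5` belong in the list next to `.Xr elfctl 1` and `.Xr proccontrol 1`. Minor style point on the added cross reference itself: `.Sx` is defined in `mdoc(7)` for sections of the same page, so `.Sx KNOBS AND TWEAKS` followed by `.Xr security 7` renders as text but does not resolve as a link in HTML output; quoting the section name (for example with `.Dq`) before the `.Xr` avoids relying on `.Sx` across pages.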