From nobody Sat Sep 21 13:00:08 2024
Date: Sat, 21 Sep 2024 13:00:08 GMT
Message-Id: <202409211300.48LD08pV097595@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Warner Losh Subject: git: b15aff050530 - main - mitigations.7: explain installing firmware + spdx List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: imp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b15aff050530a791262e166ee0c8fed3a118e7d6 Auto-Submitted: auto-generated The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=b15aff050530a791262e166ee0c8fed3a118e7d6 commit b15aff050530a791262e166ee0c8fed3a118e7d6 Author: Alexander Ziaee AuthorDate: 2024-09-15 01:23:52 +0000 Commit: Warner Losh CommitDate: 2024-09-21 12:56:03 +0000 mitigations.7: explain installing firmware + spdx MFC after: 3 days Reported by: imp (ucode is for security) Reported by: emaste (ucode is not minix) Reported by: delphij (please ucode asap) Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/1411 --- share/man/man7/mitigations.7 | 48 +++++++++++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7 index 75decbe2d026..fceaa21a67ea 100644 --- a/share/man/man7/mitigations.7 +++ b/share/man/man7/mitigations.7 @@ -1,3 +1,6 @@ +.\"- +.\" SPDX-License-Identifer: BSD-2-Clause +.\" .\" Copyright © 2023 The FreeBSD Foundation .\" .\" This documentation was written by Ed Maste , and 
@@ -41,6 +44,7 @@ or per-process basis, some are optionally enabled or disabled at compile time, and some are inherent to the implementation and have no controls. .Pp The following vulnerability mitigations are covered in this document: +.Pp .Bl -bullet -compact .It Address Space Layout Randomization (ASLR) @@ -59,9 +63,11 @@ Stack Overflow Protection .It Supervisor Mode Memory Protection .It -Hardware Vulnerability Mitigation Controls -.It Capsicum +.It +Firmware and Microcode +.It +Architectural Vulnerability Mitigations .El .Pp Please note that the effectiveness and availability of these mitigations may @@ -332,18 +338,14 @@ kernel. .Pp These features are automatically used by the kernel. There is no user-facing configuration. -.Ss Hardware vulnerability controls -See -.Xr security 7 -for more information. .\" .Ss Capsicum Capsicum is a lightweight OS capability and sandbox framework. See .Xr capsicum 4 for more information. -.Pp .Sh HARDWARE VULNERABILITY MITIGATIONS +.Ss Firmware and Microcode Recent years have seen an unending stream of new hardware vulnerabilities, notably CPU ones generally caused by detectable microarchitectural side-effects of speculative execution which leak private data from some other thread or 
@@ -351,18 +353,36 @@ process or sometimes even internal CPU state that is normally inaccessible. Hardware vendors usually address these vulnerabilities as they are discovered by releasing microcode updates, which may then be bundled into platform firmware updates -.Pq historically called BIOS updates for PCs . +.Pq historically called BIOS updates for PCs +or packages to be updated by the operating system at boot time. +.Pp +Platform firmware updates, if available from the manufacturer, +are the best defense as they provide coverage during early boot. +Install them with +.Pa sysutils/flashrom +from the +.Fx +Ports Collection. +.Pp +If platform firmware updates are no longer available, +packaged microcode is available for installation at +.Pa sysutils/cpu-microcode +and can be loaded at runtime using +.Xr loader.conf 5 , +see the package message for more details. .Pp The best defense overall against hardware vulnerabilities is to timely apply -these updates when available and to disable the affected hardware's problematic -functionalities when possible (e.g., CPU Simultaneous Multi-Threading). +these updates when available, as early as possible in the boot process, +and to disable the affected hardware's problematic functionalities when possible +(e.g., CPU Simultaneous Multi-Threading). Software mitigations are only partial substitutes for these, but they can be helpful on out-of-support hardware or as complements for just-discovered vulnerabilities not yet addressed by vendors. Some software mitigations depend on hardware capabilities provided by a microcode update. -.Pp -FreeBSD's usual policy is to apply by default all OS-level mitigations that do +.Ss Architectural Vulnerability Mitigations +.Fx Ap s +usual policy is to apply by default all OS-level mitigations that do not require recompilation, except those the particular hardware it is running on is known not to be vulnerable to .Pq which sometimes requires firmware updates , 
@@ -451,6 +471,10 @@ should be considered when configuring and deploying them in a .Fx system. .Pp +Additional mitigation knobs are listed in the +.Sx KNOBS AND TWEAKS +section of +.Xr security 7 . .Sh SEE ALSO .Xr elfctl 1 , .Xr proccontrol 1 ,
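Review bot: the SPDX tag in the first hunk (`@@ -1,3 +1,6 @@`) is misspelt: `.\" SPDX-License-Identifer: BSD-2-Clause` should read `SPDX-License-Identifier: BSD-2-Clause`. License scanners match that tag literally, so as committed the file still looks untagged to them; fix the spelling before the MFC.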
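Review bot: the `.Pp` added before `.Bl -bullet -compact` in the `@@ -41,6 +44,7 @@` hunk is redundant, since a list block already starts on a new paragraph, and `mandoc -Tlint` warns about a paragraph macro placed directly before `Bl` and skips it. Leave the original spacing, or drop `-compact` if more vertical space between the items is what is wanted.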
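Review bot: "can be loaded at runtime using .Xr loader.conf 5" in the `@@ -351,18 +353,36 @@` hunk contradicts the same hunk's own point that updates should be applied "as early as possible in the boot process": a loader.conf(5) setting makes the boot loader apply the microcode file during boot, before the kernel runs, which is exactly why it is the preferred mechanism, so say "at boot time by the loader" rather than "at runtime". In the same hunk, "If platform firmware updates are no longer available" presents the package as a last resort, but the paragraph that follows says software mitigations may depend on capabilities that only a microcode update provides and that updates should be applied in a timely way; vendor microcode often ships before the board vendor's firmware update does, so "If a platform firmware update is not yet, or no longer, available" and a remark that the two can be combined would be more accurate. Finally, "Install them with .Pa sysutils/flashrom" reads as the one supported method; flashrom only handles chipsets and flash parts it knows, and a failed write can leave the board unbootable, so "can be installed with" plus a mention of the vendor's own update mechanism would be safer wording.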
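Review bot: `.Sx KNOBS AND TWEAKS` in the last hunk (`@@ -451,6 +471,10 @@`) refers to a section of a different manual page, but mdoc(7) defines `Sx` as a cross-reference to a section of the same page, so the HTML rendering of mitigations.7 will link to an anchor that does not exist there. Write the section name as plain text, e.g. `Additional mitigation knobs are listed in the KNOBS AND TWEAKS section of` followed by `.Xr security 7 .`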