FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution

Andrea Venturoli ml at netfence.it
Fri Mar 16 16:18:14 UTC 2018


On 03/14/18 05:29, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> =============================================================================
> FreeBSD-SA-18:03.speculative_execution                      Security Advisory
> ...

Hello.
After upgrading two machines (one with an AMD Phenom II X4 925, the 
other with a Pentium 987), I'd like to get just a couple of confirmations...





> # sysctl vm.pmap.pti
> vm.pmap.pti: 1

Of course I find this enabled on the Intel box and not on the AMD one, 
but... is PTI in any way affected by a microcode update from Intel?





> The patch includes the IBRS mitigation for Spectre V2.  To use the mitigation
> the system must have an updated microcode; with older microcode a patched
> kernel will function without the mitigation.
> 
> IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the
> status can be checked via the hw.ibrs_active sysctl.  IBRS may be enabled or
> disabled at runtime.  Additional detail on microcode updates will follow.

Neither of the two boxes seems to have this enabled; on both I see:
> # sysctl -a|grep ibrs
> hw.ibrs_disable: 1
> hw.ibrs_active: 0

Does this mean both machines don't have a good enough microcode or is 
IBRS just not enabled by default?

In the first case, I tried finding some information on what microcode is 
available for what CPU (I'm interested in several other ones, not only 
these two), but failed. Has anyone a pointer?



Last question: am I right that devcpu-data is nowadays useless (read: no 
microcode update anyway) unless this update to base is also installed?


  bye & Thanks
	av.
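
Added example, not part of the original post or of the FreeBSD advisory: a POSIX sh check that reads the three sysctls quoted in this message and classifies them using only the advisory's wording (IBRS can be switched off via hw.ibrs_disable; with older microcode a patched kernel runs without it). The function names, state labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Classify PTI / IBRS state from "name: value" text as printed by
#   sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active
# Function names and state labels are hypothetical, not FreeBSD tooling.

# get_oid NAME TEXT: print the value of NAME, or nothing if it is absent.
get_oid() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

pti_state() {
    case "$(get_oid vm.pmap.pti "$1")" in
        1) echo "pti=enabled" ;;
        0) echo "pti=disabled" ;;
        *) echo "pti=unknown" ;;   # OID missing or unexpected value
    esac
}

ibrs_state() {
    disable=$(get_oid hw.ibrs_disable "$1")
    active=$(get_oid hw.ibrs_active "$1")
    if [ -z "$disable" ] || [ -z "$active" ]; then
        echo "ibrs=unknown"                  # sysctls not present
    elif [ "$active" = 1 ]; then
        echo "ibrs=active"
    elif [ "$disable" = 1 ]; then
        # Switched off by sysctl/tunable: this state alone does not
        # show whether the microcode would support IBRS.
        echo "ibrs=disabled-by-setting"
    else
        # Not disabled, yet not active: per the advisory, a patched
        # kernel on older microcode runs without the mitigation.
        echo "ibrs=requested-but-inactive"
    fi
}

report() { echo "$(pti_state "$1") $(ibrs_state "$1")"; }

# Constructed samples: the values shown in the post, and the AMD box as described.
SAMPLE_INTEL='vm.pmap.pti: 1
hw.ibrs_disable: 1
hw.ibrs_active: 0'
SAMPLE_AMD='vm.pmap.pti: 0
hw.ibrs_disable: 1
hw.ibrs_active: 0'

report "$SAMPLE_INTEL"
report "$SAMPLE_AMD"
# Live host: report "$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null)"
```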


More information about the freebsd-security mailing list