Hi Andrea!
On 16.03.18 at 17:11, Andrea Venturoli via freebsd-security wrote:
On 03/14/18 05:29, FreeBSD Security Advisories wrote:
# sysctl vm.pmap.pti
vm.pmap.pti: 1
Of course I find this enabled on the Intel box and not on the AMD one,
but... is PTI in any way affected by a microcode update from Intel?
From what I have read so far, I'm pretty certain it isn't planned or
even possible to patch this via a microcode update.
IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or disabled at runtime. Additional detail on microcode updates will follow.
Neither of the two boxes seems to have this enabled; on both I see:
# sysctl -a|grep ibrs
hw.ibrs_disable: 1
hw.ibrs_active: 0
Does this mean both machines don't have good enough microcode, or is IBRS just not enabled by default?
IBRS does not seem to be enabled by default:
https://reviews.freebsd.org/rS328625
"For existing processors, you need a microcode update which adds IBRS
CPU features, and to manually enable it by setting the tunable/sysctl
hw.ibrs_disable to 0."
In the first case, I tried finding some information on what microcode is
available for what CPU (I'm interested in several other ones, not only
these two), but failed. Has anyone a pointer?
For Intel CPUs, there's this list:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf
Last question: am I right that devcpu-data is nowadays useless (read: no microcode update anyway) unless this update to base is also installed?
The microcode update itself will work, if that is what you meant, but
just updating the microcode and not FreeBSD is useless to mitigate
Spectre V2.
Hope this helps,
Jan
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
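The checks discussed in this thread, as an added shell example that is not part of the original mail: it classifies the PTI and IBRS state of a box from the three sysctls quoted above. The function names and the sample sysctl outputs are mine (the samples are constructed to mirror the values Andrea posted, plus two states the thread does not show). The reading of hw.ibrs_disable=0 together with hw.ibrs_active=0 as "microcode does not advertise IBRS" is my inference from the quoted commit message, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the freebsd-security thread or the FreeBSD project.
# Classify Meltdown (PTI) and Spectre V2 (IBRS) mitigation state on FreeBSD from
# "name: value" lines as printed by sysctl(8).
#
# On a live box:
#   report "$(hostname)" "$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null)"

# Print the value of sysctl $1 from the "name: value" text in $2,
# or "?" when the name is absent (kernel without the SA patch).
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1:" \
        '$1 == key { print $2; found = 1 } END { if (!found) print "?" }'
}

# One word for the IBRS state:
#   active       - hw.ibrs_disable=0 and hw.ibrs_active=1
#   disabled     - hw.ibrs_disable=1: tunable at its default, microcode unknown
#   no-microcode - hw.ibrs_disable=0 but hw.ibrs_active=0: CPU does not
#                  advertise IBRS (inference from the quoted commit message)
#   unpatched    - sysctls missing: base system lacks the update
ibrs_state() {
    disable=$(sysctl_value hw.ibrs_disable "$1")
    active=$(sysctl_value hw.ibrs_active "$1")
    case "$disable/$active" in
        0/1) echo active ;;
        1/*) echo disabled ;;
        0/0) echo no-microcode ;;
        *)   echo unpatched ;;
    esac
}

# One word for the PTI state: on, off, or unpatched (sysctl missing).
pti_state() {
    case "$(sysctl_value vm.pmap.pti "$1")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unpatched ;;
    esac
}

# Print a one-line summary for host $1 given sysctl text $2.
report() {
    printf '%s: PTI=%s IBRS=%s\n' "$1" "$(pti_state "$2")" "$(ibrs_state "$2")"
}

# Constructed sample outputs (not captured from real machines).
INTEL_BOX='vm.pmap.pti: 1
hw.ibrs_disable: 1
hw.ibrs_active: 0'
AMD_BOX='vm.pmap.pti: 0
hw.ibrs_disable: 1
hw.ibrs_active: 0'
# Constructed: Intel box after `sysctl hw.ibrs_disable=0` with IBRS-capable microcode.
INTEL_BOX_IBRS='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 1'
# Constructed: tunable cleared, but the microcode does not provide IBRS.
INTEL_BOX_OLD_UCODE='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 0'

report intel        "$INTEL_BOX"
report amd          "$AMD_BOX"
report intel-ibrs   "$INTEL_BOX_IBRS"
report intel-old-uc "$INTEL_BOX_OLD_UCODE"
report unpatched    ""
```

The practical point of the classification is the third state: to find out whether a box's microcode is good enough, clear the tunable (`sysctl hw.ibrs_disable=0`) and look at hw.ibrs_active afterwards; with hw.ibrs_disable left at 1, the active flag says nothing about the microcode.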