Zenbleed errata for 7.2 and 7.3 will come out soon.

sysupgrade of the -current snapshot already contains a fix.

I wanted to share some notes on impact:

OpenBSD does not use the AVX instructions to the same extent that Linux
and Microsoft do, so this is not as important.

On Linux, glibc has AVX-based optimizations for simple functions (string
and memory copies) which will store secrets into the register file which
can be extracted trivially, so the impact on glibc-based systems is
HUGE.

While working on our fixes, I ran the test programs for quite a while
and I never saw anything resembling a 'text' string.  However, when I ran
a browser I saw streams of what was probably graphics-related fragments
flowing past.  The base system clearly uses AVX very rarely by itself.

In summary: in OpenBSD, this isn't a big deal today.  However, attacks
built upon primitives always get better over time, so I urge everyone to
install these workarounds as soon as our errata ship.

--

ps. If you use syspatch for these new errata, you must install the
bootblocks yourself!  syspatch cannot install them for you.  So you must
run this yourself, before the last reboot:

       installboot -v sd0
or
       installboot -v wd0

Our cpu firmware update mechanism uses the bootblocks to load the firmware
from disk and provides it to the kernel, so if you don't have new bootblocks
you won't be protected.
