Many modern processors have implementation issues that allow unprivileged attackers to bypass user/kernel or inter-process memory access restrictions by exploiting speculative execution together with shared microarchitectural resources (caches).
Details of the first set of these flaws were announced publicly on 3 January 2018. In May 2018 rumours started circulating of a second set of flaws.
Background
x86
Arm
Power
Vulnerability Status (by Architecture)

Columns are the six issues, identified by CVE, Google Project Zero (GPZ) variant number and nickname. Cells give the FreeBSD status; "Mitigation [n]" refers to patch n in the Mitigation Patches table below.

| arch | microarch | CVE-2017-5753 (GPZ Variant 1, Spectre) | CVE-2017-5715 (GPZ Variant 2, Spectre) | CVE-2017-5754 (GPZ Variant 3, Meltdown) | CVE-2018-3640 (GPZ Variant 3a) | CVE-2018-3639 (GPZ Variant 4, Speculative Store Bypass) | CVE-2018-3665 (Lazy FP State Restore) |
|---|---|---|---|---|---|---|---|
| amd64 | AMD | Vulnerable | Mitigation [8] | Not vulnerable | Not vulnerable ** | Vulnerable | |
| amd64 | Intel | Vulnerable | Mitigation [7,8] | Mitigation [1,5,6] | Vulnerable | Mitigation [10] | Mitigation [12] |
| amd64 | Via | | | | | | |
| i386 | AMD | Vulnerable | Mitigation [8] | Not vulnerable | Not vulnerable ** | Vulnerable | |
| i386 | Intel | Vulnerable | Mitigation [8,11] | Mitigation [9] | Vulnerable | Vulnerable | |
| i386 | Via | | | | | | |
| arm64 | Cavium ThunderX | Not vulnerable | Not vulnerable | Not vulnerable | Not vulnerable | | |
| arm64 | Cavium ThunderX2 * | Vulnerable | Vulnerable | Not vulnerable | Not vulnerable | | |
| arm64 | Qualcomm Falkor * | | Vulnerable | | | | |
| arm64 | Cortex A53, A55 | Not vulnerable | Not vulnerable | Not vulnerable | Not vulnerable | | |
| arm64 | Cortex A57 | Vulnerable | Mitigation [2] | Not vulnerable | Vulnerable | Vulnerable | |
| arm64 | Cortex A72 | Vulnerable | Mitigation [2] | Not vulnerable | Vulnerable | Vulnerable | |
| arm64 | Cortex A73 | Vulnerable | Mitigation [2] | Not vulnerable | Not vulnerable | Vulnerable | |
| arm64 | Cortex A75 | Vulnerable | Mitigation [2] | Vulnerable | Not vulnerable | Vulnerable | |
| armv7 | Cortex A5, A7 | Not vulnerable | Not vulnerable | Not vulnerable | Not vulnerable | | |
| armv7 | Cortex A8, A9, A17 | Vulnerable | Mitigation [4] | Not vulnerable | Not vulnerable | | |
| armv7 | Cortex A15 | Vulnerable | Mitigation [4] | Vulnerable | Not vulnerable | | |
| armv4,5,6 | | Not vulnerable | Not vulnerable | Not vulnerable | Not vulnerable | | |
| powerpc64 | POWER6 | Vulnerable | Vulnerable | Not vulnerable + | Not vulnerable | | |
| powerpc64 | POWER7, POWER8, POWER9 | Vulnerable | Vulnerable | Not vulnerable + | Not vulnerable | | |

* These CPUs are not yet supported by FreeBSD.
+ ppc64 hashed page tables use separate user/kernel address spaces and are therefore not vulnerable to Meltdown.
** AMD reports "We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."
NOTE: Empty cells and unlisted architectures either have an unknown status or will be added to the table shortly.
This table represents the most up-to-date information we have, but as the understanding of these vulnerabilities is changing rapidly, certain details may be out of date or incorrect.
Mitigation Patches

| # | Description | Review | Commit: HEAD | Commit: stable/11 | Commit: stable/10 |
|---|---|---|---|---|---|
| 1 | amd64 PTI (Meltdown) | | r328083, r328096, r328116, r328119, r328120, r328128, r328135, r328153, r328157, r328177, r328199, r328202, r328205, r328468 | | |
| 2 | arm64 Spectre variant 2 | | | | |
| 3 | amd64 bhyve partial Spectre variant 2 | | | | |
| 4 | armv7 Spectre variant 2 | | | | |
| 5 | amd64 PTI-PCID integration | | | | |
| 6 | amd64 PTI default setting | | | | |
| 7 | amd64 Spectre IBRS | | | | |
| 8 | x86 Clang retpoline Spectre variant 2 | | | | |
| 9 | i386 4/4G split | | | | |
| 10 | amd64 Intel SSBD | | | | |
| 11 | i386 Spectre IBRS | | | | |
| 12 | amd64 Lazy FP State Restore | | | | |

NOTE: The descriptions above indicate patch applicability (e.g. architecture and variant) but are not necessarily the entire or final mitigation for the issue.
AMD64 user guide
Meltdown (CVE-2017-5754)
Mitigating Meltdown requires separate kernel and user mode page tables, so that user mode does not have sensitive kernel or physical pages mapped at all, not even with restricted permissions. The technique is known as Page Table Isolation (PTI) and is implemented for the amd64 kernel. PTI is enabled by default on all non-AMD CPUs. You can force PTI on, or disable it, with the vm.pmap.pti loader tunable (vm.pmap.pti=1 or vm.pmap.pti=0 in /boot/loader.conf); the setting in effect is reported by the read-only sysctl of the same name.
Older Intel Atom CPUs execute in order, and are believed not to be vulnerable to Meltdown. We do not attempt to identify those microarchitectures in order to leave PTI disabled on them, because we have no conclusive answer to that question and no exhaustive list of the relevant microarchitecture identifiers.
A test for Meltdown that can be used to check a CPU is available at https://github.com/dag-erling/meltdown. Note that a positive result is definitive, while a negative result may mean the test needs tuning for the CPU rather than that the CPU is unaffected.
Spectre: Variant 2 (CVE-2017-5715)
Patches implementing the retpoline approach to mitigating Spectre variant 2 are in progress; in the meantime we provide an IBRS-based mitigation on Intel CPUs. The main disadvantage of the IBRS mitigation is its significant performance penalty. Also, given the state of Intel's microcode releases, finding a working and stable microcode blob is not trivial.
AMD has promised to provide the same mechanism, but its presence on AMD CPUs is detected differently from Intel CPUs. We have not yet seen an AMD CPU with this capability, so the proposed code to detect and use IBRS on AMD is not committed. Also, AMD appears to specify that, even with SMEP enabled, IBRS protection at the user/kernel boundary still requires a Return Stack Buffer (RSB) flush; on Intel CPUs it is only needed on parts that lack SMEP.
You can verify that the IBRS-enabling microcode is loaded by looking at the dmesg buffer after the microcode update. If the line Structured Extended Features3=0xc000000<IBPB,STIBP> appears in the CPU features report, the IBPB (Indirect Branch Prediction Barrier) feature has been patched in, so the system can perform the mitigation at the user/kernel boundary. The current status of the mitigation can be checked with the sysctl hw.ibrs_active. If the CPU feature is present and not disabled by the tunable/sysctl hw.ibrs_disable, it should report activation.
If you have access to the Intel microcode list, for instance https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf, you can also check the version of the currently loaded microcode. Install sysutils/x86info from ports, load the cpuctl(4) driver (already required for loading microcode), and use the -a switch to see the microcode version among other information.
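The checks described above (the vm.pmap.pti tunable, hw.ibrs_active / hw.ibrs_disable, and the IBPB flag in the dmesg CPU feature report) can be scripted. The following is an added example, not code from this wiki page or from the FreeBSD project; it runs offline against constructed sysctl and dmesg samples, and with --live reads the real sysctl(8) and dmesg(8) output on an amd64 FreeBSD host. The verdict strings and the classify_sysctl / has_ibpb function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the FreeBSD wiki page): summarise the amd64
# Meltdown (PTI) and Spectre variant 2 (IBRS) mitigation state from the
# sysctls and the dmesg line named in the user guide.

# Read "name: value" lines, the format printed by
#   sysctl vm.pmap.pti hw.ibrs_active hw.ibrs_disable
# from stdin, and print one verdict line per mitigation.
classify_sysctl() {
    awk -F': ' '
        $1 == "vm.pmap.pti"     { pti = $2 }
        $1 == "hw.ibrs_active"  { active = $2 }
        $1 == "hw.ibrs_disable" { disable = $2 }
        END {
            printf "meltdown-pti: %s\n", ((pti == "1") ? "enabled" : "disabled")
            if (active == "1")
                print "spectre-v2-ibrs: active"
            else if (disable == "1")
                print "spectre-v2-ibrs: disabled via hw.ibrs_disable"
            else
                print "spectre-v2-ibrs: inactive (no IBPB-capable microcode loaded?)"
        }'
}

# Exit 0 if the CPU feature report on stdin lists IBPB in the
# "Structured Extended Features3" line, i.e. the IBRS-enabling microcode
# has been applied; exit 1 otherwise.
has_ibpb() {
    grep -Eq 'Structured Extended Features3=0x[0-9a-fA-F]+<([^>]*,)?IBPB(,[^>]*)?>'
}

# Constructed samples (not captured from a real machine) for the offline run.
SAMPLE_SYSCTL='vm.pmap.pti: 1
hw.ibrs_active: 1
hw.ibrs_disable: 0'
SAMPLE_DMESG='CPU: constructed Intel sample
  Structured Extended Features3=0xc000000<IBPB,STIBP>'

if [ "${1:-}" = "--live" ]; then
    sysctl vm.pmap.pti hw.ibrs_active hw.ibrs_disable | classify_sysctl
    if dmesg | has_ibpb; then echo "microcode: IBPB present"; else echo "microcode: IBPB absent"; fi
else
    printf '%s\n' "$SAMPLE_SYSCTL" | classify_sysctl
    if printf '%s\n' "$SAMPLE_DMESG" | has_ibpb; then echo "microcode: IBPB present"; else echo "microcode: IBPB absent"; fi
fi
```

On a FreeBSD host run it as `sh check_mitigations.sh --live`. A "disabled" PTI verdict on an Intel CPU means vm.pmap.pti=0 was set in /boot/loader.conf; an "inactive" IBRS verdict with hw.ibrs_disable at 0 usually means the microcode without IBPB is loaded, which is exactly the case the dmesg check distinguishes.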
Spectre: Variant 1 (CVE-2017-5753)