# Status of Spectre / Meltdown mitigations in 2021



## chili (Sep 3, 2021)

Hi all,

On the subject of the various Spectre and Meltdown CPU vulnerabilities discovered in 2017-2018,

I tried to find information if FreeBSD is currently fully patched to mitigate them, but I couldn't find any answer.

(For comparison, Windows 10 and Ubuntu currently implement mitigations for all the Spectre/Meltdown variants and load updated CPU microcode when applicable.)

The FreeBSD wiki page on the subject is very outdated (2018), and it lists Spectre v1 as unmitigated on most architectures:


SpeculativeExecutionVulnerabilities - FreeBSD Wiki


Also, it appears a switch to the Retpoline mitigation in FreeBSD (for better performance) was being considered, but I couldn't find out if it was actually implemented.


Can someone shed some light?


----------



## richardtoohey2 (Sep 5, 2021)

I haven't got the full answer, but there's stuff like this: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc

I'm pretty sure you need to install the microcode port as per the above - but that's quite old.

There are others e.g.:



https://www.freebsd.org/security/advisories/FreeBSD-SA-19:26.mcu.asc


Have a look at https://www.freebsd.org/security/advisories/


----------



## Deleted member 30996 (Sep 5, 2021)

> NoScript's unique *whitelist based pre-emptive script blocking* approach prevents exploitation of *security vulnerabilities* (known, such as *Meltdown* or *Spectre*, and *even not known yet*!) with no loss of functionality.
>
> ...



NoScript - No Problem.


----------



## PMc (Sep 6, 2021)

chili said:


> Hi all,
> 
> On the subject of the various Spectre and Meltdown CPU vulnerabilities discovered in 2017-2018,
> 
> I tried to find information if FreeBSD is currently fully patched to mitigate them, but I couldn't find any answer.


Certainly not, because there is no end to it. They continue to come in; new ones are regularly being found.



chili said:


> /SpeculativeExecutionVulnerabilities#Vulnerability_Status_.28by_Architecture.29
> 
> Also, it appears a switch to the Retpoline mitigation in FreeBSD (for better performance) was being considered, but I couldn't find out if it was actually implemented.


Well, accidentally this may be found:

man src.conf

     WITH_KERNEL_RETPOLINE
             Set to enable the "retpoline" mitigation for CVE-2017-5715 in the
             kernel build.

     WITH_RETPOLINE
             Set to build the base system with the retpoline speculative
             execution vulnerability mitigation for CVE-2017-5715.


----------



## Deleted member 30996 (Sep 6, 2021)

richardtoohey2 said:


> I'm pretty sure you need to install the microcode port as per the above - but that's quite old.


To get the microcode update this goes in your /etc/rc.conf file:

```
microcode_update_enable="YES"
```

And you'll need to reboot to make it stick. I don't think `rehash` will do it, but wait a bit.

Then you install this program using pkg or ports:
sysutils/devcpu-data

When it's done with the installation, reboot and it will update your file and CPU.

If you already had that line in /etc/rc.conf  you could run this command to update it:
`service microcode_update start`

And don't leave 127.0.0.1 without that browser extension.
I never do...


----------



## richardtoohey2 (Sep 6, 2021)

PMc said:


> WITH_KERNEL_RETPOLINE
> Set to enable the "retpoline" mitigation for CVE-2017-5715 in the
> kernel build.
> 
> ...


Thank you - so do you know if these are the defaults for FreeBSD binary downloads, i.e. these mitigations will be *on* by default? Or do I have to build my own kernel to turn them on?


----------



## ralphbsz (Sep 6, 2021)

Trihexagonal said:


> NoScript - No Problem.


That only fixes the attack being through Javascript/Java/... in web pages. It ignores a lot of other possible attacks.


----------



## zirias@ (Sep 6, 2021)

In a nutshell, FreeBSD includes all the known mitigations, and as already pointed out, microcode updates are also required. It's been a while since I dug into the technical details, but AFAIR, there's no way to prevent all the known attacks other than disabling hyperthreading (on Intel), which is why OpenBSD changed the default… of course, this instantly cuts your computing power in half.

If you're hosting virtual servers sold to customers, you should think about it.


----------
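The posts above name the pieces (kernel mitigations, microcode updates, and the hyperthreading question) but nobody shows how to check what a given FreeBSD host actually has turned on. The script below is an added example, not code from any poster; it summarises the mitigation sysctls that FreeBSD 12/13 expose on amd64 (`vm.pmap.pti` for Meltdown/KPTI, `hw.ibrs_active` for Spectre v2, `hw.spec_store_bypass_disable_active` for Spectre v4, `hw.mds_disable_state` for MDS, and `kern.smp.threads_per_core` for SMT). The embedded `sysctl -e`-style output is constructed so the script runs anywhere; on a real host replace it with the output of `sysctl -e` for those names.

```sh
#!/bin/sh
# Added example: report FreeBSD speculative-execution mitigation state from
# "name=value" lines as printed by `sysctl -e`. Not from the thread.

# Constructed sample of `sysctl -e` output for a patched FreeBSD 12/13 amd64
# host with microcode loaded and hyperthreading still enabled.
SAMPLE_SYSCTL='vm.pmap.pti=1
hw.ibrs_disable=0
hw.ibrs_active=1
hw.spec_store_bypass_disable=1
hw.spec_store_bypass_disable_active=1
hw.mds_disable=3
hw.mds_disable_state=VERW
machdep.hyperthreading_allowed=1
kern.smp.threads_per_core=2'

# sysctl_value NAME [TEXT]: print the value of NAME from TEXT (default: the
# sample). Prints nothing when NAME is absent, which is what you see on an
# older kernel or on a CPU whose microcode lacks the feature.
sysctl_value() {
    printf '%s\n' "${2:-$SAMPLE_SYSCTL}" |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# check LABEL NAME ACTIVE_VALUE TEXT: one line per mitigation. A missing
# sysctl is reported as unknown rather than silently treated as active.
check() {
    v=$(sysctl_value "$2" "$4")
    case "$v" in
        "")   echo "$1: unknown ($2 not present)" ;;
        "$3") echo "$1: active" ;;
        *)    echo "$1: inactive ($2=$v)" ;;
    esac
}

# mitigation_report [TEXT]: full summary. MDS exposes a state string instead
# of a flag; "inactive" is the only value that means no mitigation.
mitigation_report() {
    t=${1:-$SAMPLE_SYSCTL}
    check "Meltdown (KPTI)"   vm.pmap.pti                         1 "$t"
    check "Spectre v2 (IBRS)" hw.ibrs_active                      1 "$t"
    check "Spectre v4 (SSBD)" hw.spec_store_bypass_disable_active 1 "$t"
    mds=$(sysctl_value hw.mds_disable_state "$t")
    case "$mds" in
        "")       echo "MDS: unknown (hw.mds_disable_state not present)" ;;
        inactive) echo "MDS: inactive" ;;
        *)        echo "MDS: active ($mds)" ;;
    esac
    # SMT is the one item the thread says no microcode update replaces:
    # sibling threads share core resources, so flag it when >1 thread/core.
    if [ "$(sysctl_value kern.smp.threads_per_core "$t")" -gt 1 ] 2>/dev/null; then
        echo "SMT: enabled (machdep.hyperthreading_allowed=0 in /boot/loader.conf disables it)"
    else
        echo "SMT: disabled or unknown"
    fi
}

# Stand-alone run: report on the constructed sample.
mitigation_report
```

On a live host, `mitigation_report "$(sysctl -e vm.pmap.pti hw.ibrs_active hw.spec_store_bypass_disable_active hw.mds_disable_state kern.smp.threads_per_core)"` gives the same summary for the real machine; the script deliberately distinguishes "inactive" from "not present", since an absent sysctl usually means the CPU/microcode combination does not offer the feature at all.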



## chrcol (Sep 7, 2021)

FreeBSD has had newer patches, not sure if they all made it to 12, but I agree that wiki page needs to be updated.


----------



## zirias@ (Sep 7, 2021)

Well, still the main issue is that there is no complete mitigation (short of disabling HT, not even sure if that's considered 100% safe, could someone enlighten me on this?)

I feel I should get my money back from Intel, but that won't happen.


----------

