Hello!
I've bought a preconfigured OPNSense Firewall on Ebay.
This firewall is based on an embedded computing mainboard and an embedded AMD processor, which is at least vulnerable to Spectre Version 1 (illegal execution by a mistrained branch prediction circuit).
In which way is my OPNSense Firewall compromised by its CPU's vulnerability, in my case the Spectre Version 1 vulnerability?
Consuli
Hi there,
For completeness: FreeBSD has not yet patched Meltdown or Spectre in any of their release versions.
Meltdown is a contained kernel patch for page table isolation I think, but Spectre requires patching compilers, too. Compilers are usually updated when new releases are made available.
That being said I would *hope* by the time FreeBSD 11.2 is out this will be addressed, or we'll see if anything can be done from the HardenedBSD perspective on top of our current 11.1. It depends on how compiler authors are willing to backport their Spectre mitigation.
Shawn would know more... I'll try to redirect him here. :)
Cheers,
Franco
I believe FreeBSD is actively working on merging PTI and IBRS support into 11.1-RELEASE. There is an experimental patch floating around that applies to 11.1-RELEASE, but there has been no status update since that experimental patch was released.
IBRS helps address one of the Spectre variants on Intel Skylake and above. However, it needs to be combined with Retpoline for full effectiveness (and Retpoline requires IBRS on Intel Skylake and above for full effectiveness; they depend on each other).
Retpoline requires both compiler and linker support. FreeBSD 11.1-RELEASE uses clang as the compiler, but GNU ld as the linker on amd64. In order to effectively use Retpoline, lld needs to be the linker. When OPNsense switches to HardenedBSD, it will gain lld as the default linker for the entire ecosystem on amd64.
So, there's a long road ahead. With all that said, keep in mind that Meltdown and Spectre are local attacks. The only time when Meltdown and Spectre become issues outside of local access is multi-tenant hosting. However, virtualizing your firewall with other untrusted VMs isn't a good idea, anyways.
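As an added example (not code from this thread or from the OPNsense or FreeBSD projects), the following POSIX sh script summarises the state of the two mitigations discussed above, PTI for Meltdown and IBRS for Spectre variant 2, using the sysctl names FreeBSD exposes once the patches are in: `vm.pmap.pti`, `hw.ibrs_active` and `hw.ibrs_disable`. The parsing is separated from the live query so it can be run offline against a constructed sample of `sysctl` output; the sample values and the `--sample` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the OPNsense thread or project): summarise the
# Meltdown/Spectre mitigation state FreeBSD exposes via sysctl after the
# SA-18:03 patches. Sysctl names are FreeBSD's own: vm.pmap.pti (Meltdown PTI),
# hw.ibrs_active (IBRS currently in use) and hw.ibrs_disable (admin knob).

# Constructed sample of `sysctl` output, so the parser can be exercised offline.
SAMPLE_SYSCTL='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 1'

# sysctl_value NAME TEXT: print the value of NAME from "name: value" lines.
sysctl_value() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            "$1: "*) printf '%s\n' "${line#"$1: "}"; break ;;
        esac
    done
}

# mitigation_status NAME TEXT: map a 0/1 sysctl to disabled/enabled; a missing
# sysctl (kernel predates the patch, or non-FreeBSD host) reports unknown.
mitigation_status() {
    case "$(sysctl_value "$1" "$2")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# ibrs_status TEXT: IBRS counts as active only when the kernel reports it in use
# and it has not been switched off administratively via hw.ibrs_disable.
ibrs_status() {
    active=$(mitigation_status hw.ibrs_active "$1")
    disabled=$(sysctl_value hw.ibrs_disable "$1")
    if [ "$active" = enabled ] && [ "$disabled" = 0 ]; then
        echo enabled
    elif [ "$active" = unknown ]; then
        echo unknown
    else
        echo disabled
    fi
}

# report [TEXT]: print a summary; with no argument, query the running kernel.
report() {
    text=${1:-$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null || true)}
    echo "Meltdown (PTI, vm.pmap.pti): $(mitigation_status vm.pmap.pti "$text")"
    echo "Spectre v2 (IBRS, hw.ibrs_active/hw.ibrs_disable): $(ibrs_status "$text")"
}

# Run against the live kernel, or against the sample with `--sample`.
if [ "${1:-}" = --sample ]; then report "$SAMPLE_SYSCTL"; else report; fi
```

On an unpatched 11.1 kernel both lines read `unknown`, because the sysctls do not exist yet; that is the quickest way to tell whether the PTI/IBRS feature branch or the later release actually reached a box. Note that neither knob covers Spectre variant 1, the one the original poster asked about: as the posts above say, that one is addressed in compiled code rather than by a kernel switch.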
Quote from: lattera on March 06, 2018, 02:20:10 PM
When OPNsense switches to HardenedBSD, it will gain lld as the default linker for the entire ecosystem on amd64.
Is this really in the works? That would be exciting.
Yup. When FreeBSD 12.0-RELEASE happens and HardenedBSD creates the proper release engineering branch (hardened/releng/12.0), OPNsense will start work on switching to HardenedBSD as the upstream. Note that OPNsense already switched its ports tree (aka, third party packages) to HardenedBSD's ports tree. So we're already halfway there. We just need the other half (the operating system itself) to be switched over. :)
Hot off the press: FreeBSD just released a Call For Testing (CFT) of PTI and IBRS for 11.1-RELEASE: https://lists.freebsd.org/pipermail/freebsd-stable/2018-March/088526.html
Over the next couple weeks, I'll work to import the patch into a feature branch in OPNsense's src repo. I'll discuss with the OPNsense Core Team how we can go forward with publishing a testable version of OPNsense with the patch applied. Stay tuned for more info. :)
I spy with my little eye a feature branch to test PTI + IBRS: https://github.com/opnsense/src/tree/hardened/master/pti_ibrs
I'll enable PTI by default in this branch, just like we do in HardenedBSD.
Very nice! Thank you!
We are hoping to publish a test on Monday after a bit of internal testing.
Cheers,
Franco
Here's a sneak peek! :)
If the attached screenshot didn't show properly, then here's a link to it: https://photos.app.goo.gl/NgaICZGUo8QjIf7u1
First of all, I am glad the OPNsense forum does address the Meltdown/Spectre topic! I've experienced that this is not the case in other, more commercially orientated forums. So, thank you twice for this!
Further, it is promising that patches are on the way.
Although I am pretty aware it is not the OPNsense team's fault that there are no Meltdown/Spectre patches for the moment (as this is in charge of the OpenBSD developers), this fact however does not solve my current problem with an unpatched OPNsense firewall.
So what do you recommend for an unpatched OPNsense firewall in an elevated-threat research environment for the moment? Precautionary shutdown?
Thanks
Consuli
There really isn't anything someone can recommend. You should use the firewall you trust. If you don't trust it, don't use it. It's like hiring an IT guy for your business and you are afraid he steals all your passwords. What do you do with the guy?
A Call for Testing for a modified version of the following will be out later today:
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc
We are hoping that this will ship in the 18.1.5 release next week after positive confirmation of the community.
Cheers,
Franco
I will try it on a testing unit if you can provide the shell commands. The procedure in the FreeBSD advisory is beyond my knowledge.
But with opnsense-update it's easy. :)
https://forum.opnsense.org/index.php?topic=7595.0
Got it, thanks. And it is working ok.