OPNsense Forum

English Forums => General Discussion => Topic started by: consuli on March 05, 2018, 09:07:40 pm

Title: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: consuli on March 05, 2018, 09:07:40 pm
Hello!

I've bought a preconfigured OPNSense Firewall on Ebay.

This Firewall is based on an embedded computing mainboard and an embedded AMD processor, which is at least vulnerable to Spectre Version 1 (illegal execution by a mistrained branch prediction circuit).

In which way is my OPNSense Firewall compromised by its CPU's vulnerability, in my case the Spectre Version 1 vulnerability?

Consuli
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: franco on March 06, 2018, 07:54:38 am
Hi there,

For completeness: FreeBSD has not yet patched Meltdown or Spectre in any of their release versions.

Meltdown is a contained kernel patch for page table isolation I think, but Spectre requires patching compilers, too. Compilers are usually updated when new releases are made available.

That being said I would *hope* by the time FreeBSD 11.2 is out this will be addressed, or we'll see if anything can be done from the HardenedBSD perspective on top of our current 11.1. It depends on how compiler authors are willing to backport their Spectre mitigation.

Shawn would know more... I'll try to redirect him here. :)


Cheers,
Franco
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: lattera on March 06, 2018, 02:20:10 pm
I believe FreeBSD is actively working on merging PTI and IBRS support into 11.1-RELEASE. There is an experimental patch floating around that applies to 11.1-RELEASE, but there has been no status update since that experimental patch was released.

IBRS helps address one of the Spectre variants on Intel Skylake and above. However, it needs to be combined with Retpoline for full effectiveness (and, Retpoline requires IBRS on Intel Skylake and above for full effectiveness; they depend on each other.)

Retpoline requires both compiler and linker support. FreeBSD 11.1-RELEASE uses clang as the compiler, but GNU ld as the linker on amd64. In order to effectively use Retpoline, lld needs to be the linker. When OPNsense switches to HardenedBSD, it will gain lld as the default linker for the entire ecosystem on amd64.

So, there's a long road ahead. With all that said, keep in mind that Meltdown and Spectre are local attacks. The only time when Meltdown and Spectre become issues outside of local access is multi-tenant hosting. However, virtualizing your firewall with other untrusted VMs isn't a good idea, anyways.
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: dcol on March 06, 2018, 05:23:20 pm
When OPNsense switches to HardenedBSD, it will gain lld as the default linker for the entire ecosystem on amd64.

Is this really in the works? That would be exciting.
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: lattera on March 06, 2018, 05:31:32 pm
Yup. When FreeBSD 12.0-RELEASE happens and HardenedBSD creates the proper release engineering branch (hardened/releng/12.0), OPNsense will start work on switching to HardenedBSD as the upstream. Note that OPNsense already switched its ports tree (aka, third party packages) to HardenedBSD's ports tree. So we're already half way there. We just need the other half (the operating system itself) to be switched over. :)
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: lattera on March 06, 2018, 05:55:56 pm
Hot off the press: FreeBSD just released a Call For Testing (CFT) of PTI and IBRS for 11.1-RELEASE: https://lists.freebsd.org/pipermail/freebsd-stable/2018-March/088526.html

Over the next couple weeks, I'll work to import the patch into a feature branch in OPNsense's src repo. I'll discuss with the OPNsense Core Team how we can go forward with publishing a testable version of OPNsense with the patch applied. Stay tuned for more info. :)
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: lattera on March 06, 2018, 10:04:48 pm
I spy with my little eye a feature branch to test PTI + IBRS: https://github.com/opnsense/src/tree/hardened/master/pti_ibrs

I'll enable PTI by default in this branch, just like we do in HardenedBSD.
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: elektroinside on March 07, 2018, 05:20:47 pm
Very nice! Thank you!
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: franco on March 07, 2018, 05:23:05 pm
We are hoping to publish a test on Monday after a bit of internal testing.


Cheers,
Franco
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: lattera on March 07, 2018, 09:45:49 pm
Here's a sneak peek! :)

If the attached screenshot didn't show properly, then here's a link to it: https://photos.app.goo.gl/NgaICZGUo8QjIf7u1
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: consuli on March 12, 2018, 08:34:51 pm
First of all, I am glad the opnsense forum does address the Meltdown/Spectre topic! I've experienced that this is not the case in other, more commercially oriented forums. So, thank you twice for this!

Further, it is promising that patches are on the way.

Although I am pretty aware that it is not the opnsense team's fault that there are no Meltdown/Spectre patches for the moment (as this is the responsibility of the OpenBSD developers), this fact does not solve my current problem with an unpatched OPNsense firewall.

So what do you recommend for an unpatched OPNsense firewall in an elevated-threat research environment for the moment? Precautionary shutdown?

Thanks
Consuli
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: elektroinside on March 12, 2018, 11:20:59 pm
There really isn't anything someone can recommend. You should use the firewall you trust. If you don't trust it, don't use it. It's like hiring an IT guy for your business and being afraid he steals all your passwords. What do you do with the guy?
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: franco on March 14, 2018, 06:41:13 pm
A Call for Testing for a modified version of the following will be out later today:

https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc

We are hoping that this will ship in the 18.1.5 release next week after positive confirmation of the community.


Cheers,
Franco
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: dcol on March 15, 2018, 04:06:57 pm
I will try it on a testing unit if you can provide the shell commands. The procedure in the freebsd advisory is beyond my knowledge.
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: franco on March 20, 2018, 07:41:26 am
But with opnsense-update it's easy. :)

https://forum.opnsense.org/index.php?topic=7595.0
Title: Re: How are OPNSense Firewalls affected by Meltdown and Spectre?
Post by: dcol on March 20, 2018, 04:23:02 pm
Got it, thanks. And it is working ok.
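Added example (not code from the thread, from lattera, or from the OPNsense project): a POSIX shell check for the mitigation state lattera's post describes (PTI for Meltdown, IBRS for Spectre variant 2), the sort of verification dcol's "it is working ok" implies once the SA-18:03 kernel is installed. The sysctl names (`vm.pmap.pti`, `hw.ibrs_disable`, `hw.ibrs_active`) are the ones FreeBSD's amd64 kernel exposes after that advisory; whether a particular OPNsense build exposes all of them depends on the kernel installed, which is why missing names are reported rather than treated as an error. The assessment function reads `name: value` lines so it can also be run against constructed input.

```shell
#!/bin/sh
# Added example, not from the OPNsense project. Reports whether the FreeBSD
# Meltdown (PTI) and Spectre v2 (IBRS) mitigations are in effect, using the
# sysctls FreeBSD exposes after SA-18:03. Assumes a FreeBSD-based host for
# collect_mitigation_sysctls; assess_mitigations works on any sh.

# Print "name: value" for each mitigation sysctl. A name the running kernel
# does not know is reported as "absent" instead of aborting the check.
collect_mitigation_sysctls() {
    for name in vm.pmap.pti hw.ibrs_disable hw.ibrs_active; do
        value=$(sysctl -n "$name" 2>/dev/null) || value="absent"
        printf '%s: %s\n' "$name" "$value"
    done
}

# Read "name: value" lines on stdin; return 0 only when PTI is enabled and
# IBRS is active, 1 otherwise. hw.ibrs_active (not hw.ibrs_disable) is the
# decisive value: IBRS stays inactive on CPUs whose microcode lacks it even
# when it has not been disabled, and is absent entirely on kernels without
# the patch.
assess_mitigations() {
    pti=""
    ibrs_active=""
    while IFS= read -r line; do
        case "$line" in
            "vm.pmap.pti: "*)    pti=${line#*: } ;;
            "hw.ibrs_active: "*) ibrs_active=${line#*: } ;;
        esac
    done
    status=0
    if [ "$pti" = "1" ]; then
        echo "Meltdown: PTI enabled"
    else
        echo "Meltdown: PTI NOT enabled (vm.pmap.pti=${pti:-absent})"
        status=1
    fi
    if [ "$ibrs_active" = "1" ]; then
        echo "Spectre v2: IBRS active"
    else
        echo "Spectre v2: IBRS NOT active (hw.ibrs_active=${ibrs_active:-absent})"
        status=1
    fi
    return $status
}

# Run the live check only when invoked as: sh check_mitigations.sh check
case "${1:-}" in
    check) collect_mitigation_sysctls | assess_mitigations ;;
esac
```

On a firewall still running an unpatched 11.1 kernel the check reports both sysctls as absent and exits 1; after the patched kernel is installed, `vm.pmap.pti` should read 1 (lattera enables PTI by default in the branch) and `hw.ibrs_active` reads 1 only if the CPU's microcode offers IBRS. Note that IBRS is an Intel mechanism; on the AMD board consuli describes `hw.ibrs_active` staying 0 is expected rather than a sign the update failed.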