PC Engines - about Spectre and Meltdown vulnerabilities

[miroco]

In view of the upcoming speculative execution kernel patch för amd64, planned for 18.1.5 and the APU2C4 board.

https://forum.opnsense.org/index.php?topic=7595.0

PC Engines - about Spectre and Meltdown vulnerabilities

http://pcengines.ch/spectre.htm

On one hand a microcode update seems to be necessary in part to mitigate the effects of the Spectre vulnerability. On the other hand it seems that PC Engines standpoint is that "the vulnerability must be handled at the OS level". That's consistent with the upcoming patch, but not a word about a microcode update?

Is there a discrepancy, or have I misunderstood the complexity of the problem?


Regards,


Miroco

[franco]

Hi,

The problem with microcode updates at the OS level is that it's silly:

1. Microcode updates do not persist through reboots so they must be applied every time as early as possible during boot in order to avoid operational "glitches" and possibly too late mitigation of bugs and/or vulnerabilities. The are best shipped by BIOS providers because once the OS boots the system is in a consistent patched state.

2. We don't want to force microcode updates on users in the OS. We try to stay clear regarding hardware configuration and similar hardware-related modifications in order to concentrate on the OS-level software functionality.

However, there will be further work for allowing microcode updates in OPNsense directly, but we feel we need to tackle the OS challenges first before acting as a fire brigade for unwilling BIOS manufacturers.

This goes in general, not tied to a specific Meltdown or Spectre attack. If you split these topics up there may be nothing to be done for one particular hardware CPU. Where this leaves the Deciso A10 is something I'll try to find out from the source. But we as in OPNsense won't speak on anyone else's behalf and I hope our priorities are clear.


Cheers,
Franco

[miroco]

Thank you for straightening this out. I'm however convinced that this is not the last take on this issue. 



Regards,


Miroco

[franco]

Well, after internal discussion at least for the A10 there is no AMD microcode update that could currently be shipped with the bios, but this would be viable if one surfaces.

However, consensus is that OS must fix all because everyone else is not interested or lazy or dead in the water so sooner or later we will allow microcode updates via plugin.


Cheers,
Franco

[dcol]

It does seem as though a FreeBSD patch is not the only thing necessary. BIOS patches are also required which may have an effect on people using older hardware which no longer receives BIOS updates.

Is this the case?

[franco]

For Spectre V2 yes, for Meltdown there is no known microcode fix and / or it will never be fixed.

https://lists.freebsd.org/pipermail/freebsd-security/2018-March/009790.html
https://lists.freebsd.org/pipermail/freebsd-security/2018-March/009794.html


Cheers,
Franco

[dcol]

Thanks, something to consider when picking hardware to use for OPNsense.

[fhloston]

There actually is new microcode in the wild, which applies successfully to the apu2.

https://github.com/platomav/CPUMicrocodes/blob/master/AMD/cpu00730F01_ver07030106_2018-02-09_88EDFAA0.bin

I have so far managed to load the microcode in my debian installation.

How would I load this in OPNsense?

Code: [Select]

[435975.155078] platform microcode: firmware: direct-loading firmware amd-ucode/microcode_amd_fam16h.bin
[435975.167741] microcode: CPU0: new patch_level=0x07030106
[435975.176174] microcode: CPU1: new patch_level=0x07030106
[435975.184785] microcode: CPU2: new patch_level=0x07030106
[435975.193171] microcode: CPU3: new patch_level=0x07030106

The spectre-meltdown-checker reflects that new microcode accordingly:

Code: [Select]

Spectre and Meltdown mitigation detection tool v0.35                                                                                                                   
                                                                                                                                                                       
Checking for vulnerabilities on current system                                                                                                                         
Kernel is Linux 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64                                                                                       
CPU is AMD GX-412TC SOC                                                                                                                                               
                                                                                                                                                                       
Hardware check                                                                                                                                                         
* Hardware support (CPU microcode) for mitigation techniques                                                                                                           
  * Indirect Branch Restricted Speculation (IBRS)                                                                                                                     
    * SPEC_CTRL MSR is available:  NO                                                                                                                                 
    * CPU indicates IBRS capability:  NO                                                                                                                               
  * Indirect Branch Prediction Barrier (IBPB)                                                                                                                         
    * PRED_CMD MSR is available:  YES                                                                                                                                 
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)                                                                                                 
  * Single Thread Indirect Branch Predictors (STIBP)                                                                                                                   
    * SPEC_CTRL MSR is available:  NO                                                                                                                                 
    * CPU indicates STIBP capability:  NO                                                                                                                             
  * Enhanced IBRS (IBRS_ALL)                                                                                                                                           
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO                                                                                                           
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO                                                                                                       
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO                                                                                           
  * CPU microcode is known to cause stability problems:  NO                                                                                                           
* CPU vulnerability to the three speculative execution attacks variants                                                                                               
  * Vulnerable to Variant 1:  YES                                                                                                                                     
  * Vulnerable to Variant 2:  YES                                                                                                                                     
  * Vulnerable to Variant 3:  NO                                                                                                                                       
                                                                                                                                                                       
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'                                                                                                           
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full AMD retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that your CPU is unaffected)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  NO
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)


[fhloston]

ok, just to answer my own question:

backup old microcode
copy new microcode to /usr/local/share/cpucontrol/microcode_amd_fam16h.bin

Code: [Select]

pkg install devcpu-data
echo 'microcode_update_enable="YES"' >>/etc/rc.conf
service microcode_update start
cpucontrol -v -u /dev/cpuctl0
cpucontrol -v -u /dev/cpuctl1
cpucontrol -v -u /dev/cpuctl2
cpucontrol -v -u /dev/cpuctl3


[franco]

Thanks for sharing