[CALL FOR TESTING] Speculative Execution Kernel Patch for amd64

[franco]

Good news everyone,

FreeBSD officially released its speculative execution patch[1] consisting of PTI (Meltdown) and IBRS (Spectre V2) mitigation for version 11.1. It is worth mentioning that it is only available for the amd64 architecture.

Before we start releasing it as well we would like to invite as many of you to try the patch and report back your results to ensure a smooth and timely integration. At the moment this integration is planned for 18.1.5 some time next week.

Testing and discussion went on internally the last couple of days. We did not encounter problems and were surprised by the lack of noticeable slowdown that was feared initially. Following the HardenedBSD perspective we are going to adopt an opt-out approach for all mitigation. That means in contrast to FreeBSD both PTI and IBRS are enabled by default and can be persistently modified by users if required. In the case of Meltdown this means AMD CPUs are mitigated as well for increased security in case of yet unknown exploits.

There is one more quirk that is worth mentioning: IBRS requires microcode updates to the hardware in order to be effective at all.

If the patch gives you boot trouble you can use option "5" from the boot menu to switch to "kernel.old". Make sure you are on version 18.1.4 before continuing.

The kernel is installed and rebooted as follows:

# opnsense-update -kr 18.1-cft
# /usr/local/etc/rc.reboot

To get back to the release kernel simply rerun as follows:

# opnsense-update -k
# /usr/local/etc/rc.reboot

(Additional info from the FreeBSD SA for the opt-out process)

The status of PTI can be checked via the vm.pmap.pti sysctl:

# sysctl vm.pmap.pti
vm.pmap.pti: 1

The default setting can be overridden by setting the loader tunable vm.pmap.pti to 1 or 0 in /boot/loader.conf. This setting takes effect only at boot.

IBRS can be disabled via the hw.ibrs_disable sysctl (and tunable), and the status can be checked via the hw.ibrs_active sysctl. IBRS may be enabled or disabled at runtime.

Very special thanks to Shawn Webb for his dedication on both HardenedBSD and OPNsense. We are lucky to have him available as a core developer.


Thanks in advance,
Franco on behalf of the OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc

[marjohn56]

Installed and running here...

[elektroinside]

I will try this as well in the upcoming days. Thank you for all your hard work!

[Julien]

installed here on a real hardware on a production.
will report back in case of any bug

[franco]

Thank you all. No red flags so far. Looking good.

[elektroinside]

Looking good here as well, so far no issues.

[dcol]

Installed here as well. No issues. Will put it though a workout.

[elektroinside]

Keeps working well for me, awesome work guys! Well done!

[marjohn56]

Same here.. No issues to report, all good. There's a slight increase in CPU usage, but nothing worth worrying about. Used the VPN yesterday and no issues to report there either.

[weust]

If I don't forget, again, I will test it tonight in my Gen 2 Hyper-V VM.

[phoenix]

Another "me too", no problems since I installed it yesterday.

[odites999]

Everything is working OK. No problems so far. 


Cheers!

[dcol]

Is there a way to incorporate the Meltdown tools in OPNsense?
https://github.com/dag-erling/meltdown

[weust]

Installed, and running fine so far. Just a few hours.
Twitch is fine, webbrowsing and downloading some files all fine so far.

[lattera]

Is there a way to incorporate the Meltdown tools in OPNsense?
https://github.com/dag-erling/meltdown

I'll try my luck at creating a port for that in HardenedBSD's ports tree, which OPNsense uses. Good idea!