Call for Testing: 11.1-RELEASE Meltdown/Spectre mitigation merge =============================================================== (Posted at https://lists.freebsd.org/pipermail/freebsd-stable/2018-March/088526.html) A number of issues relating to speculative execution were found last year and publicly announced January 3rd. A variety of techniques used to mitigate these issues have been committed to FreeBSD-CURRENT and have been merged to the stable/11 branch. The changes will be released as an update to FreeBSD 11.1-RELEASE in the near future, but the candidate merge patch is now available for broader testing. The patch addresses these issues: CVE-2017-5754 (Meltdown) ------------------------ This issue relies on a speculative execution of instructions that attempt to read kernel memory, but fault. Although the architectural state is as expected (the faulting instruction is not retired), cache or other microarchitectureal state is changed and may be used to observe privileged data. The mitigation is known as Page Table Isolation (PTI). PTI largely separates kernel and user mode page tables, so that even during speculative execution most of the kernel's data is unmapped and not accessible. A demonstration of the Meltdown vulnerability is available at [https://github.com/dag-erling/meltdown](https://github.com/dag-erling/meltdown). A positive result is definitive (i.e., the vulnerability exists with certainty). A negative result indicates either that the CPU is not affected, or that the test is not capable of demonstrating the issue on the CPU (and may need to be modified). CVE-2017-5715 (Spectre V2) -------------------------- Spectre V2 uses branch target injection to speculatively execute kernel code at an address under an attacker's control. There are two common mitigations for Spectre V2. This patch includes a mitigation using Indirect Branch Restricted Speculation, a feature available via a microcode update from processor manufacturers. The alternate mitigation, Retpoline, is a feature available in newer compilers and is available in FreeBSD-CURRENT now. It will be made available in stable branches in the future. Patch ----- The patch against 11.1-RELEASE is available at https://people.freebsd.org/~emaste/patches/amd64_11.1_meltdown.3.patch A patched kernel will automatically enable PTI on Intel CPUs, and can be confirmed via the `vm.pmap.pti` sysctl: ``` # sysctl vm.pmap.pti vm.pmap.pti: 1 ``` The default setting can be overridden by setting loader tunable `vm.pmap.pti` to `1` or `0` in /boot/loader.conf. This setting takes effect at boot. The patch includes the IBRS mitigation for Spectre V2. To use the mitigation the system must have an updated microcode; with older microcode a patched kernel will function without the mitigation. IBRS can be disabled via the `hw.ibrs_disable` sysctl (and tunable), and the status can be checked via the `hw.ibrs_active` sysctl. IBRS may be enabled or disabled at runtime. Additional detail on microcode updates will follow. Limitations ----------- This patch does not apply to 10.x, and does not include mitigations for architectures other than amd64 (x86_64). This work is ongoing and will be available at a later date. Testing ------- We are soliciting functionality and performance results from testing this 11.1-RELEASE patch under a variety of workloads. If you have the ability to test, please apply the patch and run the system with your usual workload and follow up with details, either here or directly to me. Benchmark data from our testing will soon be shared more widely. In brief, the PTI mitigation shows on the order of a 30% impact on system call microbenchmarks, to 1% to 2% for realistic workloads. This work is supported by the FreeBSD Foundation.