Episode Details

Back to Episodes
230: Your questions, Part III

230: Your questions, Part III

Published 8 years, 2 months ago
Description

We provide you with updates to Spectre and Meltdown from various BSD projects, a review of TrueOS from Linux, how to set up FreeBSD on ThinkPad x240, and a whole bunch of beastie bits.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Headlines

KPTI patch lands in FreeBSD -current

  • After a heroic effort by Konstantin Belousov kib@FreeBSD.org, the first meltdown patch has landed in FreeBSD
  • This creates separate page tables for the Kernel and userland, and switches between them when executions enters the kernel, and when it returns to userland
  • It is currently off by default, but you are encouraged to test it, so it can be merged back to the release branches. Set vm.pmap.pti=1 in /boot/loader.conf
  • The existing implementation of PCID (process-context identifiers), is not compatible with the new PTI code, and is disabled when PTI is enabled, decreasing performance. A future patch will use PCID in a way that is compatible with PTI.
  • PCID allows the OS to annotate memory mappings to specific processes, so that they can be flushed selectively, and so that they are only used when in the context of that application.
  • Once the developers are relatively confident in the correctness of the code that has landed in -current, it will be ported back to FreeBSD 10 and 11, and released as a security advisory.
  • Apparently porting back to FreeBSD 11 only has some relatively simple merge conflicts, but 10 will be more work.
  • Former FreeBSD Security Officer Dag-Erling Smørgrav has created a meltdown testing and PoC tool that you can use to check your system. It is not finished yet, and doesn’t seem to work with newer processors (haswell and newer).
  • The first partial mitigation for Spectre variant 2 for bhyve on AMD64 has also been committed
  • The latest information is always available on the FreeBSD Wiki ***

Some thoughts on Spectre and Meltdown

  • Colin Percival breaks down how these vulnerabilities work, with same nice analogies
  • What is a side channel:

I want to know when my girlfriend's passport expires, but she won't show me her passport (she complains that it has a horrible photo) and refuses to tell me the expiry date. I tell her that I'm going to take her to Europe on vacation in August and watch what happens: If she runs out to renew her passport, I know that it will expire before August; while if she doesn't get her passport renewed, I know that it will remain valid beyond that date. Her desire to ensure that her passport would be valid inadvertently revealed to me some information: Whether its expiry date was before or after August.

  • Spectre Variant 1:

I tell my girlfriend that I'm going to take her on vacation in June, but I don't tell her where yet; however, she knows that it will either be somewhere within Canada (for which she doesn't need a passport, since we live in V

Listen Now

Love PodBriefly?

If you like Podbriefly.com, please consider donating to support the ongoing development.

Support Us