Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Shawn Webb
On Sun, Feb 18, 2018 at 10:02:08PM +, Tim Daneliuk wrote:
> On 02/18/2018 09:50 PM, Eric A. Borisch wrote:
> > 
> > On Sun, Feb 18, 2018 at 3:17 PM Tim Daneliuk wrote:
> > 
> > On 02/18/2018 05:47 PM, David Marec wrote:
> > > #cpucontrol -u -v /dev/cpuctl0
> > > cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw of
> > > rev 0x22: up to date
> > 
> > 
> > While we're on the subject ... where does one find these microcode
> > updates anyway.  On a 10.4-STABLE system, the command above blows out
> > because there is no directory /usr/local/share/cpucontrol ... so I am
> > missing the magic to get it populated.
> > 
> > --
> > 
> > 
> > Tim Daneliuk     tun...@tundraware.com
> > PGP Key:         http://www.tundraware.com/PGP/
> > 
> > 
> > It's provided by the sysutils/devcpu-data port.
> > 
> >  - Eric
> > 
> > 
> 
> 
> Yes thanks, I finally tripped across that myself :)  Do we have any insight on
> whether this addresses the latest vulnerabilities?

The latest Intel microcode gives CPUs affected by Spectre new MSRs,
one of which is to toggle IBRS. Vendors like Dell have started issuing
firmware updates that also apply the new CPU microcode. Check with
your vendor to see if they've shipped such firmware updates.

Having the CPU microcode applied is not enough. The OS needs to
support the new MSRs. FreeBSD 11-STABLE now does after the PTI and
IBRS MFCs.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:+1 443-546-8752
GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Tim Daneliuk
On 02/18/2018 09:50 PM, Eric A. Borisch wrote:
> 
> On Sun, Feb 18, 2018 at 3:17 PM Tim Daneliuk wrote:
> 
> On 02/18/2018 05:47 PM, David Marec wrote:
> > #cpucontrol -u -v /dev/cpuctl0
> > cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw 
> of rev 0x22: up to date
> 
> 
> While we're on the subject ... where does one find these microcode updates
> anyway.  On a 10.4-STABLE system, the command above blows out because
> there is no directory /usr/local/share/cpucontrol ... so I am missing
> the magic to get it populated.
> 
> --
> 
> 
> Tim Daneliuk     tun...@tundraware.com 
> PGP Key:         http://www.tundraware.com/PGP/
> 
> 
> It’s provided by the sysutils/devcpu-data port.
> 
>  - Eric
> 
> 


Yes thanks, I finally tripped across that myself :)  Do we have any insight on
whether this addresses the latest vulnerabilities?

-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Eric A. Borisch
On Sun, Feb 18, 2018 at 3:17 PM Tim Daneliuk wrote:

> On 02/18/2018 05:47 PM, David Marec wrote:
> > #cpucontrol -u -v /dev/cpuctl0
> > cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw of
> rev 0x22: up to date
>
>
> While we're on the subject ... where does one find these microcode updates
> anyway.  On a 10.4-STABLE system, the command above blows out because
> there is no directory /usr/local/share/cpucontrol ... so I am missing
> the magic to get it populated.
>
> --
>
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/


It’s provided by the sysutils/devcpu-data port.

 - Eric




Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Tim Daneliuk
On 02/18/2018 05:47 PM, David Marec wrote:
> #cpucontrol -u -v /dev/cpuctl0
> cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw of rev 
> 0x22: up to date


While we're on the subject ... where does one find these microcode updates
anyway.  On a 10.4-STABLE system, the command above blows out because
there is no directory /usr/local/share/cpucontrol ... so I am missing
the magic to get it populated.

-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread David Marec

On 18.02.2018 17:50, Shawn Webb wrote:
>> Strange thing is that tweaking `hw.ibrs_disable` has no effect on
>> `hw.ibrs_active` on my side.
>
> Did you install the latest Intel microcode update?

Hum, I thought I did, but I don't know actually if the following is the
latest revision of the microcode:

#cpucontrol -u -v /dev/cpuctl0
cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw of
rev 0x22: up to date

--
David Marec
https://lapinbilly.eu/


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Shawn Webb
On Sun, Feb 18, 2018 at 05:04:55PM +0100, David Marec wrote:
> On 17.02.2018 20:47, Jeremy Chadwick wrote:
> > hw.ibrs_disable
> >- Description: Disable Indirect Branch Restricted Speculation
> >- Loader tunable and sysctl tunable (read-write)
> >- Integer
> >- Default value: unsure.  Variable declaration has 1 but
> >  SYSCTL_PROC() macro has 0.
> > 
> 
> 
> Strange thing is that tweaking `hw.ibrs_disable` has no effect on
> `hw.ibrs_active` on my side.

Did you install the latest Intel microcode update?

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:+1 443-546-8752
GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE




Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread David Marec

On 17.02.2018 20:47, Jeremy Chadwick wrote:
> hw.ibrs_disable
>   - Description: Disable Indirect Branch Restricted Speculation
>   - Loader tunable and sysctl tunable (read-write)
>   - Integer
>   - Default value: unsure.  Variable declaration has 1 but
>     SYSCTL_PROC() macro has 0.

Strange thing is that tweaking `hw.ibrs_disable` has no effect on
`hw.ibrs_active` on my side.


--
David Marec
https://lapinbilly.eu/


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-18 Thread Mike Tancsa

did a few simple buildworlds before and after on an Epyc box, and it had
no significant impact. It's vulnerable just to Spectre.  I am just
updating an Intel box to see the impact of the Meltdown fixes.  From
what I recall, apps that do a lot of system calls will have the largest
impact.

---Mike


On 2/17/2018 3:38 PM, Pete French wrote:
> 
> 
> On 17/02/2018 20:19, Matt Smith wrote:
> 
>> And thank you for pointing this out. I can now just wait a while to
>> see what comes along rather than accidentally upgrading it and killing
>> the already really slow performance.
>>
> I was just looking at this too, and wondering what (if any) the
> performance impact is on FreeBSD. I had a quick google to see if I could
> find anything on current about it, but no luck. Anyone done any
> measurements ?
> 
> -pete.


-- 
---
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-17 Thread Kevin Oberman
On Sat, Feb 17, 2018 at 12:38 PM, Pete French wrote:

> On 17/02/2018 20:19, Matt Smith wrote:
>
>> And thank you for pointing this out. I can now just wait a while to see
>> what comes along rather than accidentally upgrading it and killing the
>> already really slow performance.
>>
> I was just looking at this too, and wondering what (if any) the
> performance impact is on FreeBSD. I had a quick google to see if I could
> find anything on current about it, but no luck. Anyone done any
> measurements ?
>
> -pete.


Well, I would also like a bit of information on this. When I get a moment
I'll see if I can find anything on this on the current@ archive.

Looks like all are loadables, so need to be defined in /boot/loader.conf
and can only be changed on a boot, with the exception of hw.ibrs_disable
which is settable either at boot or via sysctl. Looks like that is the one
to twiddle to check on impact.

I'm currently updating my stable system as this hit the tree after my
morning updates.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkober...@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-17 Thread Pete French

On 17/02/2018 20:19, Matt Smith wrote:
> And thank you for pointing this out. I can now just wait a while to see
> what comes along rather than accidentally upgrading it and killing the
> already really slow performance.

I was just looking at this too, and wondering what (if any) the
performance impact is on FreeBSD. I had a quick google to see if I could
find anything on current about it, but no luck. Anyone done any
measurements ?


-pete.


Re: stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-17 Thread Matt Smith

On Feb 17 11:47, Jeremy Chadwick wrote:
> Reference: https://svnweb.freebsd.org/base?view=revision&revision=329462
>
> Do the following new loader tunables and sysctls have documentation
> anywhere?  I ask because I wish to know how to turn all of this off (yes
> you heard me correctly), as not all systems necessarily require
> mitigation of these flaws.


+1. I have an Intel Atom D525 "Pineview" which I'm led to believe 
doesn't have these flaws and therefore unless it's detected and disabled 
automatically I too would like to have documentation on how to view the 
current status, and disable it as required.


And thank you for pointing this out. I can now just wait a while to see 
what comes along rather than accidentally upgrading it and killing the 
already really slow performance.


--
Matt


stable/11 r329462 - Meltdown/Spectre MFC questions

2018-02-17 Thread Jeremy Chadwick
Reference: https://svnweb.freebsd.org/base?view=revision&revision=329462

Do the following new loader tunables and sysctls have documentation
anywhere?  I ask because I wish to know how to turn all of this off (yes
you heard me correctly), as not all systems necessarily require
mitigation of these flaws.

Best I can tell from skimming source:

vm.pmap.pti
  - Description: Page Table Isolation enabled
  - Loader tunable, visible in sysctl (read-only)
  - Integer
  - Default value: depends on CPU model and capabilities, see
function pti_get_default(); looks like AMD = 0, any CPU with
RDCL_NO capability enabled = 0, else 1

hw.ibrs_active
  - Description: Indirect Branch Restricted Speculation active
  - sysctl (read-only)
  - Integer
  - Real-time indicator as to if IBRS is currently on or off

hw.ibrs_disable 
  - Description: Disable Indirect Branch Restricted Speculation
  - Loader tunable and sysctl tunable (read-write)
  - Integer
  - Default value: unsure.  Variable declaration has 1 but
SYSCTL_PROC() macro has 0.

Thank you.

-- 
| Jeremy Chadwick   j...@koitsu.org |
| UNIX Systems Administratorhttp://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |

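The three sysctls Jeremy lists above, together with Shawn's point that the kernel can only use IBRS once the microcode exposes the MSRs, and David's report that flipping hw.ibrs_disable left hw.ibrs_active unchanged, combine into one status check. The script below is an added example written for this thread, not code from FreeBSD or from any poster. It reads sysctl(8) output on stdin, classifies the PTI and IBRS state, and parses the cpucontrol "up to date" line quoted in the thread. The sample sysctl and cpucontrol lines at the bottom are constructed to reproduce the symptom David saw; the interpretation of "enabled by policy but not active" as missing IBRS MSRs is an inference from the thread, not a direct MSR probe.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the Meltdown/Spectre
# mitigation state of a FreeBSD 11-STABLE (r329462 or later) host from the
# three sysctls named in the thread, and parse the cpucontrol line quoted
# above. On a real host:
#   sysctl vm.pmap.pti hw.ibrs_active hw.ibrs_disable | sh this.sh
# Here the sysctl and cpucontrol output are constructed so it runs anywhere.

# Print the integer value of "<name>: <n>" read from stdin; empty if absent.
sysctl_val() {
    name=$(printf '%s' "$1" | sed 's/\./\\./g')   # quote dots for sed
    sed -n "s/^$name: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Read sysctl(8) output on stdin and print a one-line verdict.
# Exit 0 when the sysctls exist, 2 when they do not (kernel predates the MFC).
mitigation_status() {
    input=$(cat)
    pti=$(printf '%s\n' "$input" | sysctl_val vm.pmap.pti)
    active=$(printf '%s\n' "$input" | sysctl_val hw.ibrs_active)
    disable=$(printf '%s\n' "$input" | sysctl_val hw.ibrs_disable)

    if [ -z "$pti" ] || [ -z "$active" ] || [ -z "$disable" ]; then
        echo "unknown: vm.pmap.pti/hw.ibrs_* missing, kernel predates r329462"
        return 2
    fi

    if [ "$pti" = 1 ]; then
        pti_msg="PTI on"
    else
        # pti_get_default() picks 0 on AMD and on CPUs advertising RDCL_NO;
        # vm.pmap.pti=0 in loader.conf forces it off as well.
        pti_msg="PTI off"
    fi

    if [ "$active" = 1 ]; then
        ibrs_msg="IBRS active"
    elif [ "$disable" = 1 ]; then
        ibrs_msg="IBRS off by policy (hw.ibrs_disable=1)"
    else
        # Enabled by policy yet not active: the kernel found no IBRS MSRs.
        # On Intel this is the symptom of microcode that has not been
        # applied (inference from the thread, not an MSR probe).
        ibrs_msg="IBRS wanted but not active: CPU exposes no IBRS MSRs, check microcode"
    fi
    printf '%s; %s\n' "$pti_msg" "$ibrs_msg"
}

# Parse 'cpucontrol -u -v' output on stdin; report the revision when the
# "... of rev 0x..: up to date" line from the thread is present.
microcode_verdict() {
    rev=$(sed -n 's/.* of rev \(0x[0-9a-fA-F]*\): up to date.*/\1/p' | head -n 1)
    if [ -n "$rev" ]; then
        echo "microcode up to date at rev $rev"
    else
        echo "no 'up to date' line; inspect cpucontrol output"
    fi
}

# Constructed sample matching the thread: microcode reported "up to date"
# yet IBRS never becomes active, i.e. what a no-effect hw.ibrs_disable
# toggle looks like from the sysctl side.
sample_sysctl='vm.pmap.pti: 1
hw.ibrs_active: 0
hw.ibrs_disable: 0'
sample_cpucontrol='cpucontrol: skipping /usr/local/share/cpucontrol/m32306c3_0022.fw of rev 0x22: up to date'

printf '%s\n' "$sample_sysctl" | mitigation_status
printf '%s\n' "$sample_cpucontrol" | microcode_verdict
```

For the "turn it all off" case Jeremy asks about, the tunables he lists give the knobs: `vm.pmap.pti=0` in /boot/loader.conf (read-only at runtime), and `hw.ibrs_disable=1` either in loader.conf or via sysctl at runtime. Running the check after such a change, or after installing sysutils/devcpu-data and applying microcode, shows which of the two verdicts actually moved.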