version 1.30, 2018/05/22 07:37:22 -> version 1.31, 2018/05/22 08:24:53

@@ Line 94 @@
 riscv |(Spec.) |Not vulnerable | | |
 
 ## Spectre Variant 3a
 
-This issue will be addressed in future microcode updates. No software
-change is required.
+This issue will be addressed in future microcode updates on x86. No
+software change is required.
 
 ## Spectre Variant 4
 
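Review bot: the added "on x86" now scopes the microcode statement to one port but says nothing about the others in the Variant 3a section, so a reader of a non-x86 port cannot tell whether they are unaffected, unmitigated, or simply not covered by this sentence. Suggest stating the status of the other ports explicitly, for example by adding a second sentence after "No software change is required." that says what the non-x86 ports do for this variant.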
@@ Line 116 @@
 i386 |VIA |Unknown | | |
 
 Meltdown is mitigated with the SVS feature. It can be dynamically disabled
 by changing the "machdep.svs.enabled" sysctl.
 
-### Mitigation B: Intel IBRS
+### Mitigations B, C, D
 
-SpectreV2 can be mitigated with the IBRS method (Intel only for now). If
-the CPU supports this method, it is used automatically. It can be
-dynamically disabled by changing the "machdep.spectre_v2.mitigated"
-sysctl.
+There is no unified mitigation for SpectreV2. Rather, a set of mitigations
+are available, in both hardware and software.
+
+Three sysctls exist, under the machdep.spectre_v2 node:
+
+[[!template id=programlisting text="""
+machdep.spectre_v2.hwmitigated = {0/1} user-settable
+machdep.spectre_v2.swmitigated = {0/1} set by the kernel
+machdep.spectre_v2.method = {string} set by the kernel
+"""]]
+
+Only hwmitigated can be set by the user. When set to one, the kernel will
+determine the best hardware mitigation available for the currently
+running CPU, and will apply it.
+
+#### Mitigation B: Intel IBRS
+
+Hardware mitigation, Intel only (for now). If the CPU supports this method,
+it is used automatically by the kernel. It can be dynamically
+enabled/disabled by changing the "hwmitigated" sysctl.
 
-### Mitigation C: AMD DIS_IND
+#### Mitigation C: AMD DIS_IND
 
-SpectreV2 can be mitigated with the DIS_IND method, available only on a
-few AMD families. If the CPU supports this method, it is used
-automatically. It can be dynamically disabled by changing the
-"machdep.spectre_v2.mitigated" sysctl.
+Hardware mitigation, available only on a few AMD families. If the CPU
+supports this method, it is used automatically by the kernel. It can be
+dynamically enabled/disabled by changing the "hwmitigated" sysctl.
 
-### Mitigation D: Retpoline
+#### Mitigation D: GCC Retpoline
 
-SpectreV2 is mitigated in the kernel with the GCC "retpoline" compilation
-flag, which is enabled by default in GENERIC.
+Software mitigation. It is enabled by default in GENERIC. When enabled,
+the "swmitigated" sysctl is set to one.
 
 ### Mitigation E: Intel SSBD
 
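Review bot: the rewritten Mitigation D paragraph drops the only statement of how retpoline is applied. The removed text named the GCC "retpoline" compilation flag; the replacement says only "Software mitigation. It is enabled by default in GENERIC." so a reader building a custom kernel no longer learns what turns it on or off, and "swmitigated" is described as set by the kernel with no way given to influence it. Suggest keeping the flag mention, e.g. `Software mitigation, using the GCC "retpoline" compilation flag. It is enabled by default in GENERIC.` In the same hunk, the sysctl listing marks hwmitigated as user-settable and the following paragraph says what happens when it is set to one, but nothing states its default in GENERIC; one sentence on the default would answer the first question a reader will have after "It can be dynamically enabled/disabled by changing the "hwmitigated" sysctl."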