Annotation of wikisrc/security/meltdown_spectre.mdwn, revision 1.34

[[!meta title="Meltdown and Spectre Status Page"]]

Status of the Fixes
-------------------

NetBSD-6 and all earlier releases have no planned fixes.

## Spectre Variant 1

[[!table data="""
Port           |Vendor/Model   |Spectre (V1)   |NetBSD-7       |NetBSD-8       |NetBSD-current
amd64          |Intel          |Vulnerable     |Not fixed      |Not fixed      |Not fixed
amd64          |AMD            |Vulnerable     |Not fixed      |Not fixed      |Not fixed
amd64          |VIA            |Unknown        |               |               |
i386           |Intel          |Vulnerable     |Not fixed      |Not fixed      |Not fixed
i386           |AMD            |Vulnerable     |Not fixed      |Not fixed      |Not fixed
i386           |VIA            |Unknown        |               |               |
mips           |MIPS P5600     |Vulnerable     |Not fixed      |Not fixed      |Not fixed
mips           |MIPS P6600     |Vulnerable     |Not fixed      |Not fixed      |Not fixed
mips           |MIPS (others)  |Not vulnerable |               |               |
ia64           |Intel          |Not vulnerable |               |               |
riscv          |(spec)         |Not vulnerable |               |               |
arm            |ARM Cortex-R7  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-R8  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A8  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A9  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A12 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A15 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A17 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A57 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A72 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A73 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A75 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM (others)   |Not vulnerable |               |               |
"""]]

## Spectre Variant 2

[[!table data="""
Port           |Vendor/Model   |Spectre (V2)   |NetBSD-7       |NetBSD-8       |NetBSD-current
amd64          |Intel          |Vulnerable     |Not fixed      |Fixed [MitigD] |Fixed [MitigB] [MitigD]
amd64          |AMD            |Vulnerable     |Not fixed      |Fixed [MitigD] |Fixed [MitigC] [MitigD]
amd64          |VIA            |Unknown        |               |               |
i386           |Intel          |Vulnerable     |Not fixed      |Fixed [MitigD] |Fixed [MitigD]
i386           |AMD            |Vulnerable     |Not fixed      |Fixed [MitigD] |Fixed [MitigC] [MitigD]
i386           |VIA            |Unknown        |               |               |
mips           |MIPS P5600     |Vulnerable     |Not fixed      |Not fixed      |Not fixed
mips           |MIPS P6600     |Vulnerable     |Not fixed      |Not fixed      |Not fixed
mips           |MIPS (others)  |Not vulnerable |               |               |
ia64           |Intel          |Not vulnerable |               |               |
riscv          |(spec)         |Not vulnerable |               |               |
arm            |ARM Cortex-R7  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-R8  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A8  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A9  |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A12 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A15 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A17 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A57 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A72 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A73 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A75 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM (others)   |Not vulnerable |               |               |
"""]]

## Meltdown

[[!table data="""
Port           |Vendor/Model   |Meltdown (V3)  |NetBSD-7       |NetBSD-8       |NetBSD-current
amd64          |Intel          |Vulnerable     |Not fixed      |Fixed [MitigA] |Fixed [MitigA]
amd64          |AMD            |Not vulnerable |               |               |
amd64          |VIA            |Unknown        |               |               |
i386           |Intel          |Vulnerable     |Not fixed      |Not fixed      |Not fixed
i386           |AMD            |Not vulnerable |               |               |
i386           |VIA            |Unknown        |               |               |
mips           |(all)          |Not vulnerable |               |               |
ia64           |Intel          |Not vulnerable |               |               |
riscv          |(spec)         |Not vulnerable |               |               |
arm            |ARM Cortex-A15 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A57 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A72 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A75 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM (others)   |Not vulnerable |               |               |
"""]]

## Spectre Variant 3a

This issue will be addressed in future microcode updates on x86. No
software change is required.

## Spectre Variant 4

[[!table data="""
Port           |Vendor/Model   |Spectre (V4)   |NetBSD-7       |NetBSD-8       |NetBSD-current
amd64          |Intel          |Vulnerable     |Not fixed      |Not fixed      |Fixed [MitigE]
amd64          |AMD            |Vulnerable     |Not fixed      |Not fixed      |Fixed [MitigF]
amd64          |VIA            |Unknown        |               |               |
i386           |Intel          |Vulnerable     |Not fixed      |Not fixed      |Fixed [MitigE]
i386           |AMD            |Vulnerable     |Not fixed      |Not fixed      |Fixed [MitigF]
i386           |VIA            |Unknown        |               |               |
arm            |ARM Cortex-A57 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A72 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A73 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM Cortex-A75 |Vulnerable     |Not fixed      |Not fixed      |Not fixed
arm            |ARM (others)   |Not vulnerable |               |               |
"""]]

## Mitigations

### Mitigation A: SVS

Meltdown is mitigated with the SVS feature. It can be dynamically disabled
by changing the "machdep.svs.enabled" sysctl.

### Mitigations B, C, D

There is no unified mitigation for SpectreV2. Rather, a set of mitigations
is available, in both hardware and software.

Three sysctls exist, under the machdep.spectre_v2 node:

[[!template id=programlisting text="""
machdep.spectre_v2.hwmitigated = {0/1} user-settable
machdep.spectre_v2.swmitigated = {0/1} set by the kernel
machdep.spectre_v2.method = {string} constructed by the kernel
"""]]

Only "hwmitigated" can be set by the user. When set to one, the kernel will
determine the best hardware mitigation available for the currently
running CPU, and will apply it.

#### Mitigation B: Intel IBRS

Hardware mitigation, Intel only (for now). If the CPU supports this method,
it is used automatically by the kernel. It can be dynamically
enabled/disabled by changing the "hwmitigated" sysctl.

#### Mitigation C: AMD DIS_IND

Hardware mitigation, available only on a few AMD families. If the CPU
supports this method, it is used automatically by the kernel. It can be
dynamically enabled/disabled by changing the "hwmitigated" sysctl.

#### Mitigation D: GCC Retpoline

Software mitigation. It is enabled by default in GENERIC. When enabled,
the "swmitigated" sysctl is set to one.

### Mitigations E, F

There are two available mitigations for SpectreV4. Their availability
depends on the CPU model and the microcode or BIOS revision.

[[!template id=programlisting text="""
machdep.spectre_v4.mitigated = {0/1} user-settable
machdep.spectre_v4.method = {string} constructed by the kernel
"""]]

Only "mitigated" can be set by the user. When set to one, the kernel will
determine the best hardware mitigation available for the currently
running CPU, and will apply it.

#### Mitigation E: Intel SSBD

Available only on Intel (for now). It can be dynamically enabled/disabled
by changing the "mitigated" sysctl.

#### Mitigation F: AMD NONARCH

Available only on AMD families 15h and 16h. It can be dynamically
enabled/disabled by changing the "mitigated" sysctl.
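The sysctls described under Mitigations A through F can be checked in one pass. The script below is an added example, not part of this wiki page or of NetBSD; it assumes the "name = value" line format of sysctl(8) output, treats a missing node as "unknown" (a kernel that predates the knob), and ships with a constructed sample dump for offline use.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki page: summarise the Meltdown,
# SpectreV2 and SpectreV4 sysctls documented under Mitigations A-F.
# Assumed use on a NetBSD host (pipe the live values in):
#   sysctl machdep.svs machdep.spectre_v2 machdep.spectre_v4 | sh check.sh -
# Without "-" it reports on SAMPLE, whose values are constructed.

# sysctl_value DUMP NAME: NAME's value from "name = value" lines in DUMP,
# empty when the node is absent (e.g. a kernel that predates the knob).
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '{ i = index($0, " = ")
        if (i && substr($0, 1, i - 1) == k) print substr($0, i + 3) }'
}

# report DUMP: one verdict per issue. SpectreV2 counts as mitigated when
# either hwmitigated (IBRS/DIS_IND) or swmitigated (retpoline) is 1.
report() {
    svs=$(sysctl_value "$1" machdep.svs.enabled)
    hw=$(sysctl_value "$1" machdep.spectre_v2.hwmitigated)
    sw=$(sysctl_value "$1" machdep.spectre_v2.swmitigated)
    v2m=$(sysctl_value "$1" machdep.spectre_v2.method)
    v4=$(sysctl_value "$1" machdep.spectre_v4.mitigated)
    case $svs in
        1) echo "Meltdown: mitigated (SVS)" ;;
        0) echo "Meltdown: NOT mitigated (SVS disabled)" ;;
        *) echo "Meltdown: unknown (no machdep.svs.enabled node)" ;;
    esac
    if [ "$hw" = 1 ] || [ "$sw" = 1 ]; then
        echo "SpectreV2: mitigated${v2m:+ ($v2m)}"
    elif [ -z "$hw" ] && [ -z "$sw" ]; then
        echo "SpectreV2: unknown (no machdep.spectre_v2 node)"
    else
        echo "SpectreV2: NOT mitigated"
    fi
    case $v4 in
        1) echo "SpectreV4: mitigated" ;;
        0) echo "SpectreV4: NOT mitigated" ;;
        *) echo "SpectreV4: unknown (no machdep.spectre_v4 node)" ;;
    esac
}

# Constructed sample, not captured from a real machine.
SAMPLE='machdep.svs.enabled = 1
machdep.spectre_v2.hwmitigated = 0
machdep.spectre_v2.swmitigated = 1
machdep.spectre_v2.method = [GCC retpoline]
machdep.spectre_v4.mitigated = 0'

if [ "$1" = "-" ]; then report "$(cat)"; else report "$SAMPLE"; fi
```

The "unknown" verdicts are what a NetBSD-7 kernel produces, since it has none of these nodes; "NOT mitigated" means the node exists but the knob is off.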

## External Resources

* [MIPS Blog Post](https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/)
* [ARM Security Update](https://developer.arm.com/support/security-update)
* [RISC-V](https://riscv.org/2018/01/more-secure-world-risc-v-isa/)

## Notes

* VIA Technologies did not issue any statement regarding their CPUs. It is not currently known whether they are affected.

