File:  [NetBSD Developer Wiki] / wikisrc / security / meltdown_spectre.mdwn
Revision 1.23
Sun Apr 8 09:01:37 2018 UTC by maxv
Branches: MAIN
CVS tags: HEAD
add retpoline

[[!meta title="Meltdown and Spectre Status Page"]]

Status of the Fixes
-------------------

NetBSD-6 and all earlier releases have no planned fixes.

## Spectre Variant 1

[[!table data="""
Port		|Vendor/Model	|Spectre (V1)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|VIA		|Unknown	|		|		|
mips		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|Other Models	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
"""]]

## Spectre Variant 2

[[!table data="""
Port		|Vendor/Model	|Spectre (V2)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigB] [MitigD]
amd64		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigC] [MitigD]
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigD]
i386		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigC]
i386		|VIA		|Unknown	|		|		|
mips		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|Other Models	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
"""]]

## Meltdown

[[!table data="""
Port		|Vendor/Model	|Meltdown (V3)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigA]	|Fixed [MitigA]
amd64		|AMD		|Not vulnerable	|		|		|
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Not vulnerable	|		|		|
i386		|VIA		|Unknown	|		|		|
mips		|MIPS P5600	|Not vulnerable	|		|		|
mips		|MIPS P6600	|Not vulnerable	|		|		|
mips		|Other Models	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
"""]]

## Mitigations

### Mitigation A: SVS

Meltdown is mitigated with the SVS feature. It can be dynamically disabled
by changing the "machdep.svs.enabled" sysctl.

### Mitigation B: Intel IBRS

SpectreV2 can be mitigated with the IBRS method (Intel only for now). If
the CPU supports this method, it is used automatically. It can be
dynamically disabled by changing the "machdep.spectre_v2.mitigated"
sysctl.

### Mitigation C: AMD DIS_IND

SpectreV2 can be mitigated with the DIS_IND method, available only on a
few AMD families. If the CPU supports this method, it is used
automatically. It can be dynamically disabled by changing the
"machdep.spectre_v2.mitigated" sysctl.

### Mitigation D: Retpoline

SpectreV2 is mitigated in the kernel with the GCC "retpoline" compilation
flag, which is enabled by default in GENERIC.
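
Added example, not part of the NetBSD wiki page or NetBSD's own tooling: a POSIX sh audit helper that parses `sysctl` output for the two runtime knobs named under Mitigations A to C and exits non-zero if either is disabled or missing. The function name and status labels are hypothetical, and it assumes the nodes read back as 1 or 0; retpoline (Mitigation D) is a compile-time flag, so it has no knob to check here.

```sh
#!/bin/sh
# Added example (not NetBSD project code). Reads `sysctl` output, one
# "name = value" line per node, on stdin and reports the two knobs above.
# Assumptions: 1 means active, 0 means disabled, and a node missing from
# the input means the running kernel does not provide that mitigation.

audit_mitigations() {
    awk '
        BEGIN {
            # sysctl names come from the page; the labels are ours.
            want["machdep.svs.enabled"]          = "Meltdown (SVS)"
            want["machdep.spectre_v2.mitigated"] = "SpectreV2 (IBRS/DIS_IND)"
        }
        {
            # Split on the first "=" and trim, so "a = 1" and "a=1" both parse.
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name in want) seen[name] = val
        }
        END {
            split("machdep.svs.enabled machdep.spectre_v2.mitigated", order, " ")
            bad = 0
            for (i = 1; i <= 2; i++) {
                k = order[i]
                if (!(k in seen))        { state = "ABSENT";   bad = 1 }
                else if (seen[k] == "1") { state = "ENABLED" }
                else if (seen[k] == "0") { state = "DISABLED"; bad = 1 }
                else                     { state = "UNKNOWN";  bad = 1 }
                printf "%-9s %s [%s]\n", state, want[k], k
            }
            exit bad   # non-zero when any knob is not reported as active
        }'
}

# Constructed sample: an amd64 host where SVS was switched off at runtime.
sample='machdep.svs.enabled = 0
machdep.spectre_v2.mitigated = 1'
printf '%s\n' "$sample" | audit_mitigations || echo "a mitigation is not active"

# On a live NetBSD host (assumed invocation, not run here):
#   sysctl machdep.svs.enabled machdep.spectre_v2.mitigated 2>/dev/null | audit_mitigations
```

An ABSENT result is expected on ports and releases the tables list as "Not fixed", so read it against the row for the host's port and CPU vendor.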

## External Resources

* [MIPS Blog Post](https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/)
* [ARM Security Update](https://developer.arm.com/support/security-update)
* [RISC-V](https://riscv.org/2018/01/more-secure-world-risc-v-isa/)

## Notes

* VIA Technologies did not issue any statement regarding their CPUs. It is not currently known whether they are affected.
