File:  [NetBSD Developer Wiki] / wikisrc / security / meltdown_spectre.mdwn
Revision 1.27
Fri May 4 07:30:58 2018 UTC (4 years ago) by maxv
Branches: MAIN
CVS tags: HEAD
Add ARM, many are affected. Copied as-is from the ARM security page. I
don't know which port(s) they belong to.

[[!meta title="Meltdown and Spectre Status Page"]]

Status of the Fixes
-------------------

NetBSD-6 and all earlier releases have no planned fixes.

## Spectre Variant 1

[[!table data="""
Port		|Vendor/Model	|Spectre (V1)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|VIA		|Unknown	|		|		|
mips		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
mips		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-R8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A9	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A12	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A75	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Spectre Variant 2

[[!table data="""
Port		|Vendor/Model	|Spectre (V2)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigB] [MitigD]
amd64		|AMD		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigC] [MitigD]
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigD]
i386		|AMD		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigC] [MitigD]
i386		|VIA		|Unknown	|		|		|
		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-R8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A9	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A12	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A75	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Meltdown

[[!table data="""
Port		|Vendor/Model	|Meltdown (V3)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigA]	|Fixed [MitigA]
amd64		|AMD		|Not vulnerable	|		|		|
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Not vulnerable	|		|		|
i386		|VIA		|Unknown	|		|		|
		|MIPS P5600	|Not vulnerable	|		|		|
		|MIPS P6600	|Not vulnerable	|		|		|
		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Not vulnerable	|		|		|
		|ARM Cortex-R8	|Not vulnerable	|		|		|
		|ARM Cortex-A8	|Not vulnerable	|		|		|
		|ARM Cortex-A9	|Not vulnerable	|		|		|
		|ARM Cortex-A12	|Not vulnerable	|		|		|
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Not vulnerable	|		|		|
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Not vulnerable	|		|		|
		|ARM Cortex-A75	|Not vulnerable	|		|		|
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Mitigations

### Mitigation A: SVS

Meltdown is mitigated with the SVS feature. It can be dynamically disabled
by changing the "machdep.svs.enabled" sysctl.

### Mitigation B: Intel IBRS

Spectre V2 can be mitigated with the IBRS method (Intel only for now). If
the CPU supports this method, it is used automatically. It can be
dynamically disabled by changing the "machdep.spectre_v2.mitigated"
sysctl.

### Mitigation C: AMD DIS_IND

Spectre V2 can be mitigated with the DIS_IND method, available only on a
few AMD families. If the CPU supports this method, it is used
automatically. It can be dynamically disabled by changing the
"machdep.spectre_v2.mitigated" sysctl.

### Mitigation D: Retpoline

Spectre V2 is mitigated in the kernel with the GCC "retpoline" compilation
flag, which is enabled by default in GENERIC.

## External Resources

* [MIPS Blog Post](https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/)
* [ARM Security Update](https://developer.arm.com/support/security-update)
* [RISC-V](https://riscv.org/2018/01/more-secure-world-risc-v-isa/)

## Notes

* VIA Technologies did not issue any statement regarding their CPUs. It is not currently known whether they are affected.
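A host audit for the run-time switches described under Mitigations A to C, added here as an example; it is not part of the NetBSD wiki page or source tree. Only the two sysctl node names come from the page; the function names and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the state of the two sysctl nodes named on this page.
# Input is text in the "name = value" form that sysctl(8) prints on NetBSD.
# Retpoline (Mitigation D) is a compile-time option and is not visible here.

# Print the value of node $1 found in text $2, or nothing if the node is absent.
node_value() {
    printf '%s\n' "$2" | awk -F' = ' -v n="$1" '$1 == n { print $2; exit }'
}

# Classify node $1: 1 -> on, 0 -> off, absent -> missing.
# "off" covers both an administrator disabling it and a CPU without support.
node_state() {
    v=$(node_value "$1" "$2")
    case "$v" in
        1)  echo on ;;
        0)  echo off ;;
        "") echo missing ;;
        *)  echo "unknown($v)" ;;
    esac
}

# Print one line per mitigation; return 1 if any is not "on".
audit_mitigations() {
    rc=0
    for pair in "Meltdown/SVS:machdep.svs.enabled" \
                "SpectreV2/IBRS-or-DIS_IND:machdep.spectre_v2.mitigated"; do
        label=${pair%%:*}
        node=${pair#*:}
        state=$(node_state "$node" "$1")
        echo "$label $node $state"
        [ "$state" = on ] || rc=1
    done
    return $rc
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_OK='machdep.svs.enabled = 1
machdep.spectre_v2.mitigated = 1'
SAMPLE_WEAK='machdep.spectre_v2.mitigated = 0'   # no SVS node, e.g. i386

# On a live NetBSD host, feed it the real values instead:
#   audit_mitigations "$(sysctl machdep.svs.enabled machdep.spectre_v2.mitigated 2>/dev/null)"
audit_mitigations "$SAMPLE_WEAK" || echo "at least one mitigation is off or unavailable"
```

A non-zero return from `audit_mitigations` makes the function usable as a gate in configuration-management or monitoring checks.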
