File:  [NetBSD Developer Wiki] / wikisrc / security / meltdown_spectre.mdwn
Revision 1.30
Tue May 22 07:37:22 2018 UTC (5 years ago) by maxv
Branches: MAIN
CVS tags: HEAD
Mention SpectreV3a.

[[!meta title="Meltdown and Spectre Status Page"]]

Status of the Fixes
-------------------

NetBSD-6 and all earlier releases have no planned fixes.

## Spectre Variant 1

[[!table data="""
Port		|Vendor/Model	|Spectre (V1)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|VIA		|Unknown	|		|		|
		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-R8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A9	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A12	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A75	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Spectre Variant 2

[[!table data="""
Port		|Vendor/Model	|Spectre (V2)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigB] [MitigD]
amd64		|AMD		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigC] [MitigD]
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigD]
i386		|AMD		|Vulnerable	|Not fixed	|Fixed [MitigD]	|Fixed [MitigC] [MitigD]
i386		|VIA		|Unknown	|		|		|
		|MIPS P5600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS P6600	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-R8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A8	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A9	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A12	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A75	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Meltdown

[[!table data="""
Port		|Vendor/Model	|Meltdown (V3)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Fixed [MitigA]	|Fixed [MitigA]
amd64		|AMD		|Not vulnerable	|		|		|
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Not fixed
i386		|AMD		|Not vulnerable	|		|		|
i386		|VIA		|Unknown	|		|		|
		|MIPS P5600	|Not vulnerable	|		|		|
		|MIPS P6600	|Not vulnerable	|		|		|
		|MIPS (others)	|Not vulnerable	|		|		|
ia64		|Intel		|Not vulnerable	|		|		|
riscv		|(Spec.)	|Not vulnerable	|		|		|
		|ARM Cortex-R7	|Not vulnerable	|		|		|
		|ARM Cortex-R8	|Not vulnerable	|		|		|
		|ARM Cortex-A8	|Not vulnerable	|		|		|
		|ARM Cortex-A9	|Not vulnerable	|		|		|
		|ARM Cortex-A12	|Not vulnerable	|		|		|
		|ARM Cortex-A15	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A17	|Not vulnerable	|		|		|
		|ARM Cortex-A57	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A72	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM Cortex-A73	|Not vulnerable	|		|		|
		|ARM Cortex-A75	|Vulnerable	|Not fixed	|Not fixed	|Not fixed
		|ARM (others)	|Not vulnerable	|		|		|
"""]]

## Spectre Variant 3a

This issue will be addressed in future microcode updates. No software
change is required.

## Spectre Variant 4

[[!table data="""
Port		|Vendor/Model	|Spectre (V4)	|NetBSD-7	|NetBSD-8	|NetBSD-current
amd64		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigE]
amd64		|AMD		|Unknown	|		|		|
amd64		|VIA		|Unknown	|		|		|
i386		|Intel		|Vulnerable	|Not fixed	|Not fixed	|Fixed [MitigE]
i386		|AMD		|Unknown	|		|		|
i386		|VIA		|Unknown	|		|		|
"""]]

## Mitigations

### Mitigation A: SVS

Meltdown is mitigated with the SVS feature. It can be dynamically disabled
by changing the "machdep.svs.enabled" sysctl.

### Mitigation B: Intel IBRS

SpectreV2 can be mitigated with the IBRS method (Intel only for now). If
the CPU supports this method, it is used automatically. It can be
dynamically disabled by changing the "machdep.spectre_v2.mitigated"
sysctl.

### Mitigation C: AMD DIS_IND

SpectreV2 can be mitigated with the DIS_IND method, available only on a
few AMD families. If the CPU supports this method, it is used
automatically. It can be dynamically disabled by changing the
"machdep.spectre_v2.mitigated" sysctl.

### Mitigation D: Retpoline

SpectreV2 is mitigated in the kernel with the GCC "retpoline" compilation
flag, which is enabled by default in GENERIC.

### Mitigation E: Intel SSBD

SpectreV4 can be mitigated with the SSBD method (Intel only for now). It
can be dynamically enabled by changing the "machdep.spectre_v4.mitigated"
sysctl.
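
The three sysctls named above can be checked in one pass. The script below is an added example, not part of the NetBSD wiki or source tree: `audit_mitigations` is a hypothetical helper name, the sample values are constructed, and it assumes input in the `name = value` form that `sysctl` prints (on a live system, `sysctl machdep | audit_mitigations`).

```shell
#!/bin/sh
# Added example, not part of the NetBSD wiki page.
# Reads `sysctl` output ("name = value" lines) on stdin and reports the
# state of the three knobs named in the Mitigations section.
# Prints "<sysctl> <on|off|absent> (<what it controls>)" per knob and
# returns 1 if any knob that is present has a value other than 1, else 0.
audit_mitigations() {
    awk '
    BEGIN {
        n = 3
        knob[1] = "machdep.svs.enabled";          what[1] = "Meltdown: SVS"
        knob[2] = "machdep.spectre_v2.mitigated"; what[2] = "SpectreV2: IBRS or DIS_IND"
        knob[3] = "machdep.spectre_v4.mitigated"; what[3] = "SpectreV4: SSBD"
    }
    {
        # Accept both "name = value" and "name=value".
        line = $0
        gsub(/[ \t]/, "", line)
        eq = index(line, "=")
        if (eq > 1) seen[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        off = 0
        for (i = 1; i <= n; i++) {
            if (!(knob[i] in seen))         state = "absent"
            else if (seen[knob[i]] == "1")  state = "on"
            else                          { state = "off"; off = 1 }
            printf "%s %s (%s)\n", knob[i], state, what[i]
        }
        exit off
    }'
}

# Constructed sample: SVS and the SpectreV2 hardware mitigation are on,
# SSBD has not been enabled.
audit_mitigations <<'EOF' || echo "warning: at least one mitigation is switched off"
machdep.svs.enabled = 1
machdep.spectre_v2.mitigated = 1
machdep.spectre_v4.mitigated = 0
EOF
```

A knob reported as `absent` means the node was not in the input, for example on a kernel or CPU where that mitigation does not apply; Retpoline (Mitigation D) is a compile-time flag and has no sysctl on this page to check.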

## External Resources

* [MIPS Blog Post](https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/)
* [ARM Security Update](https://developer.arm.com/support/security-update)
* [RISC-V](https://riscv.org/2018/01/more-secure-world-risc-v-isa/)

## Notes

* VIA Technologies did not issue any statement regarding their CPUs. It is not currently known whether they are affected.
