Any ETA for implementing a fix for Meltdown?

Status
Not open for further replies.

Shiroi Kage

Explorer
Joined
Dec 19, 2013
Messages
62
Are there any plans to implement the fix, and what are the projected performance trade-offs? Does anyone know if OpenBSD is planning a fix in the near future? It feels like this bug makes drive encryption vulnerable as soon as we enter the password.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
It has to be fixed in upstream FreeBSD before a patch can be rolled out to FreeNAS.
 

Shiroi Kage

Explorer
Joined
Dec 19, 2013
Messages
62
It has to be fixed in upstream FreeBSD before a patch can be rolled out to FreeNAS.

So if I'm not misunderstanding anything, upstream FreeBSD is just FreeBSD, right? Are they addressing this right now? The only thing I could find was this forum post where people are talking about it as it gets announced and whatnot. Apple seems to have fixed this back in December, Linux rolled it out today (?), and Windows is coming Tuesday. Hope FreeBSD is going to roll a fix out soon.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
We're working with CPU vendors and the published papers on these attacks to mitigate them on FreeBSD. Due to the fundamental nature of the attacks, no estimate is yet available for the publication date of patches.
It's interesting that other vendors not only have an ETA, but in fact have code out the door. That doesn't make FreeBSD look good.
 

rs225

Guru
Joined
Jun 28, 2014
Messages
878
I think the issue is that BSDs didn't make the cut for early notification. It is arguably the Linux notification that led to the story coming out a week early. So FreeBSD is starting at a multi-month disadvantage.

I would not want to be somebody with a business that depended on BSD for running outside code right now. Unless you also made the choice to run all AMD, you'd be in deep stuff.

The only hope is that Intel isn't blowing smoke about their updates. Perhaps they have found a way to microcode update that foils the attack; fixing it is obviously impossible.
 
Joined
Apr 9, 2015
Messages
1,258
Even with FreeBSD being at a disadvantage there are no known exploits in the wild yet and even if there do happen to be some you have to allow someone else to put data into execution on your system. To add to that the only data they will be able to get hold of is very small pieces. It's not like they can do a ram dump on your system and gain access to every little bit that is there.

The problem will come in when you have your system provisioned to handle workloads from multiple people who can run processes on that system. This is much more of an issue for shared hosting providers. And while it can affect desktop computers through the web browser the small random bits of data will not be worth a whole lot unless the exploiter hits the lottery on your system. The biggest issues will be that to fix the issue a lot of systems will suffer performance hits and this will likely be especially hard on databases with large numbers of transactions happening all the time.

The people who need to be worried right now are the ones using cloud services to hold TONS of sensitive data. And the major cloud services are already patched against the exploits.


https://news.vice.com/en_us/article/ne434m/spectre-meltdown-bugs-chips-attack

SHOULD I BE WORRIED?
Yes and no.

Security researchers think it is unlikely that attackers will use these flaws to target individual computers, given the cost would outweigh the likely gain.

However, attackers could target services hosted on shared servers, such as Amazon and Google’s cloud services.
 

Revan

Explorer
Joined
Mar 22, 2017
Messages
81
There is some news about Meltdown and Spectre from the FreeBSD developers:
https://lists.freebsd.org/pipermail/freebsd-security/2018-January/009719.html


BTW, if this is some kind of collecting thread for all Spectre and Meltdown topics, as all the other closed threads about this topic suggest, then I would recommend editing the title of this thread to "Spectre and Meltdown".
 

rs225

Guru
Joined
Jun 28, 2014
Messages
878
Even with FreeBSD being at a disadvantage there are no known exploits in the wild yet and even if there do happen to be some you have to allow someone else to put data into execution on your system. To add to that the only data they will be able to get hold of is very small pieces. It's not like they can do a ram dump on your system and gain access to every little bit that is there.

I don't think this is entirely correct. The reason for the early announcement was that somebody posted working code (or a screenshot of results) on Linux that read a particular value in the kernel. So it is not random; you can 'find your bearings', so to speak. And it may be low rate, but CPUs have plenty of cycles.

The correct part is that the code has to be executed on your system.

They haven't been altering OS kernels for the past few months for nothing. Until last week, the idea of Microsoft making dramatic changes to the kernel in a security update, without forewarning developers, would have been crazy talk.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194