I build a new personal "home" server every ten years or so.
Since the system is going to run for a decade, I try to put a lot of thought into the hardware and OS configuration, etc.
This time it is a lot more complicated - in 2010 I was not worrying about out-of-band / LOM / IPMI - other than simply disabling it in the BIOS and forgetting about it. I was also not worrying about security issues related to speculative branching and caching (Spectre/Meltdown/ZombieLoad).
I considered simply buying and running a pre-2008 CPU - such as an Intel Core 2 Duo - with no management engine and presumably no exposure to Meltdown/Spectre, but there are a number of headaches involved in either the initial procurement or the day-to-day operation of the system ...
My use-case is a single user (me) FreeBSD system with a few server daemons (mail, www, sshd, wiki) each running in their own jail. There will be no untrusted users that log onto the system but there will be untrusted users connecting to the server daemons and untrusted connections coming in from everywhere - which is to say, it will be on the Internet.
My list of worries, from most concerned to least concerned, is: Intel Management Engine, Spectre, Meltdown (and other speculative branch issues), and side-channel attacks like ZombieLoad.
My questions:
Assuming I purchase a current Intel processor in 2019 and use a RELEASE version of either FreeBSD 11.x or 12.x, what best practices may I follow to minimize, or mitigate entirely, these issues?
Given that this is *not* a multi-user system (there are no other users besides myself and Internet clients connecting to the daemons), how much exposure is there to Spectre/Meltdown/ZombieLoad?
Thank you.