Remember Spectre and Meltdown?

I ran the spectre-meltdown-checker script from ports.

I have the latest microcode installed. The script warns of multiple vulnerabilities but doesn't give much guidance on how to fix them.

Here's an example:

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Kernel supports speculation store bypass: YES
* Speculation store bypass is administratively enabled: NO (disabled)
* Speculation store bypass is currently active: NO
> STATUS: VULNERABLE (you need to enable SSBD through sysctl to mitigate the vulnerability)

It would be nice if it stated the exact sysctl. One online source says it's kern.ssbd, but sysctl tells me I do not have that as an option.

Edit: mdo sysctl machdep.mitigations.ssb.disable=1

Here's another:

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Kernel supports L1D flushing: YES
* L1D flushing is enabled: NO
> STATUS: VULNERABLE (L1D flushing is supported by your kernel but is disabled)

I found these two sysctls but no idea if either apply:
machdep.syscall_ret_flush_l1d: 0
machdep.nmi_flush_l1d_sw: 0

This mdo sysctl hw.ibrs_disable=0 made the script happy for CVE-2017-5715.

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigation 1
* Kernel supports IBRS: YES
* IBRS enabled and active: YES
* Mitigation 2
* Kernel compiled with RETPOLINE: NO
> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
 
Is it better to put these in /boot/loader.conf or in /etc/sysctl.conf, please?
I have this in /boot/loader.conf:
hw.ibrs_disabled=0
machdep.mitigations.tea.enabled=3

Thank you.
 
The note from the port at the time of installing the package instructed me to put those two lines into /boot/loader.conf. I'm guessing loader.conf is processed before sysctl.conf, which is probably what you want.
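Whichever file the tunables end up in, the thing worth verifying is that the running value and the persisted value agree. The following POSIX sh script is an added example, not part of the thread or of spectre-meltdown-checker: it compares the two knobs this thread set via sysctl (machdep.mitigations.ssb.disable=1 and hw.ibrs_disable=0) against `sysctl` output and against a /boot/loader.conf, reporting each as ok, WRONG, or missing. A knob whose loader.conf line is misspelled or absent shows up as boot=missing, and a sysctl the kernel does not know (like kern.ssbd above) shows up as runtime=missing. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mitigation knobs discussed
# above against (a) the running sysctl values and (b) what /boot/loader.conf
# persists across reboots. Desired values are the ones the thread arrived at.
DESIRED='machdep.mitigations.ssb.disable=1
hw.ibrs_disable=0'

# audit_mitigations SYSCTL_OUTPUT LOADER_CONF
#   $1: text in "name: value" form, as printed by `sysctl name...`
#   $2: contents of /boot/loader.conf (name="value" lines, # comments)
# Prints one line per desired knob and returns 1 if anything is off.
audit_mitigations() {
    printf '%s\n' "$DESIRED" | awk -v sysctl_out="$1" -v loader="$2" '
    BEGIN {
        n = split(sysctl_out, lines, "\n")             # running values
        for (i = 1; i <= n; i++)
            if (match(lines[i], /: /))
                run[substr(lines[i], 1, RSTART - 1)] = substr(lines[i], RSTART + 2)
        n = split(loader, lines, "\n")                 # persisted tunables
        for (i = 1; i <= n; i++) {
            line = lines[i]
            sub(/#.*/, "", line); gsub(/[ \t"]/, "", line)
            eq = index(line, "=")
            if (eq > 1) boot[substr(line, 1, eq - 1)] = substr(line, eq + 1)
        }
        bad = 0
    }
    {
        eq = index($0, "=")
        name = substr($0, 1, eq - 1); want = substr($0, eq + 1)
        r = (name in run)  ? ((run[name]  == want) ? "ok" : ("WRONG(" run[name] ")"))  : "missing"
        b = (name in boot) ? ((boot[name] == want) ? "ok" : ("WRONG(" boot[name] ")")) : "missing"
        if (r != "ok" || b != "ok") bad = 1
        printf "%s want=%s runtime=%s boot=%s\n", name, want, r, b
    }
    END { exit bad }'
}

# Constructed sample input: SSBD still off at runtime and not persisted,
# IBRS correct in both places (mirrors the state described in the thread).
SAMPLE_SYSCTL='machdep.mitigations.ssb.disable: 0
hw.ibrs_disable: 0
machdep.syscall_ret_flush_l1d: 0'
SAMPLE_LOADER='# constructed /boot/loader.conf
hw.ibrs_disable="0"'

audit_mitigations "$SAMPLE_SYSCTL" "$SAMPLE_LOADER" || echo "mitigation drift detected"
```

On a real FreeBSD host, replace the samples with `audit_mitigations "$(sysctl machdep.mitigations.ssb.disable hw.ibrs_disable)" "$(cat /boot/loader.conf)"`.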
 