pfSense Forum

Administrative => Messages from the pfSense Team => Topic started by: ivor on January 08, 2018, 05:59:14 pm

Title: An update on Meltdown and Spectre
Post by: ivor on January 08, 2018, 05:59:14 pm
https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
Title: Re: An update on Meltdown and Spectre
Post by: kejianshi on January 23, 2018, 03:29:50 am
https://www.theverge.com/2018/1/22/16919426/intel-advises-pause-deployment-of-spectre-patch

https://techcrunch.com/2018/01/22/linus-torvalds-declares-intel-fix-for-meltdown-spectre-complete-and-utter-garbage/

https://gizmodo.com/intel-is-trying-to-fix-the-biggest-problem-with-its-spe-1822305604

All fixed!  (AMD patches are pretty broken as well)
Title: Re: An update on Meltdown and Spectre
Post by: Darkk on January 23, 2018, 03:13:36 pm
Sweet!!  Meanwhile the hackers and the NSA are having a party!

I agree it's a mess and hope this will get patched soon.

Title: Re: An update on Meltdown and Spectre
Post by: kejianshi on January 24, 2018, 01:42:50 pm
I actually wouldn't apply any of these patches to a pfsense running on hardware.  You risk performance and stability hits and I think pfsense isn't really at risk unless its running as a VM.  I'd only apply these patches to a machine hosting VMs.  I wouldn't even do that right now actually.  I'd wait for the chip makers to get their act together.
Title: Re: An update on Meltdown and Spectre
Post by: jahonix on January 24, 2018, 02:45:34 pm
Quote from: https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.
Again, why is that?
Title: Re: An update on Meltdown and Spectre
Post by: Patrick_ on January 25, 2018, 07:51:35 pm
Quote from: https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.
Again, why is that?

First revision of patches from Intel were buggy and causing all sorts of fun. Once they have a stable fix that they are more or less happy with then the back-porting will start likely.
Title: Re: An update on Meltdown and Spectre
Post by: chrcoluk on January 25, 2018, 07:57:24 pm
The sane thing to do is hold station I reckon

A good security approach is always layered means you never need to rely on one particular mitigation, and mitigation's which are unstable or bad performing can then be skipped over.

These mitigation's are not desirable with the performance and stability impacts been reported.
Title: Re: An update on Meltdown and Spectre
Post by: jahonix on January 25, 2018, 08:18:25 pm
First revision of patches from Intel were buggy ...
You didn't get it: why are patches not rolled out to the 2.3.x branch when available?
Having security fixes applied to that branch until roughly end of 2018 was promised when support for 32-bit hardware ceased with the 2.4 branch.

Sure I know the answer, I just want someone to officially reveal it.
Title: Re: An update on Meltdown and Spectre
Post by: ivor on January 26, 2018, 02:24:17 am
Are you repeating the question I already answered to you on a different thread? We can’t implement fixes we don’t have. We will have 64-bit fixes for pfSense 2.4.x but we don’t have anything yet for i386 and it's unclear when or if fixes will be available. You don't seem to understand the magnitude of these vulnerabilities.

Sure I know the answer, I just want someone to officially reveal it.

I am interested in learning what do you think the answer is.
Title: Re: An update on Meltdown and Spectre
Post by: kejianshi on January 26, 2018, 05:57:33 am
Reading up a little I found this quote:

"While 32-bit Linux users may be able to leverage grsecurity patches, x86 Windows users are currently left out in the cold since mitigating this issue on 32-bit systems is even more complex and costly, potentially eliminating the risk/benefit ratio."

To me it sounds like it can be done and it is being done by some but perhaps some of the OS makers are thinking if it is worth doing or not.  I'd bet on BSD patching 32 bit OS.

Title: Re: An update on Meltdown and Spectre
Post by: jahonix on January 26, 2018, 10:47:00 am
... I already answered to you on a different thread...
We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

You don't seem to understand the magnitude of these vulnerabilities.
Making uneducated assumptions never helps but roughens the sound of a conversation.
I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

I am interested in learning what do you think the answer is.
I will not forestall project lead.
Title: Re: An update on Meltdown and Spectre
Post by: ivor on January 26, 2018, 01:48:03 pm
For the last time: we cannot make a statement on something we don't have enough info about. We cannot implement fixes we do not have.

We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

You're pulling that single line out of context to prove what ever you are attempting to prove. Blog post talks about variant 3, based on information we had at the time. I really don't understand where you're going with this. Did you read the discussion about this?

FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

Actually, chances are it won't be backported by FreeBSD. But i we don't know yet.

Making uneducated assumptions never helps but roughens the sound of a conversation.
I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

No, you really do not understand how troublesome these issues are. I didn't offend you but you sure did engage in twisting my words and nitpicking to prove what ever you are attempting to prove.

I will not forestall project lead.

Fine, but please leave speculation out of this forum. We will do what we promised if possible. We can't implement fixes we don't have.
Title: Re: An update on Meltdown and Spectre
Post by: Michel-angelo on February 01, 2018, 05:16:45 am
Kejianshi reply #3 above (24 Jan) is enough to give me the comfort I seek from this forum.

I believe nobody is allowed access to my device : webGUI, console, SSH, physical, other. All closed. Thanks kejianshi.
Title: Re: An update on Meltdown and Spectre
Post by: kejianshi on February 01, 2018, 06:37:18 am
No problem.  Glad you aren't panicked. 
Title: Re: An update on Meltdown and Spectre
Post by: guardian on February 22, 2018, 12:12:09 am
Any timeline for when a patch may be coming out?
Title: Re: An update on Meltdown and Spectre
Post by: ivor on February 22, 2018, 04:10:00 am
Follow our Twitter account for progress updates. This is from yesterday https://twitter.com/pfsense/status/966385843568078848