
Topic: An update on Meltdown and Spectre


ivor
Need help fast? Commercial support: https://www.netgate.com/support/


Darkk
Re: An update on Meltdown and Spectre
« Reply #2 on: January 23, 2018, 03:13:36 pm »
Sweet!!  Meanwhile the hackers and the NSA are having a party!

I agree it's a mess and hope this will get patched soon.


kejianshi
Re: An update on Meltdown and Spectre
« Reply #3 on: January 24, 2018, 01:42:50 pm »
I actually wouldn't apply any of these patches to a pfSense running on hardware.  You risk performance and stability hits and I think pfSense isn't really at risk unless it's running as a VM.  I'd only apply these patches to a machine hosting VMs.  I wouldn't even do that right now actually.  I'd wait for the chip makers to get their act together.

jahonix
Re: An update on Meltdown and Spectre
« Reply #4 on: January 24, 2018, 02:45:34 pm »
> The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.

Again, why is that?
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Patrick_
Re: An update on Meltdown and Spectre
« Reply #5 on: January 25, 2018, 07:51:35 pm »
> The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and amd64 architecture.
> Again, why is that?

The first revision of patches from Intel were buggy and causing all sorts of fun. Once they have a stable fix that they are more or less happy with, then the back-porting will likely start.
--------------------------------------------------------------------------------------
pfSense Documentation Wiki
Need Commercial Support?
Personal Blog

chrcoluk
Re: An update on Meltdown and Spectre
« Reply #6 on: January 25, 2018, 07:57:24 pm »
The sane thing to do is hold station, I reckon.

A good security approach is always layered, which means you never need to rely on one particular mitigation, and mitigations which are unstable or bad performing can then be skipped over.

These mitigations are not desirable with the performance and stability impacts being reported.
pfSense 2.4
Qotom Q355G4 or Braswell N3150 with Jetway mini pcie 2x intel i350 lan - 4 gig Kingston 1333 C11 DDR3L
 - 60 gig kingston ssdnow ssd - ISP Sky UK

jahonix
Re: An update on Meltdown and Spectre
« Reply #7 on: January 25, 2018, 08:18:25 pm »
> First revision of patches from Intel were buggy ...

You didn't get it: why are patches not rolled out to the 2.3.x branch when available?
Having security fixes applied to that branch until roughly end of 2018 was promised when support for 32-bit hardware ceased with the 2.4 branch.

Sure I know the answer, I just want someone to officially reveal it.

ivor
Re: An update on Meltdown and Spectre
« Reply #8 on: January 26, 2018, 02:24:17 am »
Are you repeating the question I already answered to you on a different thread? We can’t implement fixes we don’t have. We will have 64-bit fixes for pfSense 2.4.x but we don’t have anything yet for i386 and it's unclear when or if fixes will be available. You don't seem to understand the magnitude of these vulnerabilities.

> Sure I know the answer, I just want someone to officially reveal it.

I am interested in learning what you think the answer is.

kejianshi
Re: An update on Meltdown and Spectre
« Reply #9 on: January 26, 2018, 05:57:33 am »
Reading up a little I found this quote:

"While 32-bit Linux users may be able to leverage grsecurity patches, x86 Windows users are currently left out in the cold since mitigating this issue on 32-bit systems is even more complex and costly, potentially eliminating the risk/benefit ratio."

To me it sounds like it can be done and it is being done by some but perhaps some of the OS makers are thinking if it is worth doing or not.  I'd bet on BSD patching 32 bit OS.


jahonix
Re: An update on Meltdown and Spectre
« Reply #10 on: January 26, 2018, 10:47:00 am »
> ... I already answered to you on a different thread...

We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

> You don't seem to understand the magnitude of these vulnerabilities.

Making uneducated assumptions never helps but roughens the sound of a conversation.
I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

> I am interested in learning what do you think the answer is.

I will not forestall the project lead.

ivor
Re: An update on Meltdown and Spectre
« Reply #11 on: January 26, 2018, 01:48:03 pm »
For the last time: we cannot make a statement on something we don't have enough info about. We cannot implement fixes we do not have.

> We had this discussion earlier and you never gave an answer why the official announcement definitely says: "2.4.x branch and AMD64 only"
> It does NOT say: "2.4.x branch and AMD64 shortly, 2.3.x and 32-bit later when/if a fix is available"

You're pulling that single line out of context to prove whatever you are attempting to prove. The blog post talks about variant 3, based on information we had at the time. I really don't understand where you're going with this. Did you read the discussion about this?

> FreeBSD will backport the patches to FreeBSD 11 and 10 branches meaning they will be available sooner or later. According to JWT's announcement the last 32-bit pfSense 2.3.x will not get them, regardless of availability.

Actually, chances are it won't be backported by FreeBSD. But we don't know yet.

> Making uneducated assumptions never helps but roughens the sound of a conversation.
> I never affronted you personally, did I? As a netgate employee and an administrator of this forum you shouldn't either.

No, you really do not understand how troublesome these issues are. I didn't offend you, but you sure did engage in twisting my words and nitpicking to prove whatever you are attempting to prove.

> I will not forestall project lead.

Fine, but please leave speculation out of this forum. We will do what we promised if possible. We can't implement fixes we don't have.

Michel-angelo
Re: An update on Meltdown and Spectre
« Reply #12 on: February 01, 2018, 05:16:45 am »
Kejianshi reply #3 above (24 Jan) is enough to give me the comfort I seek from this forum.

I believe nobody is allowed access to my device: webGUI, console, SSH, physical, other. All closed. Thanks kejianshi.

kejianshi
Re: An update on Meltdown and Spectre
« Reply #13 on: February 01, 2018, 06:37:18 am »
No problem.  Glad you aren't panicked.

guardian
Re: An update on Meltdown and Spectre
« Reply #14 on: February 22, 2018, 12:12:09 am »
Any timeline for when a patch may be coming out?