
Author Topic: pfSense 2.4.3 snapshots with Kernel PTI mitigations available for testing!  (Read 985 times)


ivor (Administrator, Netgate)
pfSense version 2.4.3 snapshots with Kernel PTI mitigations for #Meltdown are now available for download. We would love to hear about performance results from you! We have exposed the kernel option to enable / disable same.

https://www.pfsense.org/snapshots/
Need help fast? Commercial support: https://www.netgate.com/support/

PiBa
« Reply #1 on: February 24, 2018, 08:25:33 am »
For my testbox it always shows as disabled on the dashboard.. (and the sysctl vm.pmap.pti is always 0).
Code:
System Information   
Version 2.4.3-DEVELOPMENT (amd64)
built on Fri Feb 23 13:50:19 CST 2018
FreeBSD 11.1-RELEASE-p6

The system is on the latest version.
Version information updated at Sat Feb 24 14:59:14 CET 2018  
Kernel PTI Disabled
While the loader.conf does not contain vm.pmap.pti="0" at that time.


After enabling/disabling the option in gui misc settings a few times my loader.conf looks like this.. (4x the pti option..):
Code:
kern.cam.boot_delay=10000
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"
vm.pmap.pti="0"
vm.pmap.pti="0"
vm.pmap.pti="0"
autoboot_delay="3"
hw.usb.no_pf="1"
vm.pmap.pti="0"

Think it needs a bit more work?

ivor (Administrator, Netgate)
« Reply #2 on: February 24, 2018, 09:56:34 am »
Did you reboot after making changes? We'll add that to description in the next snaps.

PiBa
« Reply #3 on: February 24, 2018, 12:39:42 pm »
Yes rebooted several times..

It seems to be disabled by default in the kernel, and 'forcefully' disabled by the setting in loader.conf when disabled through the gui. Which is never removed by the gui again..
I changed the loader.conf manually to have vm.pmap.pti="1" rebooted and then dashboard will say "Enabled".

As for actual effects of the setting, I have not tried any performance testing, or seen any problems so far myself.

bfeitell
« Reply #4 on: February 24, 2018, 01:14:26 pm »
It might be helpful to know whether you are running AMD or Intel in your test box.  I have not read through the development threads for the page table isolation code under FreeBSD, but under Linux the code includes CPU detection.  In Linux, the PTI code is activated automatically only on Intel hardware to mitigate Meltdown.  AMD processors are not susceptible to Meltdown, but PTI may be forced anyway with kernel boot parameters.  I wonder if you are experiencing something similar here.

PiBa
« Reply #5 on: February 24, 2018, 02:03:19 pm »
Ah, that could explain why it's disabled by default from the kernel indeed.. Testbox uses this AMD cpu:
Code:
CPU Type AMD Phenom(tm) 9850 Quad-Core Processor
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: No

Still leaves the strange loader.conf behavior though where the vm.pmap.pti="0" setting gets added multiple times upon rebooting..
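The duplicated vm.pmap.pti="0" lines in reply #1 and reply #5 come from a setting being appended on every toggle instead of being replaced. The script below is an added example, not code from pfSense or Netgate: it manages a loader.conf tunable idempotently (one definition at most, removed entirely when the kernel default should apply again) and demonstrates the logic on a constructed copy of the loader.conf PiBa posted. It assumes only POSIX sh and awk, and never touches /boot.

```shell
#!/bin/sh
# Added example, not code from pfSense or Netgate: manage a FreeBSD loader.conf
# tunable idempotently, so toggling it repeatedly leaves exactly one definition
# instead of the stacked vm.pmap.pti="0" lines seen in the thread. POSIX sh + awk.

# set_loader_var FILE NAME VALUE
# Drop every existing NAME=... line, then append a single NAME="VALUE" line.
# Other tunables keep their order. The loader uses the last definition it
# sees, so duplicates do not change the boot result, but they do mislead
# anyone auditing the file or trusting the GUI's "Disabled"/"Enabled" label.
set_loader_var() {
    file=$1
    name=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -F= -v key="$name" '$1 != key' "$file" > "$tmp" &&
    printf '%s="%s"\n' "$name" "$value" >> "$tmp" &&
    mv "$tmp" "$file"
}

# unset_loader_var FILE NAME
# Remove the tunable entirely so the kernel's built-in default applies again
# (on the thread's AMD box that default was PTI off; the forced "0" hid that).
unset_loader_var() {
    file=$1
    name=$2
    tmp="$file.tmp.$$"
    awk -F= -v key="$name" '$1 != key' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_loader_var FILE NAME -> number of lines defining NAME (should be 0 or 1)
count_loader_var() {
    awk -F= -v key="$2" '$1 == key { n++ } END { print n + 0 }' "$1"
}

# get_loader_var FILE NAME -> effective value (last definition wins), quotes stripped
get_loader_var() {
    awk -F= -v key="$2" \
        '$1 == key { v = substr($0, length(key) + 2) }
         END { gsub(/"/, "", v); print v }' "$1"
}

# write_sample_conf FILE
# Constructed sample reproducing the loader.conf posted in reply #1 (four pti lines).
write_sample_conf() {
    cat > "$1" <<'EOF'
kern.cam.boot_delay=10000
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"
vm.pmap.pti="0"
vm.pmap.pti="0"
vm.pmap.pti="0"
autoboot_delay="3"
hw.usb.no_pf="1"
vm.pmap.pti="0"
EOF
}

# Stand-alone demo on a temporary copy; /boot is never touched.
demo=$(mktemp) || exit 1
write_sample_conf "$demo"
echo "before: $(count_loader_var "$demo" vm.pmap.pti) definition(s) of vm.pmap.pti"
set_loader_var "$demo" vm.pmap.pti 1
echo "after set: $(count_loader_var "$demo" vm.pmap.pti) definition(s), value $(get_loader_var "$demo" vm.pmap.pti)"
unset_loader_var "$demo" vm.pmap.pti
echo "after unset: $(count_loader_var "$demo" vm.pmap.pti) definition(s)"
rm -f "$demo"
```

On a real pfSense box, put hand-edited tunables in /boot/loader.conf.local rather than /boot/loader.conf, which the GUI rewrites; after a reboot, `sysctl vm.pmap.pti` (the value the dashboard reads) is the check that the setting actually took effect, and on an AMD CPU a value of 0 with no forced line in loader.conf is the expected default, not a failure.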

ivor (Administrator, Netgate)
« Reply #6 on: February 24, 2018, 03:23:50 pm »
Quote
GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.

We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

From https://www.amd.com/en/corporate/speculative-execution

As bfeitell notices, it's not automatic on AMD but it's also not necessary either. We will fix a few more details. Thanks for your feedback PiBa and bfeitell!

loos (Global Moderator)
« Reply #7 on: February 24, 2018, 03:38:18 pm »
Quote
Still leaves the strange loader.conf behavior thought where the vm.pmap.pti="0" setting gets added multiple times upon rebooting..

This is fixed now PiBa, thanks.