
NetBSD 8.0 Brings Spectre V2/V4, Meltdown, and Lazy FPU Mitigations, and More

by Sergio De Simone on Jul 24, 2018. Estimated reading time: 1 minute

NetBSD 8.0, a major release of the BSD-based OS providing portability across many architectures, brings mitigations for the Spectre V2/V4, Meltdown, and Lazy FPU vulnerabilities, along with many new features and bug fixes.

NetBSD implements Meltdown mitigation through separate virtual spaces (SVS), which unmap kernel pages while running in user-space. This is enabled by default for all vulnerable CPUs and can be disabled manually by running:

# sysctl -w machdep.svs.enabled=0

Disabling SVS can be desirable when security requirements are not so strict and you prefer maximizing performance.

Spectre V2 can be tackled using a set of mitigations, both in hardware and in software:

  • Intel IBRS: this is enabled if the underlying CPU is detected to support it. You can disable it by running

    # sysctl -w machdep.spectre_v2.hwmitigated=0

  • AMD DIS_IND: this is a hardware mitigation for AMD CPUs. It can be disabled by unsetting the hwmitigated option as shown above.

  • Software mitigation (retpoline) for all other vulnerable CPUs. This can be disabled by running

    # sysctl -w machdep.spectre_v2.swmitigated=0

For Spectre V4, NetBSD 8 provides two main mitigations, Intel SSBD and AMD MONARCH, which can be disabled by setting machdep.spectre_v4.mitigated to 0 (sysctl -w machdep.spectre_v4.mitigated=0).
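The sysctl knobs listed above are the quickest way to verify a host's mitigation posture. The script below is an added example, not code from the article or from the NetBSD project: it reads a sysctl dump in NetBSD's "name = value" output style and flags any of the named knobs that is disabled or absent. The embedded dump is constructed; on a real NetBSD 8 host you would feed it the output of sysctl machdep.svs machdep.spectre_v2 machdep.spectre_v4.

```shell
#!/bin/sh
# Added example (not from the article or NetBSD): audit the mitigation
# sysctl knobs named in the article from a `sysctl` dump. The dump embedded
# below is constructed so the script runs anywhere; on a live host pass the
# real `sysctl` output instead.

# Knobs the article names, with the value that means "mitigation active".
# Format: sysctl-name:expected-value:label
MITIGATION_KNOBS="machdep.svs.enabled:1:Meltdown (SVS)
machdep.spectre_v2.hwmitigated:1:Spectre V2 hardware (IBRS / DIS_IND)
machdep.spectre_v2.swmitigated:1:Spectre V2 software (retpoline)
machdep.spectre_v4.mitigated:1:Spectre V4 (SSBD / MONARCH)"

# Constructed sample in NetBSD's "name = value" output style (not a capture).
SAMPLE_DUMP="machdep.svs.enabled = 1
machdep.spectre_v2.hwmitigated = 0
machdep.spectre_v2.swmitigated = 1
machdep.spectre_v4.mitigated = 0"

# Print the value of one knob from a dump, or "missing" if it is absent.
knob_value() {  # $1 = dump text, $2 = sysctl name
    v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3 }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'missing\n'; fi
}

# Report OK / WEAK / UNKNOWN per knob; return 1 if anything needs review.
audit_mitigations() {  # $1 = dump text
    dump=$1
    status=0
    old_ifs=$IFS
    IFS='
'
    set -- $MITIGATION_KNOBS   # split the knob table on newlines only
    IFS=$old_ifs
    for entry in "$@"; do
        name=${entry%%:*}; rest=${entry#*:}
        want=${rest%%:*}; label=${rest#*:}
        have=$(knob_value "$dump" "$name")
        if [ "$have" = "$want" ]; then
            printf 'OK      %-32s %s\n' "$name" "$label"
        elif [ "$have" = missing ]; then
            printf 'UNKNOWN %-32s %s (knob not exposed by this kernel)\n' "$name" "$label"
            status=1
        else
            printf 'WEAK    %-32s %s (value %s: mitigation disabled)\n' "$name" "$label" "$have"
            status=1
        fi
    done
    return $status
}

audit_mitigations "$SAMPLE_DUMP" || echo "Review the WEAK/UNKNOWN lines above."
```

With the constructed dump, the two knobs set to 0 are reported as WEAK and the script's audit function returns 1; an all-ones dump returns 0.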

Lazy FPU is mitigated by making the FPU “eager”, that is, forcing it to clean its registers on a process swap. It is interesting to note that the approach taken by NetBSD 8, i.e., enabling eager FPU behaviour only for vulnerable FPUs, differs from Linux’s, where the eagerfpu=on kernel boot argument affects all FPUs, whether they are vulnerable or not.

According to the NetBSD team, none of these mitigations will be backported to older release branches.

We urge all users to try to update to NetBSD 8.0 as soon as possible, and avoid running older NetBSD releases unless a local security expert has analyzed the setup.

Other features of NetBSD 8 are support for USB 3.0, an in-kernel audio mixer, supervisor mode access prevention, reproducible builds, which guarantee the same build results from the same source tree, full userland debug information, and many more. Read the full details in the official release notes.
