FreeBSD Patches for Meltdown and Spectre Coming

2
FreeBSD
FreeBSD Logo

The FreeBSD security team posted their update on Meltdown and Spectre and there are a few key items that anyone using FreeBSD should be aware of. It seems as though the FreeBSD team is behind many of the major Linux vendors when it comes to Meltdown patching.

From the security mailing list update:

The FreeBSD Security Team was notified of the issue in late December
and received a briefing under NDA with the original embargo date of
January 9th. Since we received relatively late notice of the issue, our
ability to provide fixes is delayed.

(Source: FreeBSD Security Mailing List)

We suggest that anyone who is running FreeBSD heavy shop read the entire announcement. For others, here are some highlights in bullet form.

FreeBSD Meltdown Fixes

  • As of 08 January 2018, these are not implemented.
  • The target for Project Zero variant 3 (CVE-2017-5754) is expected to go through dev and test in the next two weeks.
  • The first push for this will be into 11.1-Release for amd64. Expect older 10 series FreeBSD lines to be updated later.
  • Patch code will be set to automatically turn on for Intel and off for AMD.

FreeBSD Spectre Fixes

  • These sound like they will be addressed later on as they will require additional analysis and testing.
  • Variant 2 (CVE-2017-5715) impacts bhyve along with normal processes.

Another important note here is that the note says that we are getting CPU microcode changes:

There are CPU microcode fixes coming out when in concert with OS changes
would also help, but that's a bit down the road at the moment.

The bottom line here is that if you are using FreeBSD you are both impacted by Meltdown and Spectre and the fixes will happen sometime in the not too distant future. FreeBSD is popular in embedded devices from NAS storage appliances to firewalls so this is a significant announcement. The other key takeaway is that we are hearing a chorus of folks who have been working on this for a month that the amount of patching required is significant and that there will be future changes coming.

2 COMMENTS

  1. Great summary. It’s times like these that you can feel how much smaller FreeBSD is and how much more dev time/ effort Linux has.

  2. @Jason B: indeed, but the view may be influenced by the fact that Linux/Apple/M$ were warned much more sooner about the issue than FreeBSD (late Dec). For example OpenBSD team was not warned at all, yet, the guys are doing tremendous job on general OS security front and all three Linux/Apple/M$ benefit from OpenBSD’s team work…

LEAVE A REPLY

Please enter your comment!
Please enter your name here