The FreeBSD security team posted their update on Meltdown and Spectre and there are a few key items that anyone using FreeBSD should be aware of. It seems as though the FreeBSD team is behind many of the major Linux vendors when it comes to Meltdown patching.
From the security mailing list update:
The FreeBSD Security Team was notified of the issue in late December and received a briefing under NDA with the original embargo date of January 9th. Since we received relatively late notice of the issue, our ability to provide fixes is delayed.
(Source: FreeBSD Security Mailing List)
We suggest that anyone running a FreeBSD-heavy shop read the entire announcement. For others, here are the highlights in bullet form.
FreeBSD Meltdown Fixes
- As of 08 January 2018, these are not implemented.
- The target for Project Zero variant 3 (CVE-2017-5754) is expected to go through dev and test in the next two weeks.
- The first push for this will be into 11.1-Release for amd64. Expect older 10 series FreeBSD lines to be updated later.
- The patch code will default to enabled on Intel CPUs and disabled on AMD CPUs.
FreeBSD Spectre Fixes
- These appear likely to be addressed later, as they will require additional analysis and testing.
- Variant 2 (CVE-2017-5715) impacts bhyve along with normal processes.
Another important point is that the announcement says CPU microcode changes are coming:
There are CPU microcode fixes coming out when in concert with OS changes would also help, but that's a bit down the road at the moment.
The bottom line is that if you are using FreeBSD you are impacted by both Meltdown and Spectre, and the fixes will arrive sometime in the not-too-distant future. FreeBSD is popular in embedded devices, from NAS storage appliances to firewalls, so this is a significant announcement. The other key takeaway is that we are hearing from a chorus of people who have been working on this for a month that the amount of patching required is significant and that further changes will follow.