Add mitigations(7) describing our vulnerability mitigations
Closed, Public

Authored by emaste on Sep 9 2023, 1:01 AM.
Referenced Files
F102196196: D41794.diff
Fri, Nov 8, 7:42 PM

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

emaste requested review of this revision. Sep 9 2023, 1:01 AM
emaste updated this revision to Diff 127163.
emaste created this revision.

fill in placeholder

Lots to add still, including hw mitigations

machdep.mitigations.rngds.state: Not applicable
machdep.mitigations.rngds.enable: 1
machdep.mitigations.flush_rsb_ctxsw: 1
machdep.mitigations.taa.state: TSX not present
machdep.mitigations.taa.enable: 0
machdep.mitigations.mds.disable: 0
machdep.mitigations.mds.state: inactive
machdep.mitigations.ssb.disable: 0
machdep.mitigations.ssb.active: 0
machdep.mitigations.ibrs.disable: 1
machdep.mitigations.ibrs.active: 0

PROT_MAX

compile-time options (PIE, RELRO, BIND_NOW)

SMEP/SMAP/PAN/PXN

Flesh out list and add some .Xrs

connect to build, add .Xr from security, expand on more mitigations

Here is a diff below containing a whole new part on hardware mitigations, with a general introduction and a specific section for Zenbleed.

Please tell me if you find it too detailed or not at the right level of language.

I'm attaching the diff here since I can't update this differential revision. I could create another one if you prefer. I'm unsure which collaborative workflow is best for large edits from multiple people.

Thanks.

{F67700098}

Phab is just showing {F67700098} not the diff you attached.

In any case you're right, phab is not great for collaborative editing. I can either incorporate your text if you want to just mail it or paste it in a comment and add a Co-authored-by: tag, or we can commit an interim version of this page (without connecting it to the build at first) and iterate on it in the tree.

> Phab is just showing {F67700098} not the diff you attached.

Ah, sorry about that. I had had the same issue yesterday when viewing the page while not logged in, but after logging in I could see the name of the file and a download button, so I assumed it would be OK when you're logged in. But since you commented (logged in), something else is probably going on.

> In any case you're right, phab is not great for collaborative editing. I can either incorporate your text if you want to just mail it or paste it in a comment and add a Co-authored-by: tag, or we can commit an interim version of this page (without connecting it to the build at first) and iterate on it in the tree.

Sending it to you by mail for now (only the plain mitigations.7, which is a drop-in replacement). Iterating in the tree would be OK as well (once I can actually do that).

emaste added reviewers: olce, secteam.

Add Zenbleed info from @olce.freebsd_certner.fr

lots of mentions of "FreeBSD" in the text. Should we replace that with .Fx?

minor edits found in self-review

LGTM from manpages, it would be great to have this included for 14.0-RELEASE.

This revision is now accepted and ready to land. Oct 4 2023, 8:28 AM
share/man/man7/mitigations.7
98

New sentence new line

106

It sounds too positive to me.

120

Perhaps explain what is different between PIE and 'older' binaries WRT ASLR.

146

Note that an ASLR mode change for a process becomes effective on address space change, i.e. on execve(2).

163

NSNL

165

Maybe explain that typical victims are JIT-like programs, and that under w^x mode they need to be modified to write executable data, then change the page mode with mprotect(2).

195

Missed explanation?

209
213

Needs to explain that ABI is broken.

217

What does this title do there?

245

Sometimes sw mitigations depend on hw capabilities presented by microcode updates.

312

NSNL

343

.Xr cpucontrol 8
both for direct MSR manipulations and ucode update

emaste added inline comments.
share/man/man7/mitigations.7
106

I can just delete the 2nd sentence.

share/man/man7/mitigations.7
106

You might state s/defense/claims to improve protection/ or similar.

emaste marked 7 inline comments as done.

some feedback from kib

This revision now requires review to proceed. Oct 4 2023, 11:58 PM

Found a few typos.

share/man/man7/mitigations.7
176

s/excutable/executable/

178

s/excutable/executable/

234

s/have seeing/have seen/
Or simplify this as it's not the years that have "seen" things. Maybe start the sentence with "A growing number of new hardware vulnerabilities..."

This revision was not accepted when it landed; it landed in state Needs Review. Oct 5 2023, 5:53 PM
This revision was automatically updated to reflect the committed changes.