OpenBSD & FreeBSD Are Still Formulating Kernel Plans To Address Meltdown+Spectre

  • OpenBSD & FreeBSD Are Still Formulating Kernel Plans To Address Meltdown+Spectre

    Phoronix: OpenBSD & FreeBSD Are Still Formulating Kernel Plans To Address Meltdown+Spectre

    On Friday DragonFlyBSD's Matthew Dillon already landed his DragonFly kernel fixes for the Meltdown vulnerability affecting Intel CPUs. But what about the other BSDs?..

    http://www.phoronix.com/scan.php?pag...ectre-Response

  • #2
    We have received *no* non-public information. I've seen posts elsewhere by other *BSD people implying that they receive little or no prior warning, so I have no reason to believe this was specific to OpenBSD and/or our philosophy. Personally, I do find it....amusing? that public announcements were moved up after the issue was deduced from development discussions and commits to a different open source OS project. Aren't we all glad that this was under embargo and strongly believe in the future value of embargoes?
    You didn't receive any non-public information in advance because the BSDs have little commercial relevance and Intel tried to keep the number whom they informed about the vulnerability in advance to a minimum to avoid any risk of leakage. I work for one of the large software and our internal security team was informed about the vulnerability as of early November and also received preliminary patches from Intel.


    • #3
      Originally posted by monraaf
      You didn't receive any non-public information in advance because the BSDs have little commercial relevance and Intel tried to keep the number whom they informed about the vulnerability in advance to a minimum to avoid any risk of leakage. I work for one of the large software and our internal security team was informed about the vulnerability as of early November and also received preliminary patches from Intel.
      No, OpenBSD does not receive non-public information because Theo de Raadt already said several times he does not sign NDA, and OpenBSD had already not respected an embargo in the past.

      Btw, FreeBSD and OpenBSD are heavily used by ISPs world-wide.
      Last edited by alexcortes; 01-06-2018, 11:05 AM.


      • #4
        Originally posted by alexcortes
        Btw, FreeBSD and OpenBSD are heavily used by ISPs world-wide.
        The upstream projects or the downstream derivatives? Because if we talk of production systems I mostly know of commercial derivatives that just add their patches on top and never release the source. And only run in the company's router/firewall/whatever appliance product, of course.

        AFAIK usually the company behind the commercial derivatives signed NDAs with Intel, what happened with the last Atom bug on embedded Atom SoCs used in networking equipment proves it.
        Last edited by starshipeleven; 01-06-2018, 11:20 AM.


        • #5
          Originally posted by monraaf
          because the BSDs have little commercial relevance and Intel tried to keep the number whom they informed about the vulnerability in advance to a minimum to avoid any risk of leakage.
          Netflix runs the majority of FreeBSD servers. Their commercial relevance is pretty damn relevant in the UK


          • #6
            Originally posted by alexcortes
            No, OpenBSD does not receive non-public information because Theo de Raadt already said several times he does not sign NDA, and OpenBSD had already not respected an embargo in the past.

            Btw, FreeBSD and OpenBSD are heavily used by ISPs world-wide.
            Is the same info about NDAs relevant for FreeBSD as for OpenBSD?
            This whole thing is absurd in a way; but for BSD users and developers, it must be beyond ridiculous and infuriating.


            • #7
              50+ years old, not just decade or two.
              http://ieeexplore.ieee.org/document/...8/?reload=true

              "We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare"
              http://www.theregister.co.uk/2018/01...s_annotations/

              Btw, FreeBSD was made aware of the security nightmare in the second half of December (much later than most other non-publicly informed OS'es). OpenBSD got info from public sources like the rest of us.


              • #8
                Originally posted by aht0
                50+ years old, not just decade or two.
                http://ieeexplore.ieee.org/document/...8/?reload=true
                Neat. An article about exploiting speculatory execution as implemented in an IBM System/360 Model 91, a processor from 1966.

                It's the same general principle of what Spectre vulnerability does. Meltdown is just Intel pushing stuff too far.


                • #9
                  Awesome stuff. Thank you aht0
