I wasn’t going to write anything on the recently found x64-architecture-related bugs. I’m neither a kernel developer nor even a programmer, and I can’t say that I have a solid understanding of what the Meltdown and Spectre attacks are. Also, there is already a ton of articles and posts written by people who have no grasp of the subject.
I’m however a malcontent and I find this a good way to express my feelings:
Intel: as a *BSD user, I am fucking pissed!
UPDATE: Intel released microcode updates that are already available for NetBSD (sysutils/intel-microcode-netbsd) and FreeBSD (sysutils/devcpu-data)
Bugs related to the x86-64 architecture were found by 4 different people or teams, who were willing to disclose this information to Intel (and maybe AMD and ARM Holdings). There is supposedly no way of knowing for how long these bugs – introduced around 2006 – were in use*.
Knowledge that something stinks around Intel has been made public – of all places – on Tumblr, 4chan and then reddit. Earlier there was the cyber.wtf post on possible issues with speculative execution, and Brian Krzanich – Intel’s CEO – selling as much Intel stock as possible (he is forced to still own some as per his agreement).
As I have an opportunity to do so publicly – I would like to thank every person involved in discovering and disclosing these bugs to Intel. Your work is huge!
How I see the timeline
- Google Project Zero informs Intel, AMD and ARM Holdings about tragic flaws in their CPUs
- At some point other researchers inform Intel about the flaws.
- At some point someone notifies Linux kernel developers
- At some point someone notifies Apple
- At some point someone notifies Microsoft
- At some point someone notifies Amazon (that might have been later)
- “Negative Result: Reading Kernel Memory From User Mode” cyber.wtf post
- Intel’s CEO – Brian Krzanich – sells as many Intel shares as he is allowed to
- Apple quietly updates their software
- Linux kernel source changes made publicly visible
- “The mysterious case of the Linux Page Table Isolation patches” post on Tumblr
- “Intel bug incoming” /r/sysadmin thread
- Intel’s response “it’s not only us, we’re working with several operating system vendors”
- Google Project Zero posts their findings
- In response to Intel’s PR, spectreattack.com and meltdownattack.com sites are published with information on already patched operating systems: Linux, Windows and macOS
- OpenBSD – “We have received no non-public information” – Meltdown, aka “Dear Intel, you suck”
- Apple releases the statement on High Sierra, Sierra and El Capitan (macOS versions) updates made a month earlier – macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
- FreeBSD – “notified of the issue in late December” – Response to Meltdown and Spectre
- End of embargo.
Meltdown, Spectre and BSD – the “pissed” part
Part of my work is UNIX-like systems administration – including BSDs and Linuces. As much as I am happy with Linux changes already made, I am beyond pissed about how the BSDs were handled by Intel – because they were not. FreeBSD Security Team received some heads-up just before Xmas, while OpenBSD, NetBSD and DragonflyBSD teams received no prior warnings.
Meltdown and Spectre attacks are hard to perform. It is hard work to mitigate them in software, as the bugs lie in the CPUs and are not fixable by microcode updates. Developers are trying to mitigate these bugs in a way that will deliver the smallest performance losses. A lot of time-consuming work is needed to fix CPU vendors’ mistakes. Linux developers had this time. BSD developers did not.
BSD user base too small?
However, gamers and Netflix aren’t the only ones who use *BSD systems. I’d say that there are more than a few FreeBSD, NetBSD, OpenBSD and DragonFlyBSD servers on the internet.
In March 2017, Intel promised “more timely support to FreeBSD”. They knew about the flaws in their CPUs in June and decided that a timely manner meant the end of December – shortly before the embargo was to be lifted.
Secretive comments and publishing new Linux kernel code did not help. My wording may be strong, but I’m looking at Linux developers here as the people who leaked the information on the bugs. As it was embargoed – I see no real reason to publicly post the code that included speculative comments (pun intended) and macros for the whole world to see. Such work should be performed more secretively and not on public svn/git/web/whatever repos.
Just to be clear: I’m administering Linux and *BSD systems in my work. I am not trying to start any form of flame war.
Anyway, the embargo was to be lifted today (January 9; probably because it is the second Tuesday of the month and Windows patches were to be pushed today) and there are no fixes available yet for OpenBSD, NetBSD and FreeBSD. Matthew Dillon of the DragonFlyBSD project reports some work already done.
Linux kernel sources leaked during the embargo didn’t change much.
Intel and Google (probably Intel more): it was your job to pick the correct people to whom the bugs could be disclosed. In my humble opinion you chose poorly by disclosing these issues, among OS vendors, to ONLY Apple, Microsoft, and the Linux Foundation. You did much harm to the BSD community.
Intel: these are your bugs. And you offered “more support” to the FreeBSD Foundation less than 3 months prior to being informed (my guess is that you knew much earlier) of the flaws in YOUR products. I don’t want to write more here as the wording would be too strong.
Meltdown, Spectre and Apple
Apple has used Intel’s processors since 2006, when they switched from Freescale’s PowerPC architecture. This is exactly the time when the bugs were introduced in the name of performance.
Apple made some updates in early December. They were quiet about it (IIRC, it was just another “Thunderbolt firmware update” on macOS), but these updates were the microsofty kind, with information popping up several times.
At some point information on the Sierra and El Capitan updates disappeared from Apple’s site. I’m really hoping that this is not their way of forcing people towards High Sierra, as this macOS version had a few very serious security flaws itself and many folks feel safer on older OS X, macOS and iOS versions.
As Apple is not only an operating system vendor – they deliver both software and hardware, and they literally sold insecure products – it is expected that they will patch at least the few latest operating system versions.