NetBSD 8.0, a major release of the BSD-based OS providing portability across many architectures, brings mitigations for the Spectre V2/V4, Meltdown, and Lazy FPU vulnerabilities, along with many new features and bug fixes.
NetBSD implements its Meltdown mitigation through separate virtual spaces (SVS), which unmaps kernel pages while running in user space. This is enabled by default for all vulnerable CPUs and can be disabled manually by running
# sysctl -w machdep.svs.enabled=0
Disabling SVS can be desirable when security requirements are not so strict and you prefer maximizing performance.
Spectre V2 can be tackled using a set of mitigations, both in hardware and in software:
- Intel IBRS: this is enabled if the underlying CPU is detected to support it. You can disable it by running
# sysctl -w machdep.spectre_v2.hwmitigated=0
- AMD DIS_IND: this is a hardware mitigation for AMD CPUs. It can be disabled by unsetting the hwmitigated option as shown above.
- Software mitigation (retpoline) for all other vulnerable CPUs. This can be disabled by running
# sysctl -w machdep.spectre_v2.swmitigated=0
For Spectre V4, NetBSD 8 provides two main mitigations, Intel SSBD and AMD MONARCH, which can be disabled by running
# sysctl -w machdep.spectre_v4.mitigated=0
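As an added example (not from the article and not NetBSD's own tooling), a small POSIX shell audit that reads sysctl(8) output in the "name = value" form and reports which of the knobs described above have been switched off. The knob names are the article's; the rule that Spectre V2 counts as mitigated when either the hardware or the software knob is on follows the article's description (IBRS/DIS_IND where the CPU supports it, retpoline otherwise); the sample sysctl output is constructed.

```shell
#!/bin/sh
# Audit the NetBSD 8 mitigation knobs named in the article.
# On a live host:  sysctl machdep | audit_mitigations
# Assumes sysctl(8) prints one "name = value" line per knob.

# Prints the value recorded for knob $2 in the text $1 (empty if absent).
knob_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# Reads "name = value" lines on stdin. Prints one line per vulnerability
# that is not mitigated; returns 0 if all are mitigated, 1 otherwise.
audit_mitigations() {
    input=$(cat)
    rc=0
    # Meltdown: SVS must be enabled.
    [ "$(knob_value "$input" machdep.svs.enabled)" = 1 ] \
        || { echo "NOT MITIGATED Meltdown: machdep.svs.enabled is not 1"; rc=1; }
    # Spectre V2: hardware (IBRS/DIS_IND) or software (retpoline) suffices,
    # so hwmitigated=0 alone is not a finding on a CPU running retpoline.
    hw=$(knob_value "$input" machdep.spectre_v2.hwmitigated)
    sw=$(knob_value "$input" machdep.spectre_v2.swmitigated)
    [ "$hw" = 1 ] || [ "$sw" = 1 ] \
        || { echo "NOT MITIGATED Spectre V2: hwmitigated=${hw:-absent} swmitigated=${sw:-absent}"; rc=1; }
    # Spectre V4: SSBD/MONARCH knob must be on.
    [ "$(knob_value "$input" machdep.spectre_v4.mitigated)" = 1 ] \
        || { echo "NOT MITIGATED Spectre V4: machdep.spectre_v4.mitigated is not 1"; rc=1; }
    return $rc
}

# Convenience wrapper: audit a string instead of stdin.
audit_string() {
    printf '%s\n' "$1" | audit_mitigations
}

# Constructed sample: SVS switched off, Spectre V4 knob missing entirely.
SAMPLE_OUTPUT='machdep.svs.enabled = 0
machdep.spectre_v2.hwmitigated = 1
machdep.spectre_v2.swmitigated = 1'

audit_string "$SAMPLE_OUTPUT" || echo "exit status 1: at least one mitigation is off"
```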
Lazy FPU is mitigated by making the FPU “eager”, that is, by forcing it to clean its registers on a process swap. It is interesting to note that the approach taken by NetBSD 8, i.e., enabling eager FPU behaviour only for vulnerable FPUs, differs from Linux’s, where the eagerfpu=on kernel boot argument affects all FPUs, whether they are vulnerable or not.
According to the NetBSD team, none of these mitigations will be backported to older release branches.
We urge all users to try to update to NetBSD 8.0 as soon as possible, and avoid running older NetBSD releases unless a local security expert has analyzed the setup.
Other features of NetBSD 8 include support for USB 3.0, an in-kernel audio mixer, supervisor mode access prevention, reproducible builds, which guarantee the same build results from the same source tree, full userland debug information, and many more. Read the full details in the official release notes.