back to article OpenBSD releases Meltdown patch

OpenBSD's Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel's – pretty much the same approach as was taken in the Linux kernel. A few days after the Meltdown/Spectre bugs emerged in January, OpenBSD's Phillip Guenther responded to user concerns with a post …

  1. Andy The Hat Silver badge

    Still concerning ...

    ... that the OS is being patched to cover a processor microcode issue.

    Perhaps microcode and/or firmware updates can't cover the basic design flaws but making every OS and firmware developer try to mitigate the CPU designers flaws with their own solutions, which may or may not work correctly, doesn't give me a particularly warm and fuzzy feeling of security.

    Imagine a car model designed with a door lock that accepts any key. While Ed the Mechanic's solution of putting a bit of tape over the keyholes of the cars in his garage would locally mitigate the problem it's neither a good solution or a general one. The manufacturer should be stepping up to replace the locks ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Still concerning ...

      "... that the OS is being patched to cover a processor microcode issue."

      Meltdown is not a processor microcode issue, and cannot be fixed/mitigated with processor microcode updates. Spectre is not a processor microcode issue, but some cases can be somewhat mitigated with processor microcode changes.

      1. bombastic bob Silver badge
        Boffin

        Re: Still concerning ...

        "Meltdown is not a processor microcode issue"

        that may not actually be true. In the case of meltdown, it's a serious design flaw in which a memory access is being done during 'out of order' execution, that bypasses normal tests. "At some point" the page fault or protection fault will occur, but not until AFTER the memory location was actually read in.

        The problem here might be fixable with microcode if the microcode can be modified to avoid actually reading any memory location until after all "leading up to it" read operations have been access checked.

        As I understand it, Meltdown crafts code to execute 'out of order' by first reading a kernel memory location into a register, and then uses that value as an index into an array. The 'out of order execution' model ends up calculating the correct memory offset (even though there should have been an access violation) and then 'hits' the memory location within the array [and you use the side-channel technique of measuring which block of your array is now 'cached' after that]. A page fault or some kind of access violation occurs too long AFTER the kernel memory was accessed, and (specifically) NOT before reading the memory location within the array indexed by the kernel memory location's byte value, which is what makes this attack possible. [the array would be specifically designed for this and deliberately flushed from all caches before doing this, one byte at a time].

        Fixing this would involve determining that the initial access into kernel space was not valid, and thereby STOP the rest of the 'out of order / hyperthreading execution' stuff from happening. This assumes it's microcode, and not flawed silicon causing this. It also explains why Intel is vulnerable, and not AMD, because [apparently] the AMD people figured out that this was a BAD thing beforehand.

        And then I have to wonder if there's a slight performance hit by doing this in the silicon or in the microcode, therefore implying that Intel 'cheated' by allowing the flaw to be there to ge a slight boost in speed over AMD. This last part is pure speculation of course. It could have been accidental, too.

        So yeah, MAYBE Meltdown can be patched in microcode. Unless you've heard different from Intel... ?

        1. Maelstorm Bronze badge

          Re: Still concerning ...

          "So yeah, MAYBE Meltdown can be patched in microcode. Unless you've heard different from Intel... ?"

          Knowing how CPUs are designed, there's not much microcode in them these days. Certain complicated instructions like the string instruction are microcoded. However, in many cases, the control units for pipelined CPUs are basically just wired logic. Intel now uses a RISC core and the execution unit breaks up the instruction into several RISC instructions, or VLIW type instructions (Itanium anyone?). Privilege checking is done on the RISC side which does not use any microcode. However, some operations can be governed by the microcode. It depends on the specific design of the CPU.

        2. Doctor Syntax Silver badge

          Re: Still concerning ...

          "So yeah, MAYBE Meltdown can be patched in microcode. Unless you've heard different from Intel."

          AIUI initially Intel were saying it couldn't be fixed in microcode. Do they still say that?

  2. BinkyTheMagicPaperclip Silver badge

    Well it still works

    Being OpenBSD, upgrading is a doddle. No idea if it's any slower, possibly took a bit longer to load X, browser performance seems much of a muchness.

  3. zuul

    Nitpick

    The diff linked to is the proposed FreeBSD fix - not OpenBSD.

    1. bombastic bob Silver badge
      Devil

      Re: Nitpick

      really? well I'm actually looking forward to the FBSD fix.

  4. Zippy's Sausage Factory

    Personally I've tried OpenBSD and never really got very far with it. But then I guess since my start with Slackware* I've become weak and coddled by Ubuntu...

    * Just realised that's now over 20 years ago. Sheesh.

    1. Alistair
      Windows

      @Zippy

      Spend 8 months in Gentoo. That'll fix ya up.

    2. Peter Gathercole Silver badge

      @Zippy

      Just think how I feel.

      In October, I will celebrate the 40th anniversary of logging on to a UNIX system for the first time.

      Cue up the real grey-beards...

      1. jake Silver badge

        Re: @Zippy

        Unix Version 5 at Berkeley for me. Septemberish 1974, just prior to ken's arrival. Where does the time go?

        Zippy, might want to try Slackware again. Especially if you dislike systemd.

        (I do not now, and never have sported a beard. Long, grey or otherwise.)

    3. HieronymusBloggs

      "I've tried OpenBSD and never really got very far with it."

      I recently switched my desktop PC to OpenBSD after nearly two decades of Debian use. I was pleasantly surprised by how easy it is to set up now (much easier than 10 years ago when I tried it previously). It reminds me of Debian from around 2000 in terms of leanness and simplicity, but more polished and user-friendly.

      1. Nate Amsden

        really? I have used OpenBSD mainly on firewalls for the past 13 years. Most recently installed 6.0 shortly after it came out, and the setup process was basically identical to what I remembered 13 years ago(OpenBSD 3.x ??). Most vividly remember the funky disk setup tool.

        I'm not trying to say it is a terrible setup I guess I give them props to maintaining a stable user interface.

        Maybe X11 specific stuff has improved a lot though am not sure haven't tried X on a local display on openbsd.

        I have two more firewall appliances(http://www.mini-box.com/ALIX-APU-2C2-AMD-G-Series-GX-412TC?sc=8&category=1361) that have been sitting around since last year that I need to put OpenBSD on, first system has been rock solid, very nice little units, I used Soekris before though my old Soekris boxes can't handle my 250meg internet link.

        1. HieronymusBloggs

          "I have used OpenBSD mainly on firewalls for the past 13 years. Most recently installed 6.0 shortly after it came out, and the setup process was basically identical to what I remembered 13 years ago"

          I only tried it briefly 10 years ago, but don't remember it being so easy to set up as a desktop system. With over 9000 packages available now, and a package management system that handles dependencies automatically it is not difficult.

          It took me less time to set up a 6.2 desktop than it took to set up the Debian 9 equivalent. (Having said that, every new version of Debian seems to have more 'fashion-statement' stuff which I have to undo to make it usable).

        2. BinkyTheMagicPaperclip Silver badge

          The installation program is fairly similar - it's actually more streamlined as time goes on, and tries to make sensible default decisions.

          Probably one of the easiest and quickest installs out there. The disk utilities are very flexible but fiddly if you want to do anything unusual, for a disk dedicated to OpenBSD, or with a limited number of existing partitions it's a doddle.

      2. Zippy's Sausage Factory

        @HieronymusBloggs I might try it again. My problem is my inherent laziness, not OpenBSD itself. :)

  5. Maelstorm Bronze badge

    Well...

    ...OpenBSD is actually respected as being the most secure OS in the world. Complement Theo de Raadt and he will thank you. Theo has some words to say about the Meltdown and Spectre flaws...aimed straight at Intel, and he was not too kind about it either...then agan, neither was Linus Torvalds. I found out 2 days ago that FreeBSD has been working on a fix. I was wondering if I had to code a fix myself and submit it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon