PfSense 2.4.3 snapshots with Kernel PTI mitigations available for testing!

ivor

pfSense version 2.4.3 snapshots with Kernel PTI mitigations for #Meltdown are now available for download. We would love to hear about performance results from you! We have exposed the kernel option to enable / disable same.

https://www.pfsense.org/snapshots/

PiBa

For my testbox it always shows as disabled on the dashboard.. (and the sysctl vm.pmap.pti is always 0).

System Information   
Version	2.4.3-DEVELOPMENT (amd64) 
built on Fri Feb 23 13:50:19 CST 2018 
FreeBSD 11.1-RELEASE-p6 

The system is on the latest version.
Version information updated at Sat Feb 24 14:59:14 CET 2018	  
Kernel PTI	Disabled

While the loader.conf does not contain vm.pmap.pti="0" at that time.

After enabling/disabling the option in gui misc settings a few times my loader.conf looks like this.. (4x the pti option..):

kern.cam.boot_delay=10000
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"
vm.pmap.pti="0"
vm.pmap.pti="0"
vm.pmap.pti="0"
autoboot_delay="3"
hw.usb.no_pf="1"
vm.pmap.pti="0"

Think it needs a bit more work.?.

ivor

Did you reboot after making changes? We'll add that to description in the next snaps.

PiBa

Yes rebooted several times..

It seems to be disabled by default in the kernel, and 'forcefully' disabled by the setting in loader.conf when disabled through the gui. Which is never removed by the gui again..
I changed the loader.conf manually to have vm.pmap.pti="1" rebooted and then dashboard will say "Enabled".

As for actual effects of the setting, i have not tried any performance testing, or seen any problems sofar myself.

bfeitell

It might be helpful to know whether you are running AMD or Intel in your test box.  I have not read through the development threads for the page table isolation code under FreeBSD, but under Linux the code includes CPU detection.  In Linux, the PTI code is activated automatically only on Intel hardware to mitigate Meltdown.  AMD processors are not susceptible to Meltdown, but PTI may be forced anyway with kernel boot parameters.  I wonder if you are experiencing something similar here.

PiBa

Ah that could explain why its disabled by default from the kernel indeed.. Testbox uses this AMD cpu:

CPU Type	AMD Phenom(tm) 9850 Quad-Core Processor
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: No

Still leaves the strange loader.conf behavior thought where the vm.pmap.pti="0" setting gets added multiple times upon rebooting..

ivor

GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.

We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

From https://www.amd.com/en/corporate/speculative-execution

As bfeitell notices, it's not automatic on AMD but it's also not necessary either. We will fix a few more details. Thanks for your feedback PiBa and bfeitell!

loos

@PiBa:

Still leaves the strange loader.conf behavior thought where the vm.pmap.pti="0" setting gets added multiple times upon rebooting..

This is fixed now PiBa, thanks.