Netgate Discussion Forum
    Kernel PTI not enabled by default on Atom C3558 in latest 2.4.4RC

    2.4 Development Snapshots
    • Grimson Banned

      Make sure you have a BIOS with the required microcode update; AFAIK Kernel PTI will not self-activate without it.

      • Chucko

        I have the latest BIOS on this system, version 1.1, dated 8/28/2018.

        • Chucko @stephenw10

          @stephenw10 /boot/loader.conf.local was NOT preserved when I upgraded to 2.4.4 RELEASE.

          This is a bug.

          Fortunately KPTI is enabled by default this time.

          • stephenw10 Netgate Administrator

            Please open a bug report and give as much detail as possible. https://redmine.pfsense.org

            Steve

            • maoe-tsuru

              I have the same issue on my Netgate XG-7100 here:

              • Hardware: XG-7100
              • CPU: C3558
              • BIOS: ADI_PLCC-01.00.00.10
              • 2.4.4-RELEASE

              The kernel PTI checkbox is unchecked and the dashboard says Kernel PTI is disabled. /boot/loader.conf doesn't contain vm.pmap.pti: 1.

              • stephenw10 Netgate Administrator

                Was that after upgrading to 2.4.4 or a clean install?

                Steve

                • MikeV7896

                  I thought that Atom C3xxx support was added with FreeBSD 11.2, so at some point it would have been a clean install of 2.4.4... though it could have been an upgrade from beta to release...

                  BTW, I have the same SuperMicro board as the OP, with the same BIOS update, and I'm still not seeing PTI enabled, even after checking and unchecking the advanced setting box. I haven't tried forcing it myself with loader.conf.local. My system was running 2.4.4 snapshots, and is currently running 2.4.4 release, though it was an upgrade from the RC version.

                  The S in IOT stands for Security

                  • jimp Rebel Alliance Developer Netgate

                    If PTI defaults to off, congratulations, your CPU is not affected by Meltdown and does not need PTI.

                    Some extra clarification text here: https://redmine.pfsense.org/issues/9026

                    • stephenw10 Netgate Administrator

                      It was for C3000 in general but we backported the drivers for our XG-7100 into 2.4.3.

                      However, looking into this, kernel PTI can be disabled by default if the CPU indicates it is not required using the IA32_ARCH_CAP_RDCL_NO bit:
                      https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/identcpu.c#L1627

                      So if you have a new enough CPU you may see this.

                      We have put in some changes to indicate that. The checkbox is effectively 'forced disabled' or default. There is no force enabled option currently.

                      Steve

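The default described in the post above, modeled as a small C program. This is an added example, not part of the original thread and not FreeBSD's own code: `struct cpu_report`, `pti_default`, `pti_effective` and `PTI_TUNABLE_UNSET` are hypothetical names, and it assumes an explicit vm.pmap.pti loader tunable overrides the CPU-derived default.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural constants (Intel SDM; FreeBSD names them in specialreg.h). */
#define CPUID7_EDX_ARCH_CAP   (1u << 29)  /* CPUID.(EAX=7,ECX=0):EDX[29]: MSR 0x10a exists */
#define IA32_ARCH_CAP_RDCL_NO (1ull << 0) /* IA32_ARCH_CAPABILITIES[0]: not affected by Meltdown */

#define PTI_TUNABLE_UNSET (-1)            /* hypothetical marker: no vm.pmap.pti in loader.conf(.local) */

struct cpu_report {                       /* hypothetical container for values read from the CPU */
    uint32_t cpuid7_edx;                  /* raw EDX from CPUID leaf 7, subleaf 0 */
    uint64_t arch_cap_msr;                /* raw IA32_ARCH_CAPABILITIES, valid only if enumerated */
};

/* Default picked when no tunable is set: on, unless the CPU reports RDCL_NO. */
static int pti_default(const struct cpu_report *c)
{
    /* Without the CPUID enumeration bit the MSR value must not be trusted. */
    if ((c->cpuid7_edx & CPUID7_EDX_ARCH_CAP) == 0)
        return 1;
    return (c->arch_cap_msr & IA32_ARCH_CAP_RDCL_NO) ? 0 : 1;
}

/* Effective state: an explicit vm.pmap.pti tunable wins over the CPU-derived default (assumption). */
static int pti_effective(const struct cpu_report *c, int tunable, const char **why)
{
    if (tunable != PTI_TUNABLE_UNSET) {
        *why = tunable ? "forced on by vm.pmap.pti=1" : "forced off by vm.pmap.pti=0";
        return tunable != 0;
    }
    if (pti_default(c)) { *why = "default on: CPU does not report RDCL_NO"; return 1; }
    *why = "default off: CPU reports RDCL_NO";
    return 0;
}

int main(void)
{
    /* Constructed sample values, not readings from any board in this thread. */
    struct cpu_report older = { 0, 0 };
    struct cpu_report newer = { CPUID7_EDX_ARCH_CAP, IA32_ARCH_CAP_RDCL_NO };
    const char *why;
    int on;

    on = pti_effective(&older, PTI_TUNABLE_UNSET, &why); printf("older: %d (%s)\n", on, why);
    on = pti_effective(&newer, PTI_TUNABLE_UNSET, &why); printf("newer: %d (%s)\n", on, why);
    on = pti_effective(&newer, 1, &why);                 printf("newer+tunable: %d (%s)\n", on, why);
    return 0;
}
```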
                        • Chucko @MikeV7896

                        @virgiliomi As of 2.4.4 release, my system is showing KPTI enabled on the dashboard.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.