Kernel PTI disabled



  • Question regarding kernel PTI. In the advanced options, I do NOT check the box "Disable the kernel PTI." My understanding is that in this case kernel PTI is ENABLED. Yet under system information on the dashboard, Kernel PTI is listed as DISABLED. Is this a bug in pfsense or in my head?


  • Netgate Administrator

    What hardware are you running?

    Steve



  • I'm running with an AMD A6-7400K Radeon R5 and it looks like Kernel PTI isn't supported? The option is unchecked, as default.



  • The CPU (being AMD) is not vulnerable to meltdown etc so whatever you select in the options makes no difference to the kernel.



  • I noticed this as well on my APU2.



  • Thank you for the responses and the key pointer. I totally "forgot" that the pfsense instance in question is indeed running on an AMD APU, which is not sensitive to the Meltdown bug addressed by this setting. Case closed.



  • But what happens if on an AMD processor (FX-8350) you have an emulated Westmere E56xx/L56xx/X56xx (Nehalem-C) CPU?

    I have PTI DISABLED (no matter if I put or not the check in the advanced option) so it detects the real CPU instead of the emulated one?


  • Netgate Administrator

    Seems like it's not emulating it very well then if the host CPU can still be detected.

    Does it emulate the Meltdown vulnerabilities?  ;)  If not you probably don't need PTI anyway.

    Steve



  • If your vendor, HP in my case, has released a BIOS upgrade for Spectre/Meltdown do you need to enable Kernel PTI? Does it matter?


  • Netgate Administrator

    Enabling it in pfSense prevents users/processes accessing the memory regions of other users/processes by exploiting the Meltdown vulnerability.

    As I understand it that only affects users/processes running in pfSense not pfSense as a VM. You need to be looking for a fix in the hypervisor for that.

    In general Meltdown/Spectre has minimal impact for most pfSense use cases where there are not multiple users with different privilege levels running on the firewall. IMO  ;)

    Still better to have it available than not though.

    Steve
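    A way to check from the pfSense shell what the thread discusses, as an added example that is not part of this thread or of pfSense itself: it reads the CPUID vendor the FreeBSD kernel logged at boot (the `Origin="..."` line in /var/run/dmesg.boot), the `vm.pmap.pti` and `kern.vm_guest` sysctls, and classifies the result the way the replies above do (AMD: PTI off by design, so the dashboard's DISABLED is expected; Intel: PTI should be on; VM guest: isolation between VMs is the hypervisor's job). It assumes, as the thread does, that the "Disable the kernel PTI" checkbox only ever forces `vm.pmap.pti=0` and otherwise leaves the kernel default, and that the kernel's default is off on AMD/Hygon CPUs. Outside FreeBSD the script falls back to constructed sample values so it still runs.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile the dashboard's "Kernel PTI"
# line with what the FreeBSD kernel under pfSense actually decided.
# Assumption (labelled): the kernel defaults PTI off on AMD/Hygon CPUIDs, and
# the pfSense advanced option can only force it off, so on AMD both settings
# give the same visible result.

# CPUID vendor string the kernel logged at boot, e.g. Origin="AuthenticAMD".
# Empty when run outside FreeBSD (the script then uses sample data below).
cpu_origin() {
    sed -n 's/.*Origin="\([^"]*\)".*/\1/p' /var/run/dmesg.boot 2>/dev/null | head -n 1
}

# pti_verdict ORIGIN VM_GUEST PTI -> one of:
#   amd-expected   AMD/Hygon CPU: PTI off regardless of the option
#   intel-active   Intel CPU: PTI on
#   intel-review   Intel CPU but PTI off: check the advanced option / vm.pmap.pti
#   unknown        CPUID vendor not recognised
# A "-guest" suffix is added when kern.vm_guest is not "none": Meltdown across
# VMs is mitigated (or not) by the hypervisor, not by the guest kernel's PTI.
pti_verdict() {
    origin=$1; vm_guest=$2; pti=$3
    case "$origin" in
        AuthenticAMD|HygonGenuine) code=amd-expected ;;
        GenuineIntel)
            if [ "$pti" = "1" ]; then code=intel-active; else code=intel-review; fi ;;
        *) code=unknown ;;
    esac
    [ "$vm_guest" = "none" ] || code="$code-guest"
    printf '%s\n' "$code"
}

# Human-readable explanation for a verdict code (one or two lines).
pti_explain() {
    case "$1" in
        amd-expected*) echo "AMD-family CPU: kernel never applies PTI; dashboard shows DISABLED by design" ;;
        intel-active*) echo "Intel CPU: PTI active, kernel and user page tables are isolated" ;;
        intel-review*) echo "Intel CPU but PTI inactive: check the advanced option / vm.pmap.pti loader tunable" ;;
        *)             echo "Unrecognised CPUID vendor '$1': verify manually" ;;
    esac
    case "$1" in
        *-guest) echo "Running as a VM guest: look to the hypervisor for Meltdown/Spectre fixes between VMs" ;;
    esac
}

# Live values on FreeBSD; constructed sample values elsewhere (the thread's
# AMD FX/APU, bare metal, checkbox left unchecked).
origin=$(cpu_origin)
if [ -n "$origin" ]; then
    vm_guest=$(sysctl -n kern.vm_guest 2>/dev/null || echo none)
    pti=$(sysctl -n vm.pmap.pti 2>/dev/null || echo 0)
else
    origin=AuthenticAMD; vm_guest=none; pti=0   # constructed sample values
fi
verdict=$(pti_verdict "$origin" "$vm_guest" "$pti")
echo "origin=$origin kern.vm_guest=$vm_guest vm.pmap.pti=$pti -> $verdict"
pti_explain "$verdict"
```

    On the AMD boxes in this thread the output is `amd-expected`, matching the DISABLED line on the dashboard; the `intel-review` verdict is the one worth acting on, and the `-guest` suffix is the reminder from the last reply that a VM's own PTI setting does nothing for isolation between guests.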