XG-1537 coreboot update issue



  • Anyone else have Netgate-shipped XG-1537 units that have the coreboot update tool installed, but the tool won't recognize it as official Netgate hardware? I've got two in this situation. I'd heard something a while back about the issue getting patched on the tool end, but it hasn't seemed to have occurred yet, and I've tested on the latest coreboot tool on 2.4.3-p1 and 2.4.4RC (0.23 and 0.25).



  • No one? I suppose I could find the model of Supermicro board it uses and update the BIOS from their site, but I don't know if Netgate made any changes/tweaks to it, so that seems risky. Anyone at all have any experiences with this?


  • Netgate Administrator

    Sorry missed you post here.

    The XG-1537 does not run Coreboot so the package does not recognise it. You can remove that package if you wish.

    I'm not aware of a BIOS update for that which includes anything we would consider a required update. Unless you have some particular reason to update I would advise against it.

    Steve



  • Thanks for the clarification. I was checking because apparently the BIOS has the required CPU microcode to enable efficient implementation of Intel's Spectre workarounds. I've been rolling out BIOS updates on our DIYed pfSense firewalls (we have a bunch based on supermicro boards like this one), as well as the coreboot updates on the netgate-sourced boxes (those are mostly for the C2000 bug, though). These just fell in the gap between the two, I guess; I'll doublecheck everything, make sure there are rollback options, and update using the supermicro BIOS if it seems safe.

    I know it's not exactly urgent or a high-exposure vulnerability in this context. It does help ease the minds of management and auditors when you've rolled out fixes for highly-publicized vulnerabilities, however remote their chances for exploitation.


  • Netgate Administrator

    If you're on 2.4.3(?) or higher you should see the microcode updated by the OS at boot anyway if it's available.

    If the microcode then supports IBPB you can enable it by setting hw.ibrs_disable to 0 as a system tunable.

    See: https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities#Spectre:Variant_2.28CVE-2017-5715.29

    Steve



  • That's great info, thanks!



  • As a more general question, is it under consideration to expose a GUI element for these mitigations, similar to the Kernel PTI mitigation switch? It might be useful for some folks.


  • Netgate Administrator

    I believe the thinking at the time was that retpoline will replace IBPB as a mitigation for Spectre. This is just a workaround until that happens so a gui element was not included.

    Feel free to open a feature request at our redmine though.

    Steve



  • That makes sense. Thanks!


Log in to reply