Netgate Discussion Forum

    Kernel PTI not enabled by default on Atom C3558 in latest 2.4.4RC

    2.4 Development Snapshots
    19 Posts 7 Posters 3.7k Views
    • Chucko

      I've just upgraded my router to a SuperMicro box with an Intel Atom C3558. This chip is known to be vulnerable to the "Meltdown" vulnerability.

      Running this release:

      2.4.4-RC (amd64)
      built on Tue Sep 18 17:52:29 EDT 2018
      FreeBSD 11.2-RELEASE-p3

      It appears kernel page table isolation is not enabled by default:

      [2.4.4-RC][admin@gateway2.chucko.com]/root: sysctl vm.pmap.pti
      vm.pmap.pti: 0
      [2.4.4-RC][admin@gateway2.chucko.com]/root: more /boot/loader.conf
      kern.cam.boot_delay=10000
      kern.ipc.nmbclusters="1000000"
      kern.ipc.nmbjumbop="524288"
      kern.ipc.nmbjumbo9="524288"
      kern.geom.label.disk_ident.enable="0"
      kern.geom.label.gptid.enable="0"
      zfs_load="YES"
      autoboot_delay="3"
      hw.usb.no_pf="1"
      [2.4.4-RC][admin@gateway2.chucko.com]
      

      Is this a pfSense configuration problem or an upstream FreeBSD issue?

      • stephenw10 Netgate Administrator

        That is expected. There is a checkbox to enable it in System > Advanced > Miscellaneous if you need it.

        But if you're running bare metal on that box and don't have untrusted users with logins to the firewall you probably don't.

        Steve

        • sisko212

          Has anyone tested with Kernel PTI to know how much performance has decreased?

          • Chucko @stephenw10

            @stephenw10 The checkbox is checked by default on this installation. If I uncheck it, /boot/loader.conf gets an additional line 'vm.pmap.pti="0"'. Rechecking it makes that line go away.

            This is a bare-metal installation and there are no untrusted users. But I'm still concerned that the default behavior leaves it vulnerable, AND that there's no way to turn it on in the GUI despite the appearance that it's turned on by default.

            Somewhere there's a disconnect between the expected and the actual behavior of the system with respect to KPTI.

            I would manually add the line in /boot/loader.conf, but previous experience with CPU thermal control on my old Atom D525 box says I'd have to redo that every time I update pfSense, as the defaults get rewritten on every update.

            I wouldn't class this as a show-stopper, but definitely something to check on other platforms, and figure out if it's pfSense or a broken default in FreeBSD.

            Shall I file a ticket in redmine?

            • stephenw10 Netgate Administrator

              If you make custom loader lines they should be added to /boot/loader.conf.local. That is retained across upgrades.

              What did you upgrade from?

              What you are seeing seems the opposite of what I expect and what I see on test boxes here. With that box unchecked PTI is active and I see vm.pmap.pti: 1.

              Steve

              • MikeV7896

                I'm also running a board with a C3558, the "Disable the Kernel PTI" box is not checked, and I don't see vm.pmap.pti: 1 in my /boot/loader.conf file.

                My system was a clean load of 2.4.4 beta, probably early to mid-August.

                I'll admit that I haven't checked or unchecked this box to change the setting, but my understanding from what you're posting Steve is that if it's not checked, there should be that line in the /boot/loader.conf file. And mine isn't that way.

                • Chucko @stephenw10

                  @stephenw10 OK, I missed that about loader.conf.local.

                  This was a clean installation from scratch on a brand-new box. I had installed a copy of FreeBSD 11.2 to check out the hardware, but I wiped the SSD and changed the format from UFS to ZFS when I installed pfSense.

                  From the first time I brought up the dashboard, it has read "Kernel PTI: Disabled". Using sysctl at the command line confirmed it.

                  • stephenw10 Netgate Administrator

                    Hmm, what I expect to see on a clean install is:

                    The check box is unchecked.
                    The dashboard reports Kernel PTI is enabled.
                    The sysctl is set to 1.
                    There is no loader line.

                    If you check the box that is reversed and the loader line setting it to 0 is added.

                    Steve

                    • Chucko

                      I'm sorry for the confusion, I had the state of the checkbox backwards in my report. The "Disable KPTI" box was unchecked by default. But KPTI was not enabled. That's the only difference from what you describe.

                      The box is a SuperMicro SYS-E9-200A. It uses their A2SDi-4C-HLN4F motherboard.

                      • Grimson

                        Make sure you have a BIOS with the required microcode update, AFAIK Kernel PTI will not self-activate without it.

                        • Chucko

                          I have the latest BIOS on this system, version 1.1, dated 8/28/2018.

                          • Chucko @stephenw10

                            @stephenw10 /boot/loader.conf.local was NOT preserved when I upgraded to 2.4.4 RELEASE.

                            This is a bug.

                            Fortunately KPTI is enabled by default this time.

                            • stephenw10 Netgate Administrator

                              Please open a bug report and give as much detail as possible. https://redmine.pfsense.org

                              Steve

                              • maoe-tsuru

                                I have the same issue on my Netgate XG-7100 here:

                                • Hardware: XG-7100
                                • CPU: C3558
                                • BIOS: ADI_PLCC-01.00.00.10
                                • 2.4.4-RELEASE

                                The kernel PTI checkbox is unchecked and the dashboard says Kernel PTI is disabled. /boot/loader.conf doesn't contain vm.pmap.pti: 1.

                                • stephenw10 Netgate Administrator

                                  Was that after upgrading to 2.4.4 or a clean install?

                                  Steve

                                  • MikeV7896

                                    I thought that Atom C3xxx support was added with FreeBSD 11.2, so at some point it would have been a clean install of 2.4.4... though it could have been an upgrade from beta to release...

                                    BTW, I have the same SuperMicro board as the OP, with the same BIOS update, and I'm still not seeing PTI enabled, even after checking and unchecking the advanced setting box. I haven't tried forcing it myself with loader.conf.local. My system was running 2.4.4 snapshots, and is currently running 2.4.4 release, though it was an upgrade from the RC version.

                                    • jimp Rebel Alliance Developer Netgate

                                      If PTI defaults to off, congratulations, your CPU is not affected by Meltdown and does not need PTI.

                                      Some extra clarification text here: https://redmine.pfsense.org/issues/9026

                                      • stephenw10 Netgate Administrator

                                        It was for C3000 in general but we backported the drivers for our XG-7100 into 2.4.3.

                                         However, looking into this, kernel PTI can be disabled by default if the CPU indicates it is not required using the IA32_ARCH_CAP_RDCL_NO bit:
                                         https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/identcpu.c#L1627

                                        So if you have a new enough CPU you may see this.

                                        We have put in some changes to indicate that. The checkbox is effectively 'forced disabled' or default. There is no force enabled option currently.

                                        Steve

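Steve's explanation covers why vm.pmap.pti can read 0 on a C3558 that reports RDCL_NO. As an added check (example script written for this page, not from the thread or from pfSense), the POSIX sh below separates the four states the thread conflates: PTI active, PTI not needed because the CPU sets RDCL_NO (bit 0 of IA32_ARCH_CAPABILITIES, MSR 0x10a), PTI forced off by a loader line, and PTI off with no explanation. The live part assumes cpuctl(4) is loaded and that cpucontrol(8) prints the MSR as "MSR 0x10a: 0x<hi> 0x<lo>".

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): classify the Kernel PTI state
# of a FreeBSD/pfSense host from three observable inputs.
#
#   $1  value of sysctl vm.pmap.pti (0 or 1)
#   $2  IA32_ARCH_CAPABILITIES (MSR 0x10a) low dword as 0x-prefixed hex;
#       bit 0 is RDCL_NO, the "not affected by Meltdown" flag that makes
#       FreeBSD's identcpu.c leave PTI off by default
#   $3  1 if /boot/loader.conf or loader.conf.local contains vm.pmap.pti="0"
classify_pti() {
    pti="$1"
    archcap="${2:-0x0}"
    forced="${3:-0}"
    rdcl_no=$(( $archcap & 1 ))
    if [ "$pti" = "1" ]; then
        echo pti-active          # mitigation in place
    elif [ "$rdcl_no" = "1" ]; then
        echo not-needed          # CPU reports RDCL_NO: PTI off is the expected default
    elif [ "$forced" = "1" ]; then
        echo forced-off          # the "Disable Kernel PTI" checkbox wrote the loader line
    else
        echo off-unexpected      # CPU does not claim RDCL_NO and nothing disabled PTI: investigate
    fi
}

# Gather the inputs on a live FreeBSD/pfSense box. Assumptions: cpuctl(4) is
# loaded (kldload cpuctl) and "cpucontrol -m" prints "MSR 0x10a: 0x<hi> 0x<lo>".
# A CPU without the ARCH_CAP feature faults on the MSR read; treat that as 0x0.
live_pti_check() {
    pti=$(sysctl -n vm.pmap.pti 2>/dev/null || echo 0)
    archcap=$(cpucontrol -m 0x10a /dev/cpuctl0 2>/dev/null | awk '{print $NF}')
    [ -n "$archcap" ] || archcap=0x0
    if grep -qs 'vm\.pmap\.pti="0"' /boot/loader.conf /boot/loader.conf.local; then
        forced=1
    else
        forced=0
    fi
    classify_pti "$pti" "$archcap" "$forced"
}

# Uncomment to run on the firewall itself:
# live_pti_check
```

On a box in the state the OP describes (checkbox unchecked, vm.pmap.pti 0, no loader line) the result is either not-needed or off-unexpected, and only the latter is worth a bug report.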
                                        • Chucko @MikeV7896

                                          @virgiliomi As of 2.4.4 release, my system is showing KPTI enabled on the dashboard.
