Kernel PTI not enabled by default on Atom C3558 in latest 2.4.4RC



  • I've just upgraded my router to a SuperMicro box with an Intel Atom C3558. This chip is known to be vulnerable to the "Meltdown" vulnerabililty.

    Running this release:

    2.4.4-RC (amd64)
    built on Tue Sep 18 17:52:29 EDT 2018
    FreeBSD 11.2-RELEASE-p3

    It appears kernel page table isolation is not enabled by default:

    [2.4.4-RC][admin@gateway2.chucko.com]/root: sysctl vm.pmap.pti
    vm.pmap.pti: 0
    [2.4.4-RC][admin@gateway2.chucko.com]/root: more /boot/loader.conf
    kern.cam.boot_delay=10000
    kern.ipc.nmbclusters="1000000"
    kern.ipc.nmbjumbop="524288"
    kern.ipc.nmbjumbo9="524288"
    kern.geom.label.disk_ident.enable="0"
    kern.geom.label.gptid.enable="0"
    zfs_load="YES"
    autoboot_delay="3"
    hw.usb.no_pf="1"
    [2.4.4-RC][admin@gateway2.chucko.com]
    

    Is this a pfSense configuration problem or an upstream FreeBSD issue?


  • Netgate Administrator

    That is expected. There is a checkbox to enable it in System > Advanced > Miscellaneous if you need it.

    But if you're running bare metal on that box and don't have untrusted users with logins to the firewall you probably don't.

    Steve



  • Has anyone tested with Kernel PTI to know how much performance has decreased?



  • @stephenw10 The checkbox is checked by default on this installation. If I uncheck it, /boot/loader.conf gets an additional line 'vm.pmap.pti="0"'. Rechecking it makes that line go away.

    This is a bare-metal installation and there are no untrusted users. But I'm still concerned that the default behavior leaves it vulnerable, AND that there's no way to turn it on in the GUI despite the appearance that it's turned on by default.

    Somewhere there's a disconnect between the expected and the actual behavior of the system with respect to KPTI.

    I would manually add the line in /boot/loader.conf, but previous experience with CPU thermal control on my old Atom D525 box says I'd have to redo that every time I update pfSense, as the defaults get rewritten on every update.

    I wouldn't class this as a show-stopper, but definitely something to check on other platforms, and figure out if it's pfSense or a broken default in FreeBSD.

    Shall I file a ticket in redmine?


  • Netgate Administrator

    If you make custom loader lines they should be added to /boot/loader.conf.local. That is retained across upgrades.

    What did you upgrade from?

    What you are seeing seems the opposite of what I expect and what I see on test boxes here. With that box unchecked PTI is active and I see vm.pmap.pti: 1.

    Steve



  • I'm also running a board with a C3558, the "Disable the Kernel PTI" box is not checked, and I don't see vm.pmap.pti: 1 in my /boot/loader.conf file.

    My system was a clean load of 2.4.4 beta, probably early to mid-August.

    I'll admit that I haven't checked or unchecked this box to change the setting, but my understanding from what you're posting Steve is that if it's not checked, there should be that line in the /boot/loader.conf file. And mine isn't that way.



  • @stephenw10 OK, I missed that about loader.conf.local.

    This was a clean installation from scratch on a brand-new box. I had installed a copy of FreeBSD 11.2 to check out the hardware, but I wiped the SSD and changed the format from UFS to ZFS when I installed pfSense.

    From the first time I brought up the dashboard, it has read "Kernel PTI: Disabled". Using sysctl at the command line confirmed it.


  • Netgate Administrator

    Hmm, what I expect to see on a clean install is:

    The check box is unchecked.
    The dashboard reports Kernel PTI is enabled.
    The sysctl is set to 1.
    There is no loader line.

    If you check the box that is reversed and the loader line setting it to 0 is added.

    Steve



  • I'm sorry for the confusion, I had the state of the checkbox backwards in my report. The "Disable KPTI" box was unchecked by default. But KPTI was not enabled. That's the only difference from what you describe.

    The box is a SuperMicro SYS-E9-200A. It uses their A2SDi-4C-HLN4F motherboard.



  • Make sure you have a BIOS with the required microcode update, AFAIK Kernel PTI will not self-activate without it.



  • I have the latest BIOS on this system, version 1.1, dated 8/28/2018.



  • @stephenw10 /boot/loader.conf.local was NOT preserved when I upgraded to 2.4.4 RELEASE.

    This is a bug.

    Fortunately KPTI is enabled by default this time.


  • Netgate Administrator

    Please open a bug report and give as much detail as possible. https://redmine.pfsense.org

    Steve



  • I have the same issue on my Netgate XG-7100 here:

    • Hardware: XG-7100
    • CPU: C3558
    • BIOS: ADI_PLCC-01.00.00.10
    • 2.4.4-RELEASE

    The kernel PTI checkbox is unchecked and the dashboard says Kernel PTI is disabled. /boot/loader.conf doesn't contain vm.pmap.pti: 1.


  • Netgate Administrator

    Was that after upgrading to 2.4.4 or a clean install?

    Steve



  • I thought that Atom C3xxx support was added with FreeBSD 11.2, so at some point it would have been a clean install of 2.4.4... though it could have been an upgrade from beta to release...

    BTW, I have the same SuperMicro board as the OP, with the same BIOS update, and I'm still not seeing PTI enabled, even after checking and unchecking the advanced setting box. I haven't tried forcing it myself with loader.conf.local. My system was running 2.4.4 snapshots, and is currently running 2.4.4 release, though it was an upgrade from the RC version.


  • Rebel Alliance Developer Netgate

    If PTI defaults to off, congratulations, your CPU is not affected by Meltdown and does not need PTI.

    Some extra clarification text here: https://redmine.pfsense.org/issues/9026


  • Netgate Administrator

    It was for C3000 in general but we backported the drivers for our XG-7100 into 2.4.3.

    However looking into this kernel pti can be disabled by default if the CPU indicates it is not required using the IA32_ARCH_CAP_RDCL_NO bit:
    https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/identcpu.c#L1627

    So if you have a new enough CPU you may see this.

    We have put in some changes to indicate that. The checkbox is effectively 'forced disabled' or default. There is no force enabled option currently.

    Steve



  • @virgiliomi As of 2.4.4 release, my system is showing KPTI enabled on the dashboard.