Page MenuHomeFreeBSD
Differential D56068

stand: Force disable RETPOLINE for boot loaders
ClosedPublic
Actions

Authored by emaste on Tue, Mar 24, 7:43 PM.
Tags
None
Referenced Files
F151002645: D56068.id174244.diff
Sun, Apr 5, 10:00 AM
F150992113: D56068.id174266.diff
Sun, Apr 5, 8:36 AM
Unknown Object (File)
Sun, Apr 5, 1:03 AM
Unknown Object (File)
Fri, Apr 3, 2:00 PM
Unknown Object (File)
Wed, Apr 1, 8:22 AM
Unknown Object (File)
Sun, Mar 29, 5:45 PM
Unknown Object (File)
Sun, Mar 29, 5:25 AM
Unknown Object (File)
Sun, Mar 29, 12:53 AM
View All 11 Files
Subscribers
dab

Details

Reviewers
dim
imp
manu
Commits
rG61f78130c2f3: stand: Force disable RETPOLINE for boot loaders
Summary
Boot loaders do not require speculative execution protection, and may be
too large if enabled.

Reported by:    Shawn Webb
Sponsored by:   The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

emaste created this revision.Tue, Mar 24, 7:43 PM
Herald added a reviewer: manu. · View Herald TranscriptTue, Mar 24, 7:43 PM
Herald added a subscriber: dab. · View Herald Transcript
emaste requested review of this revision.Tue, Mar 24, 7:43 PM
dim accepted this revision.Tue, Mar 24, 7:46 PM

LGTM.

This revision is now accepted and ready to land.Tue, Mar 24, 7:46 PM
imp accepted this revision.Tue, Mar 24, 8:00 PM
imp added inline comments.
stand/defs.mk
14

Are there other crazy, in the boot loader context, mitigations we should also turn off?

emaste added inline comments.Tue, Mar 24, 8:06 PM
stand/defs.mk
14

Possibly INIT_ALL=none although I'm less convinced of that one. It can be a reliability improvement / defense against bugs.

There's also an argument that some of these should not be disabled, as the loader may be exposed to malicious input (either from the console or from the network). So I'm inclined to make changes incrementally here and only when needed and sensible, as with RETPOLINE.

imp added inline comments.Tue, Mar 24, 8:37 PM
stand/defs.mk
14

True, kinda.
First, if you have access to the loader's keyboard, it's game over: you already own the system.
Second, even if all the 'antikeyboard interrupt' stuff is turned on, there's no way to send it a series of request that you can measure the timing of.
Third, for netboot, we don't accept connections, so there's no way to mount the typical attacks that you see for these mitigations.
Forth, for the userland programs, generally you already have elevated privs if you can interact with them...

So I lean more towards turn them all off, but doing them one at a time in a thoughtful manner is likely prudent...

Closed by commit rG61f78130c2f3: stand: Force disable RETPOLINE for boot loaders (authored by emaste). · Explain WhyWed, Mar 25, 2:36 AM
This revision was automatically updated to reflect the committed changes.
emaste added a commit: rG61f78130c2f3: stand: Force disable RETPOLINE for boot loaders.
emaste added inline comments.Wed, Mar 25, 1:18 PM
stand/defs.mk
14

For keyboard: imagine a locked down kiosk type application that has a service option behind a password in the loader. For network, imagine a signed kernel or MD root loading over an untrusted network. Although some examples might be a bit far-fetched there is certainly an attack surface presented by the boot loader.

Revision Contents
Changeset List

PathSize
stand/
1 line

Diff 174266

View Options

stand/defs.mk

Loading...