📬 Retbleed fix robs Linux VMs of up to 70% of their performance
#Hacking #Softwareentwicklung #AMDZen #IntelCore #LinuxKernel #Retpoline #Seitenkanalattacke #Spectre #VMwareESXi https://tarnkappe.info/artikel/hacking/retbleed-fix-raubt-linux-vms-bis-zu-70-leistung-255588.html
#vmwareesxi #spectre #Seitenkanalattacke #retpoline #linuxkernel #intelcore #amdzen #softwareentwicklung #hacking
After testing, I've re-enabled #retpoline on #HardenedBSD 13-CURRENT/amd64 now that at least some of the issues have been resolved due to the #llvm 8.0.0 import (we inherit the import from our upstream, #FreeBSD).
#retpoline #hardenedbsd #llvm #freebsd
Well, the #Windows (yes, I use Windows... unfortunately...) patches for #Meltdown/#Spectre really do fuck over my PC heavily...
Ran some #benchmarks with them enabled then ran some benchmarks with them disabled...
The difference was 45%!!!???
Seriously, what the fuck... I thought my PC was getting outdated af with how slow it is at times but it's just #Microsoft fucking me over again...
Let's hope #Retpoline in W10.1903 will do a better job at this...
#retpoline #microsoft #benchmarks #meltdown #windows
#FreeBSD enables support for #retpoline in base: https://svnweb.freebsd.org/changeset/base/339511
#HardenedBSD has had it enabled for a few months for amd64.
#freebsd #retpoline #hardenedbsd
Compiler support for #retpoline merged into #FreeBSD 11-STABLE: https://svnweb.freebsd.org/base?view=revision&revision=331219
The clang/llvm 6.0.0 #retpoline patch landed in #FreeBSD HEAD: https://svnweb.freebsd.org/base?view=revision&revision=328817
It's nice to see it in FreeBSD. This landed in #HardenedBSD a couple weeks back.
Next, FreeBSD needs to switch to ld.lld as the default linker in order to actually make use of retpoline. Since HardenedBSD already switched to ld.lld, we're able to make full use of retpoline.
Importing the retpoline patch is a good first step.
#retpoline #freebsd #hardenedbsd
IBRS/IBPB support lands in #FreeBSD HEAD: https://svnweb.freebsd.org/changeset/base/328625
We'll make good use of this in #HardenedBSD, especially since we have #retpoline applied to the entire ecosystem in 12-CURRENT/amd64.
#freebsd #hardenedbsd #retpoline #spectre #infosec
In the latest #HardenedBSD 12-CURRENT/amd64, #Tor is compiled with:
1. PIE
2. full RELRO
3. CFI (with the cfi-icall scheme disabled)
4. SafeStack
5. #retpoline
If you're looking at deploying a #Tor relay or exit node, please consider deploying on HardenedBSD.
Using HardenedBSD will help keep you, the Tor network, and its users more secure. Let's piss off the bad guys together. :)
The #HardenedBSD 12-CURRENT/amd64 package repo has been updated with #retpoline applied to every package.
This makes HardenedBSD the first OS to apply retpoline to the entire operating system experience (world + kernel + packages).
#hardenedbsd #retpoline #freebsd #infosec #spectre
GCC 7.3 released
https://lwn.net/Articles/745385/
#GCC 7.3 is out. This is mainly a bug-fix release, but it does also contain the #retpoline support needed to build the #kernel (and perhaps other code) with resistance to the #Spectre variant-2 vulnerability.
#gcc #retpoline #kernel #spectre
I spy with my little eye #retpoline landing in #HardenedBSD 12-CURRENT/amd64:
#retpoline #hardenedbsd #freebsd #infosec #meltdown #spectre
Once the main #retpoline patch lands in #HardenedBSD 12-CURRENT, I'll start on auditing the hand-written assembly in the kernel for indirect jumps and manually apply retpoline there, too.
Full disk encrypted APU3c4 fully ready to go mobile. My new mobile #Tor setup with #HardenedBSD with the PTI and #retpoline patches applied.
Going to migrate one of my APU2c4 devices over to the #retpoline #HardenedBSD feature branch. This will be my first AMD system testing retpoline on HardenedBSD.
Migrated my work laptop over to the #retpoline #HardenedBSD feature branch this morning. Everything went smoothly.
Ok, simple tests reveal that rc runs fine with #retpoline enabled, but apparently segfaults when compiled with #CFI enabled, not sure why that is at this point, also not sure when I'll be able to test it out more, but I'm back to using the best ${SHELL} available
Upgraded my #HardenedBSD instance to test the #retpoline work, now I just have to wait for `pkg-static upgrade -fy` to finish working, but so far it's been working great, scrolling text and whatnot :P
The #HardenedBSD #retpoline experimental package build is looking very promising. :)
#HardenedBSD 12-CURRENT/amd64 experimental package build with #retpoline enabled globally for world, kernel, and the entire ports tree started. Let's see how this goes!
For users on the hardened/current/retpoline branch, #retpoline will be enabled globally for the entire ports tree: https://github.com/HardenedBSD/hardenedbsd-ports/commit/03489b2dcc6b550b9858e01e59fb7ff84f93a4ef
#retpoline #hardenedbsd #meltdown #spectre