So, yes, we the OpenBSD developers are not totally asleep and a handful of
us are working out how to deal with Intel's fuck-up aka the Meltdown
attack. While we have the advantage of less complexity in this area (e.g.,
no 32bit-on-64bit compat), there's still a pile of details to work through
about what has to be *always* in the page tables vs what can/should/must be
hidden.
Do KARL or other features of OpenBSD mitigate this? Not particularly. If
you're running code from multiple trust domains then yeah, you're largely
at risk.
We have received *no* non-public information. I've seen posts elsewhere by
other *BSD people implying that they receive little or no prior warning, so
I have no reason to believe this was specific to OpenBSD and/or our
philosophy. Personally, I do find it....amusing? that public announcements
were moved up after the issue was deduced from development discussions and
commits to a different open source OS project. Aren't we all glad that
this was under embargo and strongly believe in the future value of
embargoes?
Unless something unexpected happens, we'll be applying the workaround to
amd64 first and then working out what to do for i386 and arm* (if still
though to be necessary for arm) after that. No promises on only applying
it to Intel CPUs or knobs to disable it, yet: we'll see how complex that
would make things. As always, our own developer laptops are the first
targets, so we're invested in it working and being usable.
Philip Guenther
guenther@openbsd.org
No comments:
Post a Comment