How to patch Meltdown and Spectre vulnerabilities on FreeBSD

Step 1 – Find your current FreeBSD version


# freebsd-version
11.1-RELEASE-p4


Note down the current version.


Step 2 – Update your vulnerable system via a binary patch

Type the following to fetch, install, and patch Meltdown and Spectre vulnerabilities:


# freebsd-update fetch

then 

# freebsd-update install


Step 3 – Reboot the FreeBSD box

Type either the following shutdown command or the reboot command:

# shutdown -r now

OR

# reboot

Step 4 – Verification for Meltdown vulnerability on FreeBSD

The mitigation is known as Page Table Isolation (PTI). PTI largely separates kernel and user mode page tables, so that even during speculative execution most of the kernel’s data is unmapped and not accessible. A patched kernel will automatically enable PTI on Intel CPUs. The status can be checked by typing the following sysctl command:

# sysctl vm.pmap.pti
vm.pmap.pti: 1
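
A post-reboot check that ties Steps 1 to 4 together, added here as an example and not part of the original article: it confirms that the installed kernel moved past the patch level noted in Step 1, that the running kernel matches the installed one (so the reboot took effect), and that PTI is on. The function names and status strings are made up for this example, and the version in the usage comment is the sample from Step 1.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and status
# strings are hypothetical; the version in the usage line is a sample value.

# Patch level of a version string: "11.1-RELEASE-p4" -> 4, "11.1-RELEASE" -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# verify BEFORE INSTALLED RUNNING PTI
#   BEFORE     version noted in Step 1
#   INSTALLED  `freebsd-version -k` (kernel on disk)
#   RUNNING    `uname -r` (kernel currently booted)
#   PTI        `sysctl -n vm.pmap.pti`, empty when the OID does not exist
# Prints one status word; returns 0 only for PTI-ENABLED.
verify() {
    before=$1 installed=$2 running=$3 pti=$4
    # Same release branch and no higher patch level: Step 2 changed nothing.
    if [ "${before%-p*}" = "${installed%-p*}" ] &&
       [ "$(patch_level "$installed")" -le "$(patch_level "$before")" ]; then
        echo "NOT-UPDATED"; return 1
    fi
    # Kernel on disk differs from the one in memory: Step 3 was skipped.
    if [ "$installed" != "$running" ]; then
        echo "REBOOT-PENDING"; return 1
    fi
    case "$pti" in
        1) echo "PTI-ENABLED";  return 0 ;;
        0) echo "PTI-DISABLED"; return 1 ;;  # article: auto-enabled on Intel CPUs only
        *) echo "PTI-MISSING";  return 1 ;;  # kernel exposes no vm.pmap.pti
    esac
}

# Live run on FreeBSD only, e.g.: sh verify.sh 11.1-RELEASE-p4
if [ "$(uname -s)" = "FreeBSD" ] && [ -n "${1:-}" ]; then
    verify "$1" "$(freebsd-version -k)" "$(uname -r)" \
           "$(sysctl -n vm.pmap.pti 2>/dev/null)"
fi
```
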


Another option is to download the Meltdown attack tools as follows:

# cd /tmp
# git clone https://github.com/dag-erling/meltdown



Build it:

# cd /tmp/meltdown
# make


The mdcheck tool attempts to determine if your system is vulnerable. The exact method varies from one platform to another. The result is indicated by the exit code: 0 for complete success, 1 for partial success (mostly seen in virtual machines) and 2 for complete failure:

# mdcheck
# echo $?


The mdattack tool performs a Meltdown attack on a designated target specified as a virtual address and a length and prints the result:

# mdattack