Contributed by Cabal on from the syspatch Zen dept.
On OpenBSD, the latest -current
snapshots already have the fixes, and errata patches will go out for the supported releases (7.2 and 7.3) shortly.
In a post to the tech@
list, Theo de Raadt described the situation:
List: openbsd-tech Subject: Zenbleed From: "Theo de Raadt" <deraadt () openbsd ! org> Date: 2023-07-24 16:11:45 Zenbleed errata for 7.2 and 7.3 will come out soon. sysupgrade of the -current snapshot already contains a fix.
I wanted to share some notes on impact: OpenBSD does not use the AVX instructions to the same extent that Linux and Microsoft do, so this is not as important. On Linux, glibc has AVX-based optimizations for simple functions (string and memory copies) which will store secrets into the register file which can be extracted trivially, so the impact on glibc-based systems is HUGE. While working on our fixes, I ran the test programs for quite a while and I never saw anything resembling a 'text' string. However when I ran a browser I saw streams of what was probably graphics-related fragments flowing past. The base system clearly uses AVX very rarely by itself. In summary: in OpenBSD, this isn't a big deal today. However, attacks built upon primitives always get better over time, so I urge everyone to install these workarounds as soon as our errata ship. -- ps. If you use syspatch for these new errata, you must install the bootblocks yourself! syspatch cannot install them for you. So you must run this yourself, before the last reboot: installboot -v sd0 or installboot -v wd0 Our cpu firmware update mechanism uses the bootblocks to load the firmware from disk and provides it to the kernel, so if you don't have new bootblocks you won't be protected.
You read this right: upgrade to the latest snapshot if you are on the -current
track, otherwise watch out for the announcement and run syspatch as soon as the patches are released.
And do remember to include the installboot step to get the patched bootblocks.
(Comments are closed)