Contributed by Cabal on from the syspatch Zen dept.
On OpenBSD, the latest -current snapshots already have the fixes, and errata patches will go out for the supported releases (7.2 and 7.3) shortly.
In a post to the tech@ list, Theo de Raadt described the situation:
List: openbsd-tech Subject: Zenbleed From: "Theo de Raadt" <deraadt () openbsd ! org> Date: 2023-07-24 16:11:45 Zenbleed errata for 7.2 and 7.3 will come out soon. sysupgrade of the -current snapshot already contains a fix.
I wanted to share some notes on impact:
OpenBSD does not use the AVX instructions to the same extent that Linux
and Microsoft do, so this is not as important.
On Linux, glibc has AVX-based optimizations for simple functions (string
and memory copies) which will store secrets into the register file which
can be extracted trivially, so the impact on glibc-based systems is
HUGE.
While working on our fixes, I ran the test programs for quite a while
and I never saw anything resembling a 'text' string. However when I ran
a browser I saw streams of what was probably graphics-related fragments
flowing past. The base system clearly uses AVX very rarely by itself.
In summary: in OpenBSD, this isn't a big deal today. However, attacks
built upon primitives always get better over time, so I urge everyone to
install these workarounds as soon as our errata ship.
--
ps. If you use syspatch for these new errata, you must install the
bootblocks yourself! syspatch cannot install them for you. So you must
run this yourself, before the last reboot:
installboot -v sd0
or
installboot -v wd0
Our cpu firmware update mechanism uses the bootblocks to load the firmware
from disk and provides it to the kernel, so if you don't have new bootblocks
you won't be protected.
You read this right: upgrade to the latest snapshot if you are on the -current track, otherwise watch out for the announcement and run syspatch as soon as the patches are released.
And do remember to include the installboot step to get the patched bootblocks.
(Comments are closed)