r151022/LTS - beta patch for KPTI & Lazy FPU

Published at June 16, 2018.

We now have a beta patch available for r151022 to resolve the CVE-2017-5754 (Meltdown) and CVE-2018-3665 (Lazy FPU) vulnerabilities.

This is a large patch which touches a lot of the low-level code in the kernel and so we would appreciate wider testing by users of the LTS r151022 version before rolling this out through the standard package update process.

To install the patch into a new boot-environment, follow the steps below as root (or prefix each with pfexec or sudo as appropriate for your environment). Note the '*' argument on the second apply-hot-fix command.

# pkg apply-hot-fix https://downloads.omniosce.org/pkg/r151022/pkg-pub-r.p5p
# pkg apply-hot-fix -vr --be-name=r22_kpti_fpu \
    https://downloads.omniosce.org/pkg/r151022/kpti_fpu.p5p '*'
# init 6

… after reboot …

# mdb -ke ::sec
= Meltdown (CVE-2017-5754)
    Status: PROTECTED
            KPTI is enabled
            PCID is in-use
            INVPCID is not supported by this processor
= Lazy FPU (CVE-2018-3665)
    Status: PROTECTED
            System is using eager FPU register restore

To revert, just activate the previous boot environment and reboot. Please report any problems that you encounter; thanks.

All being well, this update will be rolled out to r151022 in the next week or two.