Question and Compliments

First and foremost I want to say thanks for making a firewall that is actually stable and customizable. Having used the BSD twins, I’m more satisfied with the way IPFire is in its default setup without add-ons. I have seen an article talking about the new Intel flaws: CVE-2022-0001, CVE-2022-0002, CVE-2024-2201. How does that affect IPFire? The 2201 one is Spectre v2, which I understand for the most part.

From my reading through of the CVEs, my understanding is the following simplified overview.

The 2022 CVEs are related to an earlier Spectre V2 offshoot vulnerability, BHI (Branch History Injection), which was mitigated by disabling unprivileged eBPF (extended Berkeley Packet Filter), as eBPF was identified as a method to craft a BHI attack.

Since then, the people who discovered the 2022 CVE vulnerabilities have continued investigating to see if a native BHI attack could be crafted that didn’t need to use unprivileged eBPF. The 2024 CVE from 3 days ago is the announcement that a native BHI attack can be made, and so the BHI vulnerability was not previously 100% mitigated.

The fix for the native BHI attack is in the latest kernel release 2.6.26 and has been merged into the IPFire git next repository by @arne_f and will be in Core Update 186.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=31a8214d1651e556f3eac2d8fd19ca9ec5bde724

https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/kernel/kernel.config.x86_64-ipfire

https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=config/rootfiles/common/x86_64/linux

Some Intel CPUs have hardware mitigation for the BHI attack, so the Auto setting has been defined. If the CPU has hardware mitigation, then auto will choose that. If the CPU does not have hardware mitigation, then software mitigation will be applied by the kernel.

If my simplified overview has any errors or inconsistencies in it then I am sure that the IPFire kernel expert, @arne_f, will correct me.
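As an added example (not code from this thread or the IPFire project): a small POSIX shell check that reads which BHI mitigation the running kernel reports, so an admin can confirm what the auto setting picked after the update. It assumes the field values the upstream kernel prints in its spectre_v2 sysfs line (BHI_DIS_S, SW loop, Retpoline, Vulnerable, Not affected); older kernels without the fix print no BHI field at all.

```shell
#!/bin/sh
# Added example, not code from the IPFire project or this thread.
# Reads the BHI part of the Linux kernel's spectre_v2 sysfs report so an
# admin can verify which mitigation the kernel's auto setting chose.
# The field values handled below (BHI_DIS_S, SW loop, Retpoline,
# Vulnerable, Not affected) are assumed from upstream bugs.c strings.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# bhi_field "<sysfs line>": print the text after "BHI: " up to the next ';',
# or "none" when the kernel reports no BHI field (kernel predates the fix).
bhi_field() {
    case "$1" in
        *"BHI: "*) rest=${1##*"BHI: "}; printf '%s\n' "${rest%%;*}" ;;
        *)         printf 'none\n' ;;
    esac
}

# bhi_verdict "<sysfs line>": one word a monitoring check can compare against.
#   hardware      CPU has the BHI_DIS_S control and the kernel uses it
#   software      kernel falls back to its clearing loop or retpoline
#   vulnerable    kernel knows the bug but has no mitigation active
#   not_affected  CPU is not affected by BHI
#   unknown       no BHI field reported at all
# "Vulnerable, KVM: SW loop" must be matched before the "SW loop" pattern.
bhi_verdict() {
    field=$(bhi_field "$1")
    case "$field" in
        none)                   echo unknown ;;
        "Not affected"*)        echo not_affected ;;
        BHI_DIS_S*)             echo hardware ;;
        Vulnerable*)            echo vulnerable ;;
        "SW loop"*|Retpoline*)  echo software ;;
        *)                      echo unknown ;;
    esac
}

# Stand-alone use: report the running kernel's state when sysfs is available.
if [ -r "$SPECTRE_V2_SYSFS" ]; then
    line=$(cat "$SPECTRE_V2_SYSFS")
    echo "spectre_v2: $line"
    echo "BHI verdict: $(bhi_verdict "$line")"
else
    echo "no $SPECTRE_V2_SYSFS on this system (not Linux/x86?)"
fi
```

A verdict of "software" on a box that should have hardware support, or "unknown" after the update, is the signal to check the running kernel version and the spectre_v2 line by hand.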