Dear all,

Today's release ships Meltdown and Spectre V2 mitigations for amd64, the latter only effective with the corresponding microcode update in place. Mitigating speculative execution vulnerabilities will, however, remain an ongoing effort for the foreseeable future. To avoid surprises, HardenedBSD has enabled the Meltdown mitigation (PTI) by default even on AMD CPUs that have not yet been found vulnerable. The performance impact of PTI is fortunately minimal, whereas the Spectre V2 mitigation (IBRS) can slow down CPUs once the respective microcode update is installed.

To opt out of one or both features, the following values can now be persistently set under System: Settings: Tunables:

Here are the full patch notes:


Stay safe,
Your OPNsense team