I have mitigations off on pfSense, as Netgate staff themselves, as I recall, concurred that it's a completely unnecessary performance hit. My guess is they include the toggle as it would be necessary when running in a VM and some people are just plain paranoid, even though if someone was able to run code in the first place you're already screwed. It's one reason I don't understand OPNsense being based on HardenedBSD. The cynic in me suspects it's just so they can claim something over pfSense.
Forgive my ignorance, but how are the mitigation fixes implemented on existing kit, without redesigning the silicon?
Sorry, no, I meant to ask how the mitigation is injected into the CPU? That would perhaps be a clearer term to use.
They mitigated by sacrificing performance. A lot of the vulnerabilities are linked in some way to branch prediction performance-enhancing features, so I think they disable those features (partially) to mitigate. Spectre, I think, never got fully mitigated as the performance hit would just be way too much; instead the patches just restrict it on kernel code, which is deemed the most risky.
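A defender's check of what the kernel itself reports about these mitigations, added here as an example and not from any poster: on Linux, each CPU issue has a file under /sys/devices/system/cpu/vulnerabilities/ whose first line reads "Mitigation: ...", "Vulnerable" or "Not affected"; the script classifies those files and counts the unmitigated ones, using a constructed sample directory (assumed values) so it runs offline.

```shell
#!/bin/sh
# Added example: summarise the kernel's CPU-vulnerability sysfs files.
# Point VULN_DIR at the real directory on a Linux host to use live data.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# make_sample_dir: create a constructed sample directory (assumed values,
# not real readings) in the same one-file-per-issue layout as sysfs.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/meltdown"
    echo "$d"
}

# classify <file>: print mitigated | vulnerable | not_affected | unknown
classify() {
    status=$(head -n 1 "$1" 2>/dev/null || echo "")
    case "$status" in
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo not_affected ;;
        *)               echo unknown ;;
    esac
}

# count_vulnerable <dir>: number of issues the kernel reports as unmitigated
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify "$f")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report <dir>: one line per issue: name, class, raw kernel text
report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-24s %-13s %s\n' "$(basename "$f")" "$(classify "$f")" "$(head -n 1 "$f")"
    done
}

# Stand-alone run over the constructed sample directory.
SAMPLE=$(make_sample_dir)
report "$SAMPLE"
echo "unmitigated issues: $(count_vulnerable "$SAMPLE")"
```

Run with `VULN_DIR` left at its default and call `report "$VULN_DIR"` on a real Linux host to see what that kernel has actually turned on or off.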
On a personal note, the most interesting part here is that I did the release (and am writing this) on an arm64 laptop. It's something I've been waiting for for a _loong_ time, and it's finally reality, thanks to the Asahi team. We've had arm64 hardware around running Linux for a long time, but none of it has really been usable as a development platform until now.