Diff for /wikisrc/security/intel_mds.mdwn between versions 1.2 and 1.3

version 1.2, 2019/05/14 17:22:54 version 1.3, 2019/05/14 17:27:04
Line 60  will then determine if it can apply the  Line 60  will then determine if it can apply the 
 NetBSD will disable the mitigation.  NetBSD will disable the mitigation.
   
 ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.  ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
   
   
   
 #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514  
   
   
 ###Description  
 Details and mitigation information about a sub-class of speculative execution  
 side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting  
 hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as  
 well as the 2nd Generation Intel® Xeon® Scalable Processor Family.  
   
 Please refer to the Intel Security Advisory 00233 is located at:  
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html  
   
 This update is mitigation for the following CVEs:  
   
 ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)  
 * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127  
 > CVSS: -6.5 Medium  
   
 * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126  
 > CVSS: -6.5 Medium  
   
 * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130  
 > CVSS: - 6.5 Medium  
   
 * Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091  
 > CVSS: – 3.8 Low  
   
   
 ##Status of the Fix  
 **NetBSD-7, and all the anterior releases, have no planned fixes.**  
   
 [[!table data="""  
 Port            |Vendor/Model   |MDS    |NetBSD-8       |NetBSD-current  
 amd64   |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]  
 """]]  
   
   
 ###Mitigation  
 The mitigation for MDS depends on the Intel CPU model and available microcode  
 or motherboard BIOS revision.  
   
 Should a motherboard manufacturer not have a BIOS update with the MDS fix for  
 the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest  
 microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.   
   
 You may also want to disable SMT/HyperThreading to address certain aspects of  
 the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you  
 can put **smtoff=YES** in your */etc/rc.conf* file.  
   
 ###Enabling the mitigation  
   
 The two following sysctls are now available:  
         machdep.mds.mitigated = {0/1} user-settable  
         machdep.mds.method = {string} constructed by the kernel  
   
 If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.    
   
 To manually enable the check, use  sysctl -w machdep.mds.mitigated=1.  NetBSD  
 will then determine if it can apply the available mitigation.  When set to 0, then  
 NetBSD will disable the mitigation.  
   
 ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.  
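
Review bot: The text removed after line 60 is a whole second copy of the advisory (its closing lines, "NetBSD will disable the mitigation." and the "method" Note, repeat the unchanged context directly above it), and the copy that stays should be checked for the same defects before this is considered done. Assuming the retained copy has the same wording, "CVSS: -6.5 Medium" reads as a negative score, "Please refer to the Intel Security Advisory 00233 is located at:" is ungrammatical, and the "sysctl -w machdep.mds.mitigated=1" step does not say that the setting lasts only until reboot unless it is also added to /etc/sysctl.conf. The log message should also state that a duplicated paste is being dropped, so the removal is not read as the advisory being withdrawn.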
