Diff for /wikisrc/security/intel_mds.mdwn between versions 1.2 and 1.6

version 1.2, 2019/05/14 17:22:54 version 1.6, 2019/05/14 17:44:03
Line 1 Line 1
 #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514  [[!meta title="Intel MDS"]]
   
   #NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514
   
 ###Description  ###Description
 Details and mitigation information about a sub-class of speculative execution  Details and mitigation information about a sub-class of speculative execution
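Review bot: heading levels in this hunk are inconsistent with the rest of the page: the title is H1 (`#NetBSD Security Update ...`) and the first section is H3 (`###Description`), while the page later uses H2 (`##Status of the Fix`) and H6 (`######Note`). Pick one level for all section headings (e.g. `##Description`) and, since markdown headings conventionally take a space after the hashes (`## Description`), add it unless the wiki renderer is known to accept the no-space form. The new `[[!meta title="Intel MDS"]]` directive and the "amd64 port (x86_64 architecture)" wording are fine.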
Line 7  side-channel vulnerabilities called Micr Line 8  side-channel vulnerabilities called Micr
 hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as  hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as
 well as the 2nd Generation Intel® Xeon® Scalable Processor Family.  well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
   
 Please refer to the Intel Security Advisory 00233 is located at:  Please refer to the Intel Security Advisory 00233 located at:
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html  [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).
   
 This update is mitigation for the following CVEs:  This update is mitigation for the following CVEs:
   
 ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)  ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
 * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127  * Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127
 > CVSS: -6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126  * Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126
 > CVSS: -6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130  * Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130
 > CVSS: - 6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091  
 > CVSS: – 3.8 Low  
   
   * Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091
   > CVSS: 3.8 Low
   
 ##Status of the Fix  ##Status of the Fix
 **NetBSD-7, and all the anterior releases, have no planned fixes.**  
   NetBSD-7, and all the anterior releases, have no planned fixes.
   
 [[!table data="""  [[!table data="""
 Port            |Vendor/Model   |MDS    |NetBSD-8       |NetBSD-current  Port            |Vendor/Model   |MDS            |NetBSD-8               |NetBSD-current
 amd64   |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]  amd64           |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]
 """]]  """]]
   
   
 ###Mitigation  ###Mitigation
   
 The mitigation for MDS depends on the Intel CPU model and available microcode  The mitigation for MDS depends on the Intel CPU model and available microcode
 or motherboard BIOS revision.  or motherboard BIOS revision.
   
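Review bot: dropping the bold from "NetBSD-7, and all the anterior releases, have no planned fixes." removes emphasis from the one statement an operator on an older release most needs to see; keep it emphasized (or turn it into a Note line like the one at the end of the page). "anterior releases" would read better as "earlier releases", and "This update is mitigation for" should be "This update is a mitigation for". In the table, the cell "Fixed [VERW][smtoff]" uses bracket tags that are explained nowhere near the table: a short legend (VERW = the instruction-based mitigation selected by the kernel, smtoff = the `smtoff=YES` rc.conf setting described under Mitigation) would let the table stand on its own. Fixing the negative-looking "CVSS: -6.5" scores and aligning the columns is a good cleanup.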
Line 50  can put **smtoff=YES** in your */etc/rc. Line 51  can put **smtoff=YES** in your */etc/rc.
 ###Enabling the mitigation  ###Enabling the mitigation
   
 The two following sysctls are now available:  The two following sysctls are now available:
         machdep.mds.mitigated = {0/1} user-settable  
         machdep.mds.method = {string} constructed by the kernel  
   
 If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.    
   
 To manually enable the check, use  sysctl -w machdep.mds.mitigated=1.  NetBSD  
 will then determine if it can apply the available mitigation.  When set to 0, then  
 NetBSD will disable the mitigation.  
   
 ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.  
   
   
   
 #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514  
   
   
 ###Description  
 Details and mitigation information about a sub-class of speculative execution  
 side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting  
 hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as  
 well as the 2nd Generation Intel® Xeon® Scalable Processor Family.  
   
 Please refer to the Intel Security Advisory 00233 is located at:  
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html  
   
 This update is mitigation for the following CVEs:  
   
 ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)  
 * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127  
 > CVSS: -6.5 Medium  
   
 * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126  [[!template id=programlisting text="""
 > CVSS: -6.5 Medium  machdep.mds.mitigated = {0/1} user-settable
   machdep.mds.method = {string} constructed by the kernel
 * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130  
 > CVSS: - 6.5 Medium  
   
 * Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091  
 > CVSS: – 3.8 Low  
   
   
 ##Status of the Fix  
 **NetBSD-7, and all the anterior releases, have no planned fixes.**  
   
 [[!table data="""  
 Port            |Vendor/Model   |MDS    |NetBSD-8       |NetBSD-current  
 amd64   |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]  
 """]]  """]]
   
   
 ###Mitigation  
 The mitigation for MDS depends on the Intel CPU model and available microcode  
 or motherboard BIOS revision.  
   
 Should a motherboard manufacturer not have a BIOS update with the MDS fix for  
 the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest  
 microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.   
   
 You may also want to disable SMT/HyperThreading to address certain aspects of  
 the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you  
 can put **smtoff=YES** in your */etc/rc.conf* file.  
   
 ###Enabling the mitigation  
   
 The two following sysctls are now available:  
         machdep.mds.mitigated = {0/1} user-settable  
         machdep.mds.method = {string} constructed by the kernel  
   
 If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.    If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.  
   
 To manually enable the check, use  sysctl -w machdep.mds.mitigated=1.  NetBSD  To manually enable the check, use "sysctl -w machdep.mds.mitigated=1".  NetBSD
 will then determine if it can apply the available mitigation.  When set to 0, then  will then determine if it can apply the available mitigation.  When set to 0, then
 NetBSD will disable the mitigation.  NetBSD will disable the mitigation.
   
 ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.  Note: "method" will then show a "[VERW]" if it is enabled, and "(none)" if not.
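Review bot: "To manually enable the check" should say "enable the mitigation", since `sysctl -w machdep.mds.mitigated=1` asks the kernel to apply the mitigation rather than run a check; and now that the sysctl list is in a `[[!template id=programlisting ...]]` block, put the command in the same template instead of quoting it inline. The section also never says whether the setting survives a reboot; a sentence pointing at `/etc/sysctl.conf` for persistence would save readers a trip to the manual. Two smaller points: "When set to 0, then NetBSD will disable the mitigation" reads better without "then", and "If the BIOS has the MDS update" would align with the Mitigation section if it said "If the microcode update is present (from the BIOS or from sysutils/intel-microcode-netbsd)". Replacing the `######Note:` H6 heading with a plain Note line is an improvement.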
