--- wikisrc/security/intel_mds.mdwn 2019/05/14 17:22:54 1.2 +++ wikisrc/security/intel_mds.mdwn 2019/05/14 18:24:41 1.7 @@ -1,5 +1,6 @@ -#NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514 +[[!meta title="Intel MDS"]] +#NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514 ###Description Details and mitigation information about a sub-class of speculative execution 
@@ -7,35 +8,35 @@ side-channel vulnerabilities called Micr hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family. -Please refer to the Intel Security Advisory 00233 is located at: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html +Please refer to the Intel Security Advisory 00233 located at: +[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html). This update is mitigation for the following CVEs: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS) -* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 -> CVSS: -6.5 Medium +* Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127 +> CVSS: 6.5 Medium -* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 -> CVSS: -6.5 Medium +* Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126 +> CVSS: 6.5 Medium -* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 -> CVSS: - 6.5 Medium - -* Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 -> CVSS: – 3.8 Low +* Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130 +> CVSS: 6.5 Medium +* Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091 +> CVSS: 3.8 Low ##Status of the Fix -**NetBSD-7, and all the anterior releases, have no planned fixes.** + +NetBSD-7, and all the anterior releases, have no planned fixes. [[!table data=""" -Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current -amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff] +Port |Vendor/Model |MDS |NetBSD-8.1 (stable) |NetBSD-current +amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff] """]] - ###Mitigation + The mitigation for MDS depends on the Intel CPU model and available microcode or motherboard BIOS revision. 
@@ -50,78 +51,16 @@ can put **smtoff=YES** in your */etc/rc. ###Enabling the mitigation The two following sysctls are now available: - machdep.mds.mitigated = {0/1} user-settable - machdep.mds.method = {string} constructed by the kernel - -If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically. - -To manually enable the check, use sysctl -w machdep.mds.mitigated=1. NetBSD -will then determine if it can apply the available mitigation. When set to 0, then -NetBSD will disable the mitigation. - -######Note: "method" will then show a [VERW] if it is enabled, and (none) if not. - - - -#NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514 - - -###Description -Details and mitigation information about a sub-class of speculative execution -side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting -hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as -well as the 2nd Generation Intel® Xeon® Scalable Processor Family. 
- -Please refer to the Intel Security Advisory 00233 is located at: -https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html - -This update is mitigation for the following CVEs: - -###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS) -* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127 -> CVSS: -6.5 Medium -* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126 -> CVSS: -6.5 Medium - -* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130 -> CVSS: - 6.5 Medium - -* Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091 -> CVSS: – 3.8 Low - - -##Status of the Fix -**NetBSD-7, and all the anterior releases, have no planned fixes.** - -[[!table data=""" -Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current -amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff] +[[!template id=programlisting text=""" +machdep.mds.mitigated = {0/1} user-settable +machdep.mds.method = {string} constructed by the kernel """]] - -###Mitigation -The mitigation for MDS depends on the Intel CPU model and available microcode -or motherboard BIOS revision. - -Should a motherboard manufacturer not have a BIOS update with the MDS fix for -the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest -microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. - -You may also want to disable SMT/HyperThreading to address certain aspects of -the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you -can put **smtoff=YES** in your */etc/rc.conf* file. - -###Enabling the mitigation - -The two following sysctls are now available: - machdep.mds.mitigated = {0/1} user-settable - machdep.mds.method = {string} constructed by the kernel - If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically. 
-To manually enable the check, use sysctl -w machdep.mds.mitigated=1. NetBSD +To manually enable the check, use "sysctl -w machdep.mds.mitigated=1". NetBSD will then determine if it can apply the available mitigation. When set to 0, then NetBSD will disable the mitigation. -######Note: "method" will then show a [VERW] if it is enabled, and (none) if not. +Note: "method" will then show a "[VERW]" if it is enabled, and "(none)" if not.
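Review bot: in the first hunk the new `[[!meta title="Intel MDS"]]` gives the page a title that no longer matches its H1, `#NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514`; the page title is what shows up in the wiki index and browser tab, so either keep the date there (e.g. "Intel MDS (2019-05-14)") or accept that readers will not see the advisory date until they open the page. While touching the heading, a space after the `#` markers (`# NetBSD ...`, `### Description`) is the portable Markdown form and avoids renderer differences.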
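Review bot: the second hunk drops the blank line between `> CVSS: 6.5 Medium` (MFBDS) and `* Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091`; in Markdown a non-blank line directly after a `>` line is a lazy continuation of the blockquote, so the MDSUM entry will render inside the previous quote instead of as a fourth list item. Restore the blank line that the other three entries keep. Also in this hunk: `Fixed [VERW][smtoff]` in the table cells is Markdown reference-link syntax and will render literally only as long as no `[smtoff]:` definition exists anywhere on the page, so escape the brackets or write it as `Fixed (VERW, smtoff)`; and the intro should read "This update is a mitigation for the following CVEs" and "all earlier releases" rather than "anterior".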
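Review bot: the third hunk keeps "To manually enable the check, use "sysctl -w machdep.mds.mitigated=1"", but the sysctl enables the mitigation, not a check, and the sentence should say so ("To manually enable the mitigation"). Two follow-ups in the same paragraph: the condition "If the BIOS has the MDS update" is narrower than the Mitigation section above it, which also covers microcode loaded from pkgsrc (`sysutils/intel-microcode-netbsd`), so "If the BIOS or loaded microcode has the MDS update" matches what the kernel actually keys on; and since the Note already explains that `machdep.mds.method` shows `[VERW]` or `(none)`, tell the reader to run `sysctl machdep.mds.method` after setting `mitigated=1` to confirm the mitigation was really applied, because setting the flag alone does not guarantee it. Removing the duplicated second copy of the whole page and wrapping the sysctl list in `programlisting` are the right calls.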