Diff for /wikisrc/security/intel_mds.mdwn between versions 1.3 and 1.7

version 1.3, 2019/05/14 17:27:04 version 1.7, 2019/05/14 18:24:41
Line 1 Line 1
 #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514  [[!meta title="Intel MDS"]]
   
   #NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514
   
 ###Description  ###Description
 Details and mitigation information about a sub-class of speculative execution  Details and mitigation information about a sub-class of speculative execution
Line 7  side-channel vulnerabilities called Micr Line 8  side-channel vulnerabilities called Micr
 hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as  hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as
 well as the 2nd Generation Intel® Xeon® Scalable Processor Family.  well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
   
 Please refer to the Intel Security Advisory 00233 is located at:  Please refer to the Intel Security Advisory 00233 located at:
 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html  [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).
   
 This update is mitigation for the following CVEs:  This update is mitigation for the following CVEs:
   
 ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)  ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
 * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127  * Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127
 > CVSS: -6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126  * Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126
 > CVSS: -6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130  * Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130
 > CVSS: - 6.5 Medium  > CVSS: 6.5 Medium
   
 * Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091  
 > CVSS: – 3.8 Low  
   
   * Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091
   > CVSS: 3.8 Low
   
 ##Status of the Fix  ##Status of the Fix
 **NetBSD-7, and all the anterior releases, have no planned fixes.**  
   NetBSD-7, and all the anterior releases, have no planned fixes.
   
 [[!table data="""  [[!table data="""
 Port            |Vendor/Model   |MDS    |NetBSD-8       |NetBSD-current  Port            |Vendor/Model   |MDS            |NetBSD-8.1 (stable)    |NetBSD-current
 amd64   |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]  amd64           |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]
 """]]  """]]
   
   
 ###Mitigation  ###Mitigation
   
 The mitigation for MDS depends on the Intel CPU model and available microcode  The mitigation for MDS depends on the Intel CPU model and available microcode
 or motherboard BIOS revision.  or motherboard BIOS revision.
   
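Review bot: In the CVE list, the re-added CVE-2019-11091 entry still expands MDSUM as "Microarchitectural Uncacheable Data Sampling", which does not match the acronym; Intel's name for it is Microarchitectural Data Sampling Uncacheable Memory, so the expansion should be corrected while the line is being touched. In the same hunk, dropping the bold from "NetBSD-7, and all the anterior releases, have no planned fixes." makes the one statement that tells NetBSD-7 users they remain exposed easier to miss; consider keeping the emphasis and writing "earlier" instead of "anterior". The status table cells "Fixed [VERW][smtoff]" also read as a Markdown reference link unless a definition or legend for the two tags is given, and none is visible in this hunk.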
Line 50  can put **smtoff=YES** in your */etc/rc. Line 51  can put **smtoff=YES** in your */etc/rc.
 ###Enabling the mitigation  ###Enabling the mitigation
   
 The two following sysctls are now available:  The two following sysctls are now available:
         machdep.mds.mitigated = {0/1} user-settable  
         machdep.mds.method = {string} constructed by the kernel  [[!template id=programlisting text="""
   machdep.mds.mitigated = {0/1} user-settable
   machdep.mds.method = {string} constructed by the kernel
   """]]
   
 If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.    If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.  
   
 To manually enable the check, use  sysctl -w machdep.mds.mitigated=1.  NetBSD  To manually enable the check, use "sysctl -w machdep.mds.mitigated=1".  NetBSD
 will then determine if it can apply the available mitigation.  When set to 0, then  will then determine if it can apply the available mitigation.  When set to 0, then
 NetBSD will disable the mitigation.  NetBSD will disable the mitigation.
   
 ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.  Note: "method" will then show a "[VERW]" if it is enabled, and "(none)" if not.
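Review bot: On the "To manually enable the check" line, the command is now wrapped in double quotes ("sysctl -w machdep.mds.mitigated=1".) instead of code markup, so the quotes and the trailing period sit directly against text a reader will copy into a shell; put it in backticks or in the programlisting template this hunk already introduces for the two sysctl names. The sentence also says "check" where the surrounding text describes enabling the mitigation, and the closing note refers to "method" without the full name machdep.mds.method. The added text does not say whether the setting survives a reboot, which readers applying it by hand will need to know.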



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb