Annotation of wikisrc/security/intel_mds.mdwn, revision 1.1

#NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514


###Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
well as the 2nd Generation Intel® Xeon® Scalable Processor Family.

Please refer to Intel Security Advisory 00233, located at:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

This update is a mitigation for the following CVEs:

###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
> CVSS: 6.5 Medium

* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
> CVSS: 6.5 Medium

* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
> CVSS: 6.5 Medium

* Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
> CVSS: 3.8 Low


##Status of the Fix
**NetBSD-7 and all earlier releases have no planned fixes.**

[[!table data="""
Port|Vendor/Model|MDS|NetBSD-8|NetBSD-current
amd64|Intel|Vulnerable|Fixed [VERW][smtoff]|Fixed [VERW][smtoff]
"""]]


###Mitigation
The mitigation for MDS depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for
the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

###Enabling the mitigation

The two following sysctls are now available:

    machdep.mds.mitigated = {0/1} user-settable
    machdep.mds.method = {string} constructed by the kernel

If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.

To manually enable the check, use **sysctl -w machdep.mds.mitigated=1**. NetBSD
will then determine if it can apply the available mitigation. When set to 0,
NetBSD will disable the mitigation.

######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
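
The checks described above can be combined into one audit of a host. The script below is an added example, not NetBSD project code: the function names and verdict strings are made up for illustration, and it assumes only the two sysctl nodes and the **smtoff** rc.conf variable named on this page.

```shell
#!/bin/sh
# Added example (not NetBSD project code): audit the MDS settings described
# above. Function names and verdict strings are illustrative.

# Return 0 if the last uncommented smtoff= line in the given rc.conf enables it.
# rc.conf booleans are matched case-insensitively as YES/TRUE/ON/1.
smtoff_configured() {
    [ -r "$1" ] || return 1
    val=$(sed -n 's/^[[:space:]]*smtoff=//p' "$1" | tail -n 1 |
          tr -d "\"'" | sed 's/[[:space:]#].*$//')
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a host from the two sysctl values plus the SMT setting.
# $1 = machdep.mds.mitigated, $2 = machdep.mds.method, $3 = yes/no (smtoff)
# Exit status: 0 mitigated, 1 not mitigated, 2 sysctl nodes absent.
mds_verdict() {
    if [ -z "$1" ]; then
        echo "UNKNOWN: no machdep.mds sysctls on this kernel"
        return 2
    fi
    case "$1:$2" in
        1:*VERW*)
            if [ "$3" = yes ]; then
                echo "OK: VERW active, smtoff=YES in rc.conf"
            else
                echo "PARTIAL: VERW active, smtoff not set (check BIOS SMT setting)"
            fi
            return 0 ;;
        *)
            echo "VULNERABLE: mitigated=$1 method=$2"
            return 1 ;;
    esac
}

# Query the live host; the nodes exist only on kernels carrying the fix.
mds_report() {
    mit=$(sysctl -n machdep.mds.mitigated 2>/dev/null)
    method=$(sysctl -n machdep.mds.method 2>/dev/null)
    if smtoff_configured "${1:-/etc/rc.conf}"; then smt=yes; else smt=no; fi
    mds_verdict "$mit" "$method" "$smt"
}

mds_report || true
```

A VULNERABLE result with mitigated=1 and method=(none) means the kernel was asked to enable the mitigation but could not apply it, which points at missing microcode or BIOS support.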
