Annotation of wikisrc/security/intel_mds.mdwn, revision 1.2
1.1 wiki 1: #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514
2:
3:
4: ###Description
5: Details and mitigation information about a sub-class of speculative execution
6: side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
7: hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
8: well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
9:
10: Please refer to Intel Security Advisory 00233, located at:
11: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
12:
13: This update is a mitigation for the following CVEs:
14:
15: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
16: * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
17: > CVSS: 6.5 Medium
18:
19: * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
20: > CVSS: 6.5 Medium
21:
22: * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
23: > CVSS: 6.5 Medium
24:
25: * Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
26: > CVSS: 3.8 Low
27:
28:
29: ##Status of the Fix
30: **NetBSD-7 and all earlier releases have no planned fixes.**
31:
32: [[!table data="""
33: Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current
34: amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff]
35: """]]
36:
37:
38: ###Mitigation
39: The mitigation for MDS depends on the Intel CPU model and available microcode
40: or motherboard BIOS revision.
41:
42: Should a motherboard manufacturer not have a BIOS update with the MDS fix for
43: the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
44: microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.
45:
46: You may also want to disable SMT/HyperThreading to address certain aspects of
47: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
48: can put **smtoff=YES** in your */etc/rc.conf* file.
49:
50: ###Enabling the mitigation
51:
52: The following two sysctls are now available:
53: * machdep.mds.mitigated = {0/1} (user-settable)
54: * machdep.mds.method = {string} (constructed by the kernel)
55:
56: If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.
57:
58: To manually enable the check, use sysctl -w machdep.mds.mitigated=1. NetBSD
59: will then determine whether it can apply the available mitigation. When it is
60: set to 0, NetBSD disables the mitigation.
61:
62: ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
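
The following script is an added example, not part of the original advisory or NetBSD project code. It classifies a host from the two sysctls and the smtoff setting described above; the function names and sample inputs are constructed for illustration, and the sysctl text is assumed to use the `name = value` layout shown on this page.

```shell
#!/bin/sh
# Added example (not NetBSD project code): report MDS mitigation state from
# the two sysctls and the rc.conf setting described above.

# Print the value of sysctl "$1" from "name = value" lines on stdin.
sysctl_value() {
    awk -v k="$1" -F ' = ' '$1 == k { print $2; exit }'
}

# $1 = text of `sysctl machdep.mds`, $2 = contents of /etc/rc.conf.
# Prints "verw=<on|off|unknown> smtoff=<yes|no>".
mds_state() {
    mitigated=$(printf '%s\n' "$1" | sysctl_value machdep.mds.mitigated)
    method=$(printf '%s\n' "$1" | sysctl_value machdep.mds.method)
    # The last uncommented smtoff= assignment wins, as in any sh-sourced file.
    smt=$(printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*smtoff="\{0,1\}\([A-Za-z]*\).*/\1/p' | tail -n 1)
    case "$smt" in
        [Yy][Ee][Ss]) smtoff=yes ;;
        *)            smtoff=no ;;
    esac
    case "$mitigated:$method" in
        :*)       verw=unknown ;;  # sysctl not present on this kernel
        1:*VERW*) verw=on ;;       # flag set and the kernel reports [VERW]
        *)        verw=off ;;      # flag is 0, or method is (none)
    esac
    echo "verw=$verw smtoff=$smtoff"
}

# Constructed sample inputs so the script runs on any machine.
SAMPLE_SYSCTL='machdep.mds.mitigated = 1
machdep.mds.method = [VERW]'
SAMPLE_RCCONF='#smtoff=NO
hostname=example
smtoff=YES'

mds_state "$SAMPLE_SYSCTL" "$SAMPLE_RCCONF"
# On a live NetBSD/amd64 host:
#   mds_state "$(sysctl machdep.mds)" "$(cat /etc/rc.conf)"
```

A result of `verw=off` with the flag set to 1 means the kernel reported (none) as its method, so the microcode or BIOS update is still missing.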