Annotation of wikisrc/security/intel_mds.mdwn, revision 1.2

1.1       wiki        1: #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514
                      2: 
                      3: 
                      4: ###Description
                      5: Details and mitigation information about a sub-class of speculative execution
                      6: side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
                      7: hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
                      8: well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
                      9: 
                     10: Please refer to Intel Security Advisory 00233, located at:
                     11: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
                     12: 
                     13: This update is a mitigation for the following CVEs:
                     14: 
                     15: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
                     16: * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
                     17: > CVSS: 6.5 Medium
                     18: 
                     19: * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
                     20: > CVSS: 6.5 Medium
                     21: 
                     22: * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
                     23: > CVSS: 6.5 Medium
                     24: 
                     25: * Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
                     26: > CVSS: 3.8 Low
                     27: 
                     28: 
                     29: ##Status of the Fix
                     30: **NetBSD-7 and all earlier releases have no planned fixes.**
                     31: 
                     32: [[!table data="""
                     33: Port           |Vendor/Model   |MDS    |NetBSD-8       |NetBSD-current
                     34: amd64  |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]
                     35: """]]
                     36: 
                     37: 
                     38: ###Mitigation
                     39: The mitigation for MDS depends on the Intel CPU model and available microcode
                     40: or motherboard BIOS revision.
                     41: 
                     42: Should a motherboard manufacturer not have a BIOS update with the MDS fix for
                     43: the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
                     44: microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. 
                     45: 
                     46: You may also want to disable SMT/HyperThreading to address certain aspects of
                     47: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
                     48: can put **smtoff=YES** in your */etc/rc.conf* file.
                     49: 
                     50: ###Enabling the mitigation
                     51: 
                     52: The following two sysctls are now available:
                     53:        machdep.mds.mitigated = {0/1} user-settable
                     54:        machdep.mds.method = {string} constructed by the kernel
                     55: 
                     56: If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.  
                     57: 
                     58: To manually enable the check, use sysctl -w machdep.mds.mitigated=1. NetBSD
                     59: will then determine whether it can apply the available mitigation. When set to 0,
                     60: NetBSD will disable the mitigation.
                     61: 
                     62: ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
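
The following script is an added example, not part of the original advisory or NetBSD's own code. It audits the two sysctls and the smtoff setting described above, covering the case where the mitigation was requested but could not be applied. The function names are hypothetical, the sample inputs are constructed, and it assumes the method string appears literally as [VERW] or (none), as the page writes it.

```shell
#!/bin/sh
# Added example (not NetBSD project code). Inputs are passed as text so the
# logic runs offline; on a real host use "$(sysctl machdep.mds 2>/dev/null)"
# and "$(cat /etc/rc.conf)".

# sysctl_value <sysctl output> <name>: print the value of one sysctl node.
sysctl_value() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        i = index($0, "="); if (!i) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }'
}

# smtoff_enabled <rc.conf text>: true if the last smtoff= assignment is a
# "yes" value (YES/TRUE/ON/1, any case); commented-out lines are ignored.
smtoff_enabled() {
    val=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*smtoff=//p' |
          tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'")
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# mds_audit <sysctl output> <rc.conf text>: print a verdict.
# Returns 0 = mitigation active, 1 = not active, 2 = sysctls missing.
mds_audit() {
    mitigated=$(sysctl_value "$1" machdep.mds.mitigated)
    method=$(sysctl_value "$1" machdep.mds.method)
    if smtoff_enabled "$2"; then smt="smtoff=YES"; else smt="smtoff not set"; fi
    if [ -z "$mitigated" ]; then
        echo "UNKNOWN: machdep.mds sysctls not present; $smt"; return 2
    fi
    if [ "$mitigated" = 1 ] && [ "$method" = "[VERW]" ]; then
        echo "OK: mitigated via $method; $smt"; return 0
    fi
    echo "NOT MITIGATED: mitigated=$mitigated method=${method:-?}; $smt"; return 1
}

# Constructed sample: mitigation could not be applied, SMT disabled at boot.
SAMPLE_SYSCTL='machdep.mds.mitigated = 0
machdep.mds.method = (none)'
SAMPLE_RC='hostname=example
smtoff=YES   # disable SMT at boot'
mds_audit "$SAMPLE_SYSCTL" "$SAMPLE_RC" || true
```

A return code of 2 means the machdep.mds nodes are absent, which is what a kernel without this update reports.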
