Annotation of wikisrc/security/intel_mds.mdwn, revision 1.4

1.4     ! maxv        1: [[!meta title="Intel MDS"]]
        !             2: 
1.1       wiki        3: #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514
                      4: 
                      5: ###Description
                      6: Details and mitigation information about a sub-class of speculative execution
                      7: side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
                      8: hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
                      9: well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
                     10: 
                     11: Please refer to Intel Security Advisory 00233, located at the
1.4     ! maxv       12: [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).
1.1       wiki       13: 
                     14: This update is a mitigation for the following CVEs:
                     15: 
                     16: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
                     17: * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
                     18: > CVSS: 6.5 Medium
                     19: 
                     20: * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
                     21: > CVSS: 6.5 Medium
                     22: 
                     23: * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
                     24: > CVSS: 6.5 Medium
                     25: 
                     26: * Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
                     27: > CVSS: 3.8 Low
                     28: 
                     29: 
                     30: ##Status of the Fix
                     31: **NetBSD-7 and all earlier releases have no planned fixes.**
                     32: 
                     33: [[!table data="""
1.4     ! maxv       34: Port           |Vendor/Model   |MDS            |NetBSD-8               |NetBSD-current
        !            35: amd64          |Intel          |Vulnerable     |Fixed [VERW][smtoff]   |Fixed [VERW][smtoff]
1.1       wiki       36: """]]
                     37: 
                     38: ###Mitigation
                     39: The mitigation for MDS depends on the Intel CPU model and available microcode
                     40: or motherboard BIOS revision.
                     41: 
                     42: Should a motherboard manufacturer not have a BIOS update with the MDS fix for
                     43: the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
                     44: microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. 
                     45: 
                     46: You may also want to disable SMT/HyperThreading to address certain aspects of
                     47: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
                     48: can put **smtoff=YES** in your */etc/rc.conf* file.
                     49: 
                     50: ###Enabling the mitigation
                     51: 
                     52: The following two sysctls are now available:
1.4     ! maxv       53: 
        !            54: [[!template id=programlisting text="""
        !            55: machdep.mds.mitigated = {0/1} user-settable
        !            56: machdep.mds.method = {string} constructed by the kernel
        !            57: """]]
1.1       wiki       58: 
                     59: If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.  
                     60: 
1.4     ! maxv       61: To manually enable the check, use "sysctl -w machdep.mds.mitigated=1".  NetBSD
1.1       wiki       62: will then determine if it can apply the available mitigation.  When it is set to 0,
                     63: NetBSD disables the mitigation.
                     64: 
                     65: ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.
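
An added example (not part of the NetBSD wiki page) that classifies the mitigation state from the two sysctls above and checks */etc/rc.conf* for **smtoff=YES**. The function names are hypothetical and the sample inputs are constructed; it assumes `sysctl` prints `name = value` lines.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.
# Live use on NetBSD: mds_report "$(sysctl machdep.mds)" "$(cat /etc/rc.conf)"

# Print mitigated | unmitigated | inconsistent | unknown for `sysctl machdep.mds` text.
mds_state() {
    mds_flag=$(printf '%s\n' "$1" | sed -n 's/^machdep\.mds\.mitigated *= *//p')
    mds_method=$(printf '%s\n' "$1" | sed -n 's/^machdep\.mds\.method *= *//p')
    case "$mds_flag:$mds_method" in
        "1:[VERW]") echo mitigated ;;
        "0:(none)") echo unmitigated ;;
        :*|*:)      echo unknown ;;       # one or both sysctls missing from the input
        *)          echo inconsistent ;;  # flag and method disagree
    esac
}

# Succeed if the last uncommented smtoff= assignment in rc.conf text is YES.
# Only the YES spelling given on this page is recognised.
smt_off_configured() {
    smt_val=$(printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*smtoff=[\"']*\([A-Za-z]*\).*/\1/p" | tail -n 1)
    case "$smt_val" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# One-line summary combining both checks.
mds_report() {
    if smt_off_configured "$2"; then smtoff_rc=yes; else smtoff_rc=no; fi
    echo "mds=$(mds_state "$1") smtoff_rc=$smtoff_rc"
}

# Constructed sample inputs.
SAMPLE_ON='machdep.mds.mitigated = 1
machdep.mds.method = [VERW]'
SAMPLE_OFF='machdep.mds.mitigated = 0
machdep.mds.method = (none)'
SAMPLE_RC='# constructed rc.conf fragment
#smtoff=YES
smtoff=NO
smtoff="YES"'

mds_report "$SAMPLE_ON" "$SAMPLE_RC"
mds_report "$SAMPLE_OFF" ""
```

The `smtoff_rc` field reflects only the rc.conf setting; SMT disabled in the BIOS is not visible to this check.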
