Annotation of wikisrc/security/intel_mds.mdwn, revision 1.6
1.4 maxv 1: [[!meta title="Intel MDS"]]
2:
1.6 ! maxv 3: #NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514
1.1 wiki 4:
5: ###Description
6: Details and mitigation information about a sub-class of speculative execution
7: side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
8: hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
9: well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
10:
1.6 ! maxv 11: Please refer to the Intel Security Advisory 00233 located at:
1.4 maxv 12: [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).
1.1 wiki 13:
14: This update is a mitigation for the following CVEs:
15:
16: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
1.6 ! maxv 17: * Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127
1.5 maxv 18: > CVSS: 6.5 Medium
1.1 wiki 19:
1.6 ! maxv 20: * Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126
1.5 maxv 21: > CVSS: 6.5 Medium
1.1 wiki 22:
1.6 ! maxv 23: * Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130
1.5 maxv 24: > CVSS: 6.5 Medium
1.1 wiki 25:
1.6 ! maxv 26: * Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091
1.5 maxv 27: > CVSS: 3.8 Low
1.1 wiki 28:
29: ##Status of the Fix
1.6 ! maxv 30:
! 31: NetBSD-7 and all earlier releases have no planned fixes.
1.1 wiki 32:
33: [[!table data="""
1.4 maxv 34: Port |Vendor/Model |MDS |NetBSD-8 |NetBSD-current
35: amd64 |Intel |Vulnerable |Fixed [VERW][smtoff] |Fixed [VERW][smtoff]
1.1 wiki 36: """]]
37:
38: ###Mitigation
1.6 ! maxv 39:
1.1 wiki 40: The mitigation for MDS depends on the Intel CPU model and available microcode
41: or motherboard BIOS revision.
42:
43: Should a motherboard manufacturer not have a BIOS update with the MDS fix for
44: the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
45: microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.
46:
47: You may also want to disable SMT/HyperThreading to address certain aspects of
48: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
49: can put **smtoff=YES** in your */etc/rc.conf* file.
50:
51: ###Enabling the mitigation
52:
53: The two following sysctls are now available:
1.4 maxv 54:
55: [[!template id=programlisting text="""
56: machdep.mds.mitigated = {0/1} user-settable
57: machdep.mds.method = {string} constructed by the kernel
58: """]]
1.1 wiki 59:
60: If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.
61:
1.4 maxv 62: To manually enable the check, use "sysctl -w machdep.mds.mitigated=1". NetBSD
1.1 wiki 63: will then determine if it can apply the available mitigation. When set to 0,
64: NetBSD will disable the mitigation.
65:
1.6 ! maxv 66: Note: machdep.mds.method will then show "[VERW]" if the mitigation is enabled, and "(none)" if not.
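
One way to audit a host against the two sysctls and the **smtoff** setting described above. This is an added example, not part of the original advisory or of NetBSD: `mds_verdict` and its verdict strings are hypothetical names, and the sample values are constructed. It assumes the method string contains `VERW` when the mitigation is active, as the note above states, and accepts the yes/true/on/1 spellings for rc.conf booleans.

```shell
#!/bin/sh
# mds_verdict MITIGATED METHOD RCCONF_PATH   (hypothetical helper)
# Prints one of:
#   verw+smtoff   VERW active and smtoff enabled in rc.conf
#   verw-only     VERW active, smtoff not enabled in rc.conf
#                 (SMT may still be disabled in the BIOS; not detectable here)
#   unmitigated   mitigated=0 and method reports (none)
#   inconsistent  the two sysctl values disagree or are unexpected
mds_verdict() {
    mitigated=$1
    method=$2
    rcconf=$3

    # Take the last uncommented smtoff= assignment, since later lines
    # in rc.conf override earlier ones. Optional quotes are skipped.
    val=
    if [ -r "$rcconf" ]; then
        val=$(sed -n 's/^[[:space:]]*smtoff=["'\'']\{0,1\}\([A-Za-z0-9]*\).*/\1/p' \
              "$rcconf" | tail -n 1)
    fi
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) smt=off ;;
        *) smt=on ;;
    esac

    case "$mitigated:$method" in
        1:*VERW*)
            if [ "$smt" = off ]; then echo "verw+smtoff"; else echo "verw-only"; fi ;;
        0:*none*)
            echo "unmitigated" ;;
        *)
            echo "inconsistent" ;;
    esac
}

# On a NetBSD/amd64 host, feed it the live values:
#   mds_verdict "$(sysctl -n machdep.mds.mitigated)" \
#               "$(sysctl -n machdep.mds.method)" /etc/rc.conf

# Demo on constructed input (not captured from a real host).
demo_rc=$(mktemp)
printf 'hostname=demo\nsmtoff=YES\n' > "$demo_rc"
mds_verdict 1 '[VERW]' "$demo_rc"
rm -f "$demo_rc"
```

The `inconsistent` verdict covers the case where `machdep.mds.mitigated=1` was written but the kernel could not apply the mitigation, for example because the microcode update is missing.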