File: [NetBSD Developer Wiki] / wikisrc / security / intel_mds.mdwn
Revision 1.4, Tue May 14 17:35:13 2019 UTC, by maxv (branch MAIN, tag HEAD; commit message: "style")

[[!meta title="Intel MDS"]]

# NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514

### Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called Microarchitectural Data Sampling (MDS), affecting
hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
well as the 2nd Generation Intel® Xeon® Scalable Processor Family.

Please refer to Intel Security Advisory 00233, located on the
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).

This update mitigates the following CVEs:

### Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
> CVSS: 6.5 (Medium)

* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
> CVSS: 6.5 (Medium)

* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
> CVSS: 6.5 (Medium)

* Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
> CVSS: 3.8 (Low)


## Status of the Fix
**NetBSD-7, and all earlier releases, have no planned fixes.**

[[!table data="""
Port		|Vendor/Model	|MDS		|NetBSD-8		|NetBSD-current
amd64		|Intel		|Vulnerable	|Fixed [VERW][smtoff]	|Fixed [VERW][smtoff]
"""]]

### Mitigation
The mitigation for MDS depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for
the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. 

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. If you cannot disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The following two sysctls are now available:

[[!template id=programlisting text="""
machdep.mds.mitigated = {0/1} user-settable
machdep.mds.method = {string} constructed by the kernel
"""]]

If the BIOS has the MDS update, NetBSD sets machdep.mds.mitigated=1 automatically.

To enable the mitigation manually, run "sysctl -w machdep.mds.mitigated=1". NetBSD
will then determine whether it can apply the available mitigation. When set to 0,
NetBSD disables the mitigation.

###### Note: "method" will then show [VERW] if the mitigation is enabled, and (none) if it is not.
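The following script is an added example and is not part of the NetBSD wiki page or of NetBSD itself. It reports the state described in the "Mitigation" and "Enabling the mitigation" sections: it classifies the output of `sysctl machdep.mds` into mitigated / not-mitigated / unknown (the last meaning the sysctls are absent, i.e. a kernel without the MDS code), and checks whether `smtoff=YES` is set in an rc.conf. The parsing works on text read from stdin so it can be exercised offline with constructed sample output; the live path only runs on a NetBSD host. The function names and the output words are this example's own.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki: report the MDS mitigation state
# from the machdep.mds sysctls and whether smtoff=YES is configured.

# Classify "key = value" lines, as printed by `sysctl machdep.mds`, read
# from stdin. Prints one word and returns:
#   0 mitigated      mitigated=1 and method is not (none), e.g. [VERW]
#   1 not-mitigated  mitigated=0, or mitigated=1 but method is (none),
#                    i.e. the kernel could not apply a mitigation
#   2 unknown        the sysctls are absent (kernel without MDS support)
mds_classify() {
    mitigated=""
    method=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "machdep.mds.mitigated = "*) mitigated="${line#"machdep.mds.mitigated = "}" ;;
            "machdep.mds.method = "*)    method="${line#"machdep.mds.method = "}" ;;
        esac
    done
    if [ -z "$mitigated" ] || [ -z "$method" ]; then
        echo unknown
        return 2
    fi
    if [ "$mitigated" = 1 ] && [ "$method" != "(none)" ]; then
        echo mitigated
        return 0
    fi
    echo not-mitigated
    return 1
}

# Return 0 when an rc.conf read from stdin contains an active smtoff=YES
# line (optionally double-quoted, trailing comment allowed); 1 otherwise.
# Commented-out lines do not count.
smtoff_configured() {
    grep -Eq '^[[:space:]]*smtoff="?YES"?[[:space:]]*(#.*)?$'
}

# Live check: only meaningful on NetBSD, where the machdep.mds sysctls exist.
if [ "$(uname -s 2>/dev/null)" = NetBSD ]; then
    status=$(sysctl machdep.mds 2>/dev/null | mds_classify) || true
    echo "MDS mitigation: $status"
    if smtoff_configured < /etc/rc.conf; then
        echo "SMT: smtoff=YES set in /etc/rc.conf"
    else
        echo "SMT: smtoff not set in /etc/rc.conf (disable SMT/HT in the BIOS or set smtoff=YES)"
    fi
fi
```

Run it as root on a NetBSD-8 or -current host to see both knobs at once; on any other system it only defines the two functions, which is what lets the classification logic be tested with constructed sysctl and rc.conf text.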
