File:  [NetBSD Developer Wiki] / wikisrc / security / intel_mds.mdwn
Revision 1.7
Tue May 14 18:24:41 2019 UTC (16 months, 1 week ago) by wiki
Branches: MAIN
CVS tags: HEAD
web commit by billc

[[!meta title="Intel MDS"]]

#NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514

###Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
hardware starting with select 8th and 9th Generation Intel® Core™ processors, as
well as the 2nd Generation Intel® Xeon® Scalable Processor Family.

Please refer to the Intel Security Advisory 00233 located at:
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).

This update mitigates the following CVEs:

###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
* Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127
> CVSS: 6.5 Medium

* Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126
> CVSS: 6.5 Medium

* Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130
> CVSS: 6.5 Medium

* Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091
> CVSS: 3.8 Low

##Status of the Fix

NetBSD-7 and all earlier releases have no planned fixes.

[[!table data="""
Port		|Vendor/Model	|MDS		|NetBSD-8.1 (stable)	|NetBSD-current
amd64		|Intel		|Vulnerable	|Fixed [VERW][smtoff]	|Fixed [VERW][smtoff]
"""]]

###Mitigation

The mitigation for MDS depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for
the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

###Enabling the mitigation

The following two sysctls are now available:

[[!template id=programlisting text="""
machdep.mds.mitigated = {0/1} user-settable
machdep.mds.method = {string} constructed by the kernel
"""]]

If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.

To manually enable the check, use "sysctl -w machdep.mds.mitigated=1".  NetBSD
will then determine if it can apply the available mitigation.  When it is set to 0,
NetBSD disables the mitigation.

Note: machdep.mds.method will then show "[VERW]" if the mitigation is enabled, and "(none)" if not.
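
The checks described under "Mitigation" and "Enabling the mitigation" can be scripted for fleet audits. The following is an added shell example, not part of the original page and not NetBSD project code. The function names, status strings and sample input are assumptions made for illustration, and it assumes that sysctl prints `name = value` lines.

```sh
#!/bin/sh
# Added example (not NetBSD project code): audit the MDS settings from this page.
# Live use on NetBSD/amd64 (assumed invocation):
#   mds_audit "$(sysctl machdep.mds 2>/dev/null)" "$(cat /etc/rc.conf)"

# Value of KEY ($1) in `sysctl` output ($2), whose lines read "key = value".
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F ' = ' '$1 == k { print $2; exit }'
}

# Last assignment of VAR ($1) in rc.conf text ($2); comments and quotes dropped.
rc_conf_value() {
    printf '%s\n' "$2" | sed -e 's/[[:space:]]*#.*//' -e 's/[[:space:]]*$//' |
        tr -d "\"'" | awk -v k="$1" -F= '$1 == k { v = $2 } END { print v }'
}

# Prints "mds=<state> smt=<state>"; exit status 0 only when VERW is active.
mds_audit() {
    mitigated=$(sysctl_value machdep.mds.mitigated "$1")
    method=$(sysctl_value machdep.mds.method "$1")
    case "$mitigated:$method" in
        '1:[VERW]') mds=mitigated ;;
        :*)         mds=no-sysctl ;;     # knob absent: kernel without this update
        *)          mds=unmitigated ;;   # mitigated=0 or method "(none)"
    esac
    # rc.conf booleans: YES/TRUE/ON/1 in any case count as enabled.
    case "$(rc_conf_value smtoff "$2" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|ON|1) smt=off-at-boot ;;
        *)             smt=not-disabled-by-rc.conf ;;
    esac
    echo "mds=$mds smt=$smt"
    [ "$mds" = mitigated ]
}

# Constructed sample input, not captured from a real host.
SAMPLE_SYSCTL='machdep.mds.mitigated = 1
machdep.mds.method = [VERW]'
SAMPLE_RC_CONF='hostname=build1   # constructed
smtoff=YES'

mds_audit "$SAMPLE_SYSCTL" "$SAMPLE_RC_CONF"
```

The non-zero exit status for the `unmitigated` and `no-sysctl` states lets a monitoring job flag hosts that still need the microcode update or the sysctl set. The `smt` field only reflects */etc/rc.conf*, so SMT disabled in the BIOS is reported as `not-disabled-by-rc.conf`.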
