File: [NetBSD Developer Wiki] / wikisrc / security / intel_mds.mdwn
Revision 1.2
Tue May 14 17:22:54 2019 UTC by wiki
Branches: MAIN
CVS tags: HEAD
web commit by billc

#NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514


###Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called Microarchitectural Data Sampling (MDS). MDS
affects a wide range of Intel processors; select 8th and 9th Generation Intel® Core™
processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family,
already carry hardware mitigations.

Please refer to Intel Security Advisory INTEL-SA-00233, located at:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html

This update is a mitigation for the following CVEs:

###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
* Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
> CVSS: 6.5 Medium

* Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
> CVSS: 6.5 Medium

* Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
> CVSS: 6.5 Medium

* Microarchitectural Uncacheable Data Sampling (MDSUM) - CVE-2019-11091
> CVSS: 3.8 Low

##Status of the Fix
**NetBSD-7 and all earlier releases have no planned fixes.**

[[!table data="""
Port		|Vendor/Model	|MDS	|NetBSD-8	|NetBSD-current
amd64	|Intel		|Vulnerable	|Fixed [VERW][smtoff]	|Fixed [VERW][smtoff]
"""]]


###Mitigation
The mitigation for MDS depends on the Intel CPU model and on the microcode
available to it, either from a motherboard BIOS revision or loaded by NetBSD.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for
the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**,
and the microcode is loaded into the running CPUs with cpuctl(8). The kernel
only selects the [VERW] method when the running microcode advertises the
MD_CLEAR CPUID feature, so verify that the load took effect instead of assuming it.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities: the fill buffers and load ports that MDS samples are shared
between the sibling threads of a core, so a sibling thread can observe data that
the VERW flush the kernel performs on its own thread does not cover. Should you
not be able to disable SMT/HT in your BIOS, you can put **smtoff=YES** in your
*/etc/rc.conf* file.

###Enabling the mitigation

The two following sysctls are now available:
	machdep.mds.mitigated = {0/1} user-settable
	machdep.mds.method = {string} constructed by the kernel

If the BIOS (or microcode loaded as described above) has the MDS update, then
NetBSD will have set machdep.mds.mitigated=1 automatically.

To manually enable the mitigation, use **sysctl -w machdep.mds.mitigated=1**. NetBSD
will then determine whether it can apply the available mitigation. When set to 0,
NetBSD disables the mitigation. Check machdep.mds.method afterwards: requesting
the mitigation on a CPU whose microcode lacks the MDS update does not make the
system mitigated.

######Note: "method" will then show [VERW] if the mitigation is enabled, and (none) if not.
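As an added example that is not part of this page or of NetBSD's own code, the following C program reads the CPUID bits behind both the Mitigation and the Enabling sections above: MD_CLEAR (CPUID leaf 7, EDX bit 10), which the microcode update from the BIOS or from **sysutils/intel-microcode-netbsd** adds and which the kernel needs before it can report [VERW]; ARCH_CAPABILITIES (leaf 7, EDX bit 29), which only tells you that the IA32_ARCH_CAPABILITIES MSR exists (its MDS_NO bit is readable from the kernel, not from userland); and HTT (leaf 1, EDX bit 28), which says the package can run sibling threads but not whether SMT is currently on. The mds_cpu structure, the mds_expected_method and mds_advise helpers and their return values are this example's own names, not kernel or sysctl interfaces; on a live system **sysctl machdep.mds.method** is the authoritative answer and **cpuctl list** shows which CPUs are online.

```c
/*
 * mds_cpuid_check.c: added example, not NetBSD project code. Decodes the
 * CPUID bits the NetBSD MDS mitigation keys on, so an admin can confirm a
 * microcode load actually took effect before trusting machdep.mds.mitigated.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define MDS_HAVE_CPUID 1
#endif

/* CPUID.(EAX=7,ECX=0):EDX, per the Intel SDM. */
#define CPUID7_EDX_MD_CLEAR          (1u << 10) /* VERW flushes CPU buffers */
#define CPUID7_EDX_ARCH_CAPABILITIES (1u << 29) /* IA32_ARCH_CAPABILITIES MSR exists */
/* CPUID.(EAX=1):EDX */
#define CPUID1_EDX_HTT               (1u << 28) /* package can expose sibling threads */

struct mds_cpu {            /* example's own container for the two registers */
    uint32_t leaf1_edx;
    uint32_t leaf7_edx;
};

enum mds_advice {           /* example's own classification, not a kernel value */
    MDS_ADVICE_UPDATE_MICROCODE, /* no MD_CLEAR: kernel can only report (none) */
    MDS_ADVICE_VERW_DISABLE_SMT, /* MD_CLEAR present but siblings still share buffers */
    MDS_ADVICE_VERW_OK           /* MD_CLEAR present and SMT off */
};

int mds_has_md_clear(const struct mds_cpu *c)
{
    return (c->leaf7_edx & CPUID7_EDX_MD_CLEAR) != 0;
}

int mds_has_arch_capabilities(const struct mds_cpu *c)
{
    return (c->leaf7_edx & CPUID7_EDX_ARCH_CAPABILITIES) != 0;
}

int mds_has_htt(const struct mds_cpu *c)
{
    return (c->leaf1_edx & CPUID1_EDX_HTT) != 0;
}

/* The machdep.mds.method string this page documents, derived from the same
 * CPUID bit the kernel checks. Mirrors the sysctl; it is not the kernel's code. */
const char *mds_expected_method(const struct mds_cpu *c)
{
    return mds_has_md_clear(c) ? "[VERW]" : "(none)";
}

/* smt_enabled must come from the caller: CPUID cannot tell whether the BIOS
 * or smtoff=YES has actually taken the sibling threads offline. */
enum mds_advice mds_advise(const struct mds_cpu *c, int smt_enabled)
{
    if (!mds_has_md_clear(c))
        return MDS_ADVICE_UPDATE_MICROCODE;
    return smt_enabled ? MDS_ADVICE_VERW_DISABLE_SMT : MDS_ADVICE_VERW_OK;
}

/* Reads live CPUID. Returns 0 on non-x86 builds or when leaf 7 is absent.
 * CPUID reports the CPU the process is currently scheduled on. */
int mds_read_cpuid(struct mds_cpu *c)
{
#ifdef MDS_HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;

    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid(1, eax, ebx, ecx, edx);
    c->leaf1_edx = edx;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    c->leaf7_edx = edx;
    return 1;
#else
    (void)c;
    return 0;
#endif
}

int main(void)
{
    struct mds_cpu c = { 0, 0 };

    if (!mds_read_cpuid(&c)) {
        puts("CPUID leaf 7 unavailable or not an x86 build: nothing to report");
        return 1;
    }
    printf("MD_CLEAR:          %s\n", mds_has_md_clear(&c) ? "yes" : "no");
    printf("ARCH_CAPABILITIES: %s\n", mds_has_arch_capabilities(&c) ? "yes" : "no");
    printf("HTT:               %s\n", mds_has_htt(&c) ? "yes" : "no");
    printf("expected machdep.mds.method: %s\n", mds_expected_method(&c));

    /* Conservative assumption: SMT is on whenever the package supports it. */
    switch (mds_advise(&c, mds_has_htt(&c))) {
    case MDS_ADVICE_UPDATE_MICROCODE:
        puts("advice: install the BIOS or sysutils/intel-microcode-netbsd update");
        break;
    case MDS_ADVICE_VERW_DISABLE_SMT:
        puts("advice: VERW usable; set smtoff=YES in /etc/rc.conf if SMT is on");
        break;
    case MDS_ADVICE_VERW_OK:
        puts("advice: VERW usable and no sibling threads share this core");
        break;
    }
    return 0;
}
```

Build with **cc -o mds_cpuid_check mds_cpuid_check.c** and run it before and after loading the microcode: MD_CLEAR changing from "no" to "yes" is the proof the update took. Because CPUID reports only the CPU the process is running on, pin the process to each CPU on a multi-socket machine if you suspect an uneven load.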
   63: 