File:  [NetBSD Developer Wiki] / wikisrc / security / intel_mds.mdwn
Revision 1.5: download - view: text, annotated - select for diffs
Tue May 14 17:38:01 2019 UTC (2 years, 5 months ago) by maxv
Branches: MAIN
CVS tags: HEAD
more style

    1: [[!meta title="Intel MDS"]]
    2: 
    3: #NetBSD Security Update for amd64 Port (X86_64) Architecture - 20190514
    4: 
    5: ###Description
    6: Details and mitigation information about a sub-class of speculative execution
    7: side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting
    8: hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as
    9: well as the 2nd Generation Intel® Xeon® Scalable Processor Family.
   10: 
   11: Please refer to the Intel Security Advisory 00233 is located at:
   12: [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html).
   13: 
   14: This update is mitigation for the following CVEs:
   15: 
   16: ###Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)
   17: * Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127
   18: > CVSS: 6.5 Medium
   19: 
   20: * Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126
   21: > CVSS: 6.5 Medium
   22: 
   23: * Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130
   24: > CVSS: 6.5 Medium
   25: 
   26: * Microarchitectural Uncacheable Data Sampling (MDSUM) – CVE-2019-11091
   27: > CVSS: 3.8 Low
   28: 
   29: ##Status of the Fix
   30: **NetBSD-7, and all the anterior releases, have no planned fixes.**
   31: 
   32: [[!table data="""
   33: Port		|Vendor/Model	|MDS		|NetBSD-8		|NetBSD-current
   34: amd64		|Intel		|Vulnerable	|Fixed [VERW][smtoff]	|Fixed [VERW][smtoff]
   35: """]]
   36: 
   37: ###Mitigation
   38: The mitigation for MDS depends on the Intel CPU model and available microcode
   39: or motherboard BIOS revision.
   40: 
   41: Should a motherboard manufacturer not have a BIOS update with the MDS fix for
   42: the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest
   43: microcode distribution from Intel. The package is **sysutils/intel-microcode-netbsd**. 
   44: 
   45: You may also want to disable SMT/HyperThreading to address certain aspects of
   46: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
   47: can put **smtoff=YES** in your */etc/rc.conf* file.
   48: 
   49: ###Enabling the mitigation
   50: 
   51: The two following sysctls are now available:
   52: 
   53: [[!template id=programlisting text="""
   54: machdep.mds.mitigated = {0/1} user-settable
   55: machdep.mds.method = {string} constructed by the kernel
   56: """]]
   57: 
   58: If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.  
   59: 
   60: To manually enable the check, use "sysctl -w machdep.mds.mitigated=1".  NetBSD
   61: will then determine if it can apply the available mitigation.  When set to 0, then
   62: NetBSD will disable the mitigation.
   63: 
   64: ######Note: "method" will then show a [VERW] if it is enabled, and (none) if not.

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb