Intel MDS

NetBSD Security Update for the amd64 port (x86_64 architecture) - 20190514

Description

Details and mitigation information about a sub-class of speculative execution side-channel vulnerabilities called Microarchitectural Data Sampling (MDS) affecting hardware starting with select 8th and 9th Generation Intel® CoreTM processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family.

Please refer to the Intel Security Advisory 00233 located at: Intel website.

This update is mitigation for the following CVEs:

Common Vulnerabilities and Exposures (CVE) / Common Vulnerability Scoring System (CVSS)

Microarchitectural Load Port Data Sampling (MLPDS), CVE-2018-12127 CVSS: 6.5 Medium

Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12126 CVSS: 6.5 Medium

Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12130 CVSS: 6.5 Medium

Microarchitectural Uncacheable Data Sampling (MDSUM), CVE-2019-11091 CVSS: 3.8 Low

Status of the Fix

NetBSD-7, and all the anterior releases, have no planned fixes.

Port Vendor/Model MDS NetBSD-8.1 (stable) NetBSD-current amd64 Intel Vulnerable Fixed [VERW][smtoff] Fixed [VERW][smtoff]

Mitigation

The mitigation for MDS depends on the Intel CPU model and available microcode or motherboard BIOS revision.

Should a motherboard manufacturer not have a BIOS update with the MDS fix for the affected Intel processors, you may use NetBSD's pkgsrc to fetch the latest microcode distribution from Intel. The package is sysutils/intel-microcode-netbsd.

You may also want to disable SMT/HyperThreading to address certain aspects of the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you can put smtoff=YES in your /etc/rc.conf file.

Enabling the mitigation

The two following sysctls are now available:

machdep.mds.mitigated = {0/1} user-settable machdep.mds.method = {string} constructed by the kernel

If the BIOS has the MDS update, then NetBSD will have set machdep.mds.mitigated=1 automatically.

To manually enable the check, use "sysctl -w machdep.mds.mitigated=1". NetBSD will then determine if it can apply the available mitigation. When set to 0, then NetBSD will disable the mitigation.

Note: "method" will then show a "[VERW]" if it is enabled, and "(none)" if not.