Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

MDS - Microarchitectural Data Sampling
======================================

Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.

Affected processors
-------------------

This vulnerability affects a wide range of Intel processors. The
vulnerability is not present on:

   - Processors from AMD, Centaur and other non Intel vendors

   - Older processor models, where the CPU family is < 6

   - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus)

   - Intel processors which have the ARCH_CAP_MDS_NO bit set in the
     IA32_ARCH_CAPABILITIES MSR.

Whether a processor is affected or not can be read out from the MDS
vulnerability file in sysfs. See :ref:`mds_sys_info`.

Not all processors are affected by all variants of MDS, but the mitigation
is identical for all of them so the kernel treats them as a single
vulnerability.

Related CVEs
------------

The following CVE entries are related to the MDS vulnerability:

   ==============  =====  ===================================================
   CVE-2018-12126  MSBDS  Microarchitectural Store Buffer Data Sampling
   CVE-2018-12130  MFBDS  Microarchitectural Fill Buffer Data Sampling
   CVE-2018-12127  MLPDS  Microarchitectural Load Port Data Sampling
   CVE-2019-11091  MDSUM  Microarchitectural Data Sampling Uncacheable Memory
   ==============  =====  ===================================================

Problem
-------

When performing store, load or L1 refill operations, processors write data
into temporary microarchitectural structures (buffers). The data in the
buffer can be forwarded to load operations as an optimization.

Under certain conditions, usually a fault/assist caused by a load
operation, data unrelated to the load memory address can be speculatively
forwarded from the buffers. Because the load operation causes a fault or
assist and its result will be discarded, the forwarded data will not cause
incorrect program execution or state changes. But a malicious operation
may be able to forward this speculative data to a disclosure gadget, which
in turn allows the value to be inferred via a cache side channel attack.

Because the buffers are potentially shared between Hyper-Threads, cross
Hyper-Thread attacks are possible.

Deeper technical information is available in the MDS specific x86
architecture section: :ref:`Documentation/x86/mds.rst <mds>`.


Attack scenarios
----------------

Attacks against the MDS vulnerabilities can be mounted from malicious
non-privileged user space applications running on hosts or guests. Malicious
guest OSes can obviously mount attacks as well.

Contrary to other speculation based vulnerabilities, the MDS vulnerability
does not allow the attacker to control the memory target address. As a
consequence the attacks are purely sampling based, but as demonstrated with
the TLBleed attack, samples can be postprocessed successfully.

Web-Browsers
^^^^^^^^^^^^

  It's unclear whether attacks through Web-Browsers are possible at
  all. Exploitation through JavaScript is considered very unlikely,
  but other widely used web technologies like WebAssembly could possibly be
  abused.


.. _mds_sys_info:

MDS system information
----------------------

The Linux kernel provides a sysfs interface to enumerate the current MDS
status of the system: whether the system is vulnerable, and which
mitigations are active. The relevant sysfs file is:

/sys/devices/system/cpu/vulnerabilities/mds

The possible values in this file are:

  .. list-table::

     * - 'Not affected'
       - The processor is not vulnerable
     * - 'Vulnerable'
       - The processor is vulnerable, but no mitigation enabled
     * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
       - The processor is vulnerable but microcode is not updated.

         The mitigation is enabled on a best effort basis. See :ref:`vmwerv`
     * - 'Mitigation: Clear CPU buffers'
       - The processor is vulnerable and the CPU buffer clearing mitigation is
         enabled.

If the processor is vulnerable then the following information is appended
to the above information:

    ========================  ============================================
    'SMT vulnerable'          SMT is enabled
    'SMT mitigated'           SMT is enabled and mitigated
    'SMT disabled'            SMT is disabled
    'SMT Host state unknown'  Kernel runs in a VM, Host SMT state unknown
    ========================  ============================================

.. _vmwerv:

Best effort mitigation mode
^^^^^^^^^^^^^^^^^^^^^^^^^^^

  If the processor is vulnerable, but the availability of the microcode based
  mitigation mechanism is not advertised via CPUID, the kernel selects a best
  effort mitigation mode.  This mode invokes the mitigation instructions
  without a guarantee that they clear the CPU buffers.

  This is done to address virtualization scenarios where the host has the
  microcode update applied, but the hypervisor is not yet updated to expose
  the CPUID to the guest. If the host has updated microcode the protection
  takes effect; otherwise a few CPU cycles are wasted pointlessly.

  The state in the mds sysfs file reflects this situation accordingly.
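
The status strings and SMT suffixes listed above can be turned into a pass/partial/fail verdict for a host audit. The following is an added example, not part of the kernel documentation; the names ``parse_mds_status``, ``read_mds_status`` and ``MdsStatus`` and the three verdict labels are assumptions made for illustration, and the sample lines are constructed.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Status strings from the list-table above. Longest match first, so the
# best-effort string is not mistaken for plain 'Vulnerable'.
STATES = (
    ("Vulnerable: Clear CPU buffers attempted, no microcode", "best_effort"),
    ("Mitigation: Clear CPU buffers", "mitigated"),
    ("Not affected", "not_affected"),
    ("Vulnerable", "vulnerable"),
)
# SMT information appended when the processor is vulnerable.
SMT_STATES = (
    ("SMT Host state unknown", "host_unknown"),
    ("SMT vulnerable", "vulnerable"),
    ("SMT mitigated", "mitigated"),
    ("SMT disabled", "disabled"),
)


@dataclass
class MdsStatus:
    state: str           # not_affected | vulnerable | best_effort | mitigated
    smt: Optional[str]   # None when no SMT information is appended
    verdict: str         # protected | partial | unprotected (labels assumed)
    reason: str


def parse_mds_status(text: str) -> MdsStatus:
    """Classify one line read from the mds sysfs file."""
    line = text.strip()
    state = next((s for prefix, s in STATES if line.startswith(prefix)), None)
    if state is None:
        raise ValueError(f"unrecognised mds status: {line!r}")
    # Substring search: the separator before the SMT part is not assumed.
    smt = next((s for marker, s in SMT_STATES if marker in line), None)

    if state == "not_affected":
        return MdsStatus(state, smt, "protected", "processor is not vulnerable")
    if state == "vulnerable":
        return MdsStatus(state, smt, "unprotected", "no mitigation enabled")
    if state == "best_effort":
        return MdsStatus(state, smt, "partial",
                         "buffer clearing attempted, no microcode guarantee")
    # state == "mitigated": buffer clearing is on, SMT decides the rest.
    if smt in ("disabled", "mitigated"):
        return MdsStatus(state, smt, "protected", "buffers cleared, SMT covered")
    if smt == "vulnerable":
        return MdsStatus(state, smt, "partial",
                         "SMT enabled, cross Hyper-Thread attacks remain possible")
    return MdsStatus(state, smt, "partial", "SMT state unknown")


def read_mds_status(path: Path = MDS_SYSFS) -> Optional[MdsStatus]:
    """Read the live value; None if the kernel does not provide the file."""
    try:
        return parse_mds_status(path.read_text())
    except FileNotFoundError:
        return None


# Constructed sample values, not captured from a real machine.
SAMPLES = (
    "Not affected\n",
    "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown\n",
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.strip(), "->", parse_mds_status(sample))
    print("this host:", read_mds_status())
```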


Mitigation mechanism
--------------------

The kernel detects the affected CPUs and the presence of the microcode
which is required.

If a CPU is affected and the microcode is available, then the kernel
enables the mitigation by default. The mitigation can be controlled at boot
time via a kernel command line option. See
:ref:`mds_mitigation_control_command_line`.

.. _cpu_buffer_clear:

CPU buffer clearing
^^^^^^^^^^^^^^^^^^^

  The mitigation for MDS clears the affected CPU buffers on return to user
  space and when entering a guest.

  If SMT is enabled it also clears the buffers on idle entry when the CPU
  is only affected by MSBDS and not any other MDS variant, because the
  other variants cannot be protected against cross Hyper-Thread attacks.

  For CPUs which are only affected by MSBDS the user space, guest and idle
  transition mitigations are sufficient and SMT is not affected.

.. _virt_mechanism:

Virtualization mitigation
^^^^^^^^^^^^^^^^^^^^^^^^^

  The protection for host to guest transition depends on the L1TF
  vulnerability of the CPU:

  - CPU is affected by L1TF:

    If the L1D flush mitigation is enabled and up to date microcode is
    available, the L1D flush mitigation automatically protects the
    guest transition.

    If the L1D flush mitigation is disabled then the MDS mitigation is
    invoked explicitly when the host MDS mitigation is enabled.

    For details on L1TF and virtualization see:
    :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <mitigation_control_kvm>`.

  - CPU is not affected by L1TF:

    CPU buffers are flushed before entering the guest when the host MDS
    mitigation is enabled.

  The resulting MDS protection matrix for the host to guest transition:

  ============ ===== ============= ============ =================
   L1TF         MDS   VMX-L1FLUSH   Host MDS     MDS-State

   Don't care   No    Don't care    N/A          Not affected

   Yes          Yes   Disabled      Off          Vulnerable

   Yes          Yes   Disabled      Full         Mitigated

   Yes          Yes   Enabled       Don't care   Mitigated

   No           Yes   N/A           Off          Vulnerable

   No           Yes   N/A           Full         Mitigated
  ============ ===== ============= ============ =================

  This only covers the host to guest transition, i.e. prevents leakage from
  host to guest, but does not protect the guest internally. Guests need to
  have their own protections.

.. _xeon_phi:

XEON PHI specific considerations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  The XEON PHI processor family is affected by MSBDS which can be exploited
  cross Hyper-Threads when entering idle states. Some XEON PHI variants allow
  the use of MWAIT in user space (Ring 3) which opens a potential attack vector
  for malicious user space. The exposure can be disabled on the kernel
  command line with the 'ring3mwait=disable' command line option.

  XEON PHI is not affected by the other MDS variants and MSBDS is mitigated
  before the CPU enters an idle state. As XEON PHI is not affected by L1TF
  either, disabling SMT is not required for full protection.

.. _mds_smt_control:

SMT control
^^^^^^^^^^^

  All MDS variants except MSBDS can be attacked cross Hyper-Threads. That
  means on CPUs which are affected by MFBDS or MLPDS it is necessary to
  disable SMT for full protection. These are most of the affected CPUs; the
  exception is XEON PHI, see :ref:`xeon_phi`.

  Disabling SMT can have a significant performance impact, but the impact
  depends on the type of workloads.

  See the relevant chapter in the L1TF mitigation documentation for details:
  :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.


.. _mds_mitigation_control_command_line:

Mitigation control on the kernel command line
---------------------------------------------

The kernel command line allows control of the MDS mitigations at boot
time with the option "mds=". The valid arguments for this option are:

  ============  =============================================================
  full          If the CPU is vulnerable, enable all available mitigations
                for the MDS vulnerability, CPU buffer clearing on exit to
                userspace and when entering a VM. Idle transitions are
                protected as well if SMT is enabled.

                It does not automatically disable SMT.

  full,nosmt    The same as mds=full, with SMT disabled on vulnerable
                CPUs.  This is the complete mitigation.

  off           Disables MDS mitigations completely.

  ============  =============================================================

Not specifying this option is equivalent to "mds=full". For processors
that are affected by both TAA (TSX Asynchronous Abort) and MDS,
specifying just "mds=off" without an accompanying "tsx_async_abort=off"
will have no effect as the same mitigation is used for both
vulnerabilities.
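
The interaction between "mds=" and "tsx_async_abort=" described above is easy to get wrong when reviewing boot configurations. The following added example (not part of the kernel documentation) audits a command line string such as the content of ``/proc/cmdline``; the function names and finding labels are hypothetical, the sample command lines are constructed, and taking the last occurrence of a repeated option and treating an unrecognised argument as the default are simplifying assumptions.

```python
VALID_MDS = ("full", "full,nosmt", "off")


def last_value(cmdline: str, key: str):
    """Value of the last 'key=value' token, or None if the key is absent."""
    value = None
    for token in cmdline.split():
        name, sep, val = token.partition("=")
        if sep and name == key:
            value = val
    return value


def audit_mds_cmdline(cmdline: str, taa_affected: bool) -> dict:
    """Report what the mds= option asks for and what it actually achieves.

    taa_affected is supplied by the caller (for example derived from the
    tsx_async_abort file in the same sysfs directory as the mds file).
    """
    findings = []
    mds = last_value(cmdline, "mds")
    if mds is None:
        mds = "full"              # not specifying the option equals mds=full
    elif mds not in VALID_MDS:
        findings.append(f"invalid-mds-argument:{mds}")
        mds = "full"              # assumption: the default stays in place

    taa_off = last_value(cmdline, "tsx_async_abort") == "off"

    buffer_clearing = mds != "off"
    if mds == "off" and taa_affected and not taa_off:
        # Same mitigation serves both vulnerabilities, so it stays enabled.
        buffer_clearing = True
        findings.append("mds-off-ineffective-without-tsx_async_abort-off")
    if not buffer_clearing:
        # Only acceptable for trusted userspace / trusted guests.
        findings.append("buffer-clearing-disabled")

    nosmt = mds == "full,nosmt"
    if buffer_clearing and not nosmt:
        # mds=full does not disable SMT; full,nosmt is the complete mitigation.
        findings.append("smt-not-disabled-by-mds-option")

    return {
        "requested": mds,
        "buffer_clearing": buffer_clearing,
        "nosmt": nosmt,
        "findings": findings,
    }


# Constructed sample command lines: (cmdline, CPU also affected by TAA).
SAMPLES = (
    ("BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet", False),
    ("root=/dev/sda1 ro mds=off", True),
    ("root=/dev/sda1 ro mds=off tsx_async_abort=off", True),
    ("root=/dev/sda1 ro mds=full,nosmt", False),
)

if __name__ == "__main__":
    for cmdline, taa in SAMPLES:
        print(cmdline, "->", audit_mds_cmdline(cmdline, taa))
```

The "smt-not-disabled-by-mds-option" finding only reflects the "mds=" option; whether SMT is actually active is reported by the SMT part of the mds sysfs file.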

Mitigation selection guide
--------------------------

1. Trusted userspace
^^^^^^^^^^^^^^^^^^^^

   If all userspace applications are from a trusted source and do not
   execute untrusted code which is supplied externally, then the mitigation
   can be disabled.


2. Virtualization with trusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   The same considerations as above for trusted user space apply.

3. Virtualization with untrusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   The protection depends on the state of the L1TF mitigations.
   See :ref:`virt_mechanism`.

   If the MDS mitigation is enabled and SMT is disabled, guest to host and
   guest to guest attacks are prevented.

.. _mds_default_mitigations:

Default mitigations
-------------------

  The kernel default mitigations for vulnerable processors are:

  - Enable CPU buffer clearing

  The kernel does not by default enforce the disabling of SMT, which leaves
  SMT systems vulnerable when running untrusted code. The same rationale as
  for L1TF applies.
  See :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <default_mitigations>`.