- Scan ID:
- 9fde0bff-b360-409a-acd9-f20e874cb803Finished
- Submitted URL:
- https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
- Report Finished:
Links · 2 found
The outgoing links identified from the page
| Link | Text |
|---|---|
| https://www.sphinx-doc.org/ | Sphinx 5.3.0 |
| https://alabaster.readthedocs.io | Alabaster 0.7.16 |
JavaScript Variables · 9 found
Global JavaScript variables loaded on the window object of a page, are variables declared outside of functions and accessible from anywhere in the code within the current scope
| Name | Type |
|---|---|
| onbeforetoggle | string |
| documentPictureInPicture | string |
| onscrollend | string |
| DOCUMENTATION_OPTIONS | string |
| $ | string |
| jQuery | string |
| _ | string |
| $u | string |
| sbar | string |
Console log messages · 1 found
Messages logged to the web console
| Type | Category | Log |
|---|---|---|
| error | network |
|
HTML
The raw HTML body of the page
<!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/">
<title>MDS - Microarchitectural Data Sampling — The Linux Kernel documentation</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css">
<link rel="stylesheet" type="text/css" href="../../_static/alabaster.css">
<script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>
<script src="../../_static/jquery.js"></script>
<script src="../../_static/underscore.js"></script>
<script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="../../_static/doctools.js"></script>
<script src="../../_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="../../genindex.html">
<link rel="search" title="Search" href="../../search.html">
<link rel="next" title="TAA - TSX Asynchronous Abort" href="tsx_async_abort.html">
<link rel="prev" title="L1TF - L1 Terminal Fault" href="l1tf.html">
<link rel="stylesheet" href="../../_static/custom.css" type="text/css">
</head><body>
<div class="document">
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="../../index.html">
<img class="logo" src="../../_static/logo.svg" alt="Logo">
</a></p>
<h1 class="logo"><a href="../../index.html">The Linux Kernel</a></h1>
<p class="blurb">6.11.0</p>
<div id="searchbox" style="display: block;" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../../search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false">
<input type="submit" value="Go">
</form>
</div>
</div>
<script>document.getElementById('searchbox').style.display = "block"</script><!-- SPDX-License-Identifier: GPL-2.0 -->
<p>
</p><h3 class="kernel-toc-contents">Contents</h3>
<input type="checkbox" class="kernel-toc-toggle" id="kernel-toc-toggle" checked="">
<label class="kernel-toc-title" for="kernel-toc-toggle"></label>
<div class="kerneltoc" id="kerneltoc">
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../process/development-process.html">Development process</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../process/submitting-patches.html">Submitting patches</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../process/code-of-conduct.html">Code of conduct</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../maintainer/index.html">Maintainer handbook</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../process/index.html">All development-process docs</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../core-api/index.html">Core API</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../driver-api/index.html">Driver APIs</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../subsystem-apis.html">Subsystems</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../locking/index.html">Locking</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../process/license-rules.html">Licensing rules</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../doc-guide/index.html">Writing documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev-tools/index.html">Development tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev-tools/testing-overview.html">Testing guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../kernel-hacking/index.html">Hacking guide</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../trace/index.html">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../fault-injection/index.html">Fault injection</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../livepatch/index.html">Livepatching</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rust/index.html">Rust</a></li>
</ul>
<ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">Administration</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../README.html">Linux kernel release 6.x <http://kernel.org/></a></li>
<li class="toctree-l2"><a class="reference internal" href="../kernel-parameters.html">The kernel’s command-line parameters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../devices.html">Linux allocated devices (4.x+ version)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../sysctl/index.html">Documentation for /proc/sys</a></li>
<li class="toctree-l2"><a class="reference internal" href="../abi.html">Linux ABI description</a></li>
<li class="toctree-l2"><a class="reference internal" href="../features.html">Feature status on all architectures</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Hardware vulnerabilities</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="spectre.html">Spectre Side Channels</a></li>
<li class="toctree-l3"><a class="reference internal" href="l1tf.html">L1TF - L1 Terminal Fault</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">MDS - Microarchitectural Data Sampling</a></li>
<li class="toctree-l3"><a class="reference internal" href="tsx_async_abort.html">TAA - TSX Asynchronous Abort</a></li>
<li class="toctree-l3"><a class="reference internal" href="multihit.html">iTLB multihit</a></li>
<li class="toctree-l3"><a class="reference internal" href="special-register-buffer-data-sampling.html">SRBDS - Special Register Buffer Data Sampling</a></li>
<li class="toctree-l3"><a class="reference internal" href="core-scheduling.html">Core Scheduling</a></li>
<li class="toctree-l3"><a class="reference internal" href="l1d_flush.html">L1D Flushing</a></li>
<li class="toctree-l3"><a class="reference internal" href="processor_mmio_stale_data.html">Processor MMIO Stale Data Vulnerabilities</a></li>
<li class="toctree-l3"><a class="reference internal" href="cross-thread-rsb.html">Cross-Thread Return Address Predictions</a></li>
<li class="toctree-l3"><a class="reference internal" href="srso.html">Speculative Return Stack Overflow (SRSO)</a></li>
<li class="toctree-l3"><a class="reference internal" href="gather_data_sampling.html">GDS - Gather Data Sampling</a></li>
<li class="toctree-l3"><a class="reference internal" href="reg-file-data-sampling.html">Register File Data Sampling (RFDS)</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../reporting-issues.html">Reporting issues</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reporting-regressions.html">Reporting regressions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../quickly-build-trimmed-linux.html">How to quickly build a trimmed Linux kernel</a></li>
<li class="toctree-l2"><a class="reference internal" href="../verify-bugs-and-bisect-regressions.html">How to verify bugs and bisect regressions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bug-hunting.html">Bug hunting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bug-bisect.html">Bisecting a bug</a></li>
<li class="toctree-l2"><a class="reference internal" href="../tainted-kernels.html">Tainted kernels</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ramoops.html">Ramoops oops/panic logger</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dynamic-debug-howto.html">Dynamic debug</a></li>
<li class="toctree-l2"><a class="reference internal" href="../init.html">Explaining the “No working init found.” boot hang message</a></li>
<li class="toctree-l2"><a class="reference internal" href="../kdump/index.html">Documentation for Kdump - The kexec-based Crash Dumping Solution</a></li>
<li class="toctree-l2"><a class="reference internal" href="../perf/index.html">Performance monitor support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pstore-blk.html">pstore block oops/panic logger</a></li>
<li class="toctree-l2"><a class="reference internal" href="../sysfs-rules.html">Rules on how to access information in sysfs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../workload-tracing.html">Discovering Linux kernel subsystems used by a workload</a></li>
<li class="toctree-l2"><a class="reference internal" href="../acpi/index.html">ACPI Support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../aoe/index.html">ATA over Ethernet (AoE)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auxdisplay/index.html">Auxiliary Display Support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bcache.html">A block layer cache (bcache)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../binderfs.html">The Android binderfs Filesystem</a></li>
<li class="toctree-l2"><a class="reference internal" href="../binfmt-misc.html">Kernel Support for miscellaneous Binary Formats (binfmt_misc)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../blockdev/index.html">Block Devices</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bootconfig.html">Boot Configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../braille-console.html">Linux Braille Console</a></li>
<li class="toctree-l2"><a class="reference internal" href="../btmrvl.html">btmrvl driver</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cgroup-v1/index.html">Control Groups version 1</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cgroup-v2.html">Control Group v2</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cifs/index.html">CIFS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../clearing-warn-once.html">Clearing WARN_ONCE</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cpu-load.html">CPU load</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cputopology.html">How CPU topology info is exported via sysfs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dell_rbu.html">Dell Remote BIOS Update driver (dell_rbu)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../device-mapper/index.html">Device Mapper</a></li>
<li class="toctree-l2"><a class="reference internal" href="../edid.html">EDID</a></li>
<li class="toctree-l2"><a class="reference internal" href="../efi-stub.html">The EFI Boot Stub</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ext4.html">ext4 General Information</a></li>
<li class="toctree-l2"><a class="reference internal" href="../filesystem-monitoring.html">File system Monitoring with fanotify</a></li>
<li class="toctree-l2"><a class="reference internal" href="../nfs/index.html">NFS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../gpio/index.html">GPIO</a></li>
<li class="toctree-l2"><a class="reference internal" href="../highuid.html">Notes on the change from 16-bit UIDs to 32-bit UIDs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../hw_random.html">Hardware random number generators</a></li>
<li class="toctree-l2"><a class="reference internal" href="../initrd.html">Using the initial RAM disk (initrd)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../iostats.html">I/O statistics fields</a></li>
<li class="toctree-l2"><a class="reference internal" href="../java.html">Java(tm) Binary Kernel Support for Linux v1.03</a></li>
<li class="toctree-l2"><a class="reference internal" href="../jfs.html">IBM’s Journaled File System (JFS) for Linux</a></li>
<li class="toctree-l2"><a class="reference internal" href="../kernel-per-CPU-kthreads.html">Reducing OS jitter due to per-cpu kthreads</a></li>
<li class="toctree-l2"><a class="reference internal" href="../laptops/index.html">Laptop Drivers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lcd-panel-cgram.html">Parallel port LCD/Keypad Panel support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ldm.html">LDM - Logical Disk Manager (Dynamic Disks)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lockup-watchdogs.html">Softlockup detector and hardlockup detector (aka nmi_watchdog)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../LSM/index.html">Linux Security Module Usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="../md.html">RAID arrays</a></li>
<li class="toctree-l2"><a class="reference internal" href="../media/index.html">Media subsystem admin and user guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mm/index.html">Memory Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="../module-signing.html">Kernel module signing facility</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mono.html">Mono(tm) Binary Kernel Support for Linux</a></li>
<li class="toctree-l2"><a class="reference internal" href="../namespaces/index.html">Namespaces</a></li>
<li class="toctree-l2"><a class="reference internal" href="../numastat.html">Numa policy hit/miss statistics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../parport.html">Parport</a></li>
<li class="toctree-l2"><a class="reference internal" href="../perf-security.html">Perf events and tool security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pm/index.html">Power Management</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pnp.html">Linux Plug and Play Documentation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../rapidio.html">RapidIO Subsystem Guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="../RAS/main.html">Reliability, Availability and Serviceability (RAS)</a></li>
<li class="toctree-l2"><a class="reference internal" href="../RAS/error-decoding.html">Error decoding</a></li>
<li class="toctree-l2"><a class="reference internal" href="../RAS/address-translation.html">Address translation</a></li>
<li class="toctree-l2"><a class="reference internal" href="../rtc.html">Real Time Clock (RTC) Drivers for Linux</a></li>
<li class="toctree-l2"><a class="reference internal" href="../serial-console.html">Linux Serial Console</a></li>
<li class="toctree-l2"><a class="reference internal" href="../svga.html">Video Mode Selection Support 2.13</a></li>
<li class="toctree-l2"><a class="reference internal" href="../syscall-user-dispatch.html">Syscall User Dispatch</a></li>
<li class="toctree-l2"><a class="reference internal" href="../sysrq.html">Linux Magic System Request Key Hacks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../thermal/index.html">Thermal Subsystem</a></li>
<li class="toctree-l2"><a class="reference internal" href="../thunderbolt.html">USB4 and Thunderbolt</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ufs.html">Using UFS</a></li>
<li class="toctree-l2"><a class="reference internal" href="../unicode.html">Unicode support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../vga-softcursor.html">Software cursor for VGA</a></li>
<li class="toctree-l2"><a class="reference internal" href="../video-output.html">Video Output Switcher Control</a></li>
<li class="toctree-l2"><a class="reference internal" href="../xfs.html">The SGI XFS Filesystem</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../kbuild/index.html">Build system</a></li>
<li class="toctree-l1"><a class="reference internal" href="../reporting-issues.html">Reporting issues</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../tools/index.html">Userspace tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../userspace-api/index.html">Userspace API</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../firmware-guide/index.html">Firmware</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../devicetree/index.html">Firmware and Devicetree</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../arch/index.html">CPU architectures</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../staging/index.html">Unsorted documentation</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../translations/index.html">Translations</a></li>
</ul>
</div>
<script type="text/javascript"> <!--
var sbar = document.getElementsByClassName("sphinxsidebar")[0];
let currents = document.getElementsByClassName("current")
if (currents.length) {
sbar.scrollTop = currents[currents.length - 1].offsetTop;
}
--> </script>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../_sources/admin-guide/hw-vuln/mds.rst.txt" rel="nofollow">Show Source</a></li>
</ul>
</div>
</div>
</div>
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<!-- SPDX-License-Identifier: GPL-2.0 -->
<!-- Copyright © 2023, Oracle and/or its affiliates. -->
<section id="mds-microarchitectural-data-sampling">
<h1>MDS - Microarchitectural Data Sampling<a class="headerlink" href="#mds-microarchitectural-data-sampling" title="Permalink to this heading">¶</a></h1>
<p>Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.</p>
<section id="affected-processors">
<h2>Affected processors<a class="headerlink" href="#affected-processors" title="Permalink to this heading">¶</a></h2>
<p>This vulnerability affects a wide range of Intel processors. The
vulnerability is not present on:</p>
<blockquote>
<div><ul class="simple">
<li><p>Processors from AMD, Centaur and other non Intel vendors</p></li>
<li><p>Older processor models, where the CPU family is < 6</p></li>
<li><p>Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus)</p></li>
<li><p>Intel processors which have the ARCH_CAP_MDS_NO bit set in the
IA32_ARCH_CAPABILITIES MSR.</p></li>
</ul>
</div></blockquote>
<p>Whether a processor is affected or not can be read out from the MDS
vulnerability file in sysfs. See <a class="reference internal" href="#mds-sys-info"><span class="std std-ref">MDS system information</span></a>.</p>
<p>Not all processors are affected by all variants of MDS, but the mitigation
is identical for all of them so the kernel treats them as a single
vulnerability.</p>
</section>
<section id="related-cves">
<h2>Related CVEs<a class="headerlink" href="#related-cves" title="Permalink to this heading">¶</a></h2>
<p>The following CVE entries are related to the MDS vulnerability:</p>
<blockquote>
<div><table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p>CVE-2018-12126</p></td>
<td><p>MSBDS</p></td>
<td><p>Microarchitectural Store Buffer Data Sampling</p></td>
</tr>
<tr class="row-even"><td><p>CVE-2018-12130</p></td>
<td><p>MFBDS</p></td>
<td><p>Microarchitectural Fill Buffer Data Sampling</p></td>
</tr>
<tr class="row-odd"><td><p>CVE-2018-12127</p></td>
<td><p>MLPDS</p></td>
<td><p>Microarchitectural Load Port Data Sampling</p></td>
</tr>
<tr class="row-even"><td><p>CVE-2019-11091</p></td>
<td><p>MDSUM</p></td>
<td><p>Microarchitectural Data Sampling Uncacheable Memory</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
</section>
<section id="problem">
<h2>Problem<a class="headerlink" href="#problem" title="Permalink to this heading">¶</a></h2>
<p>When performing store, load, L1 refill operations, processors write data
into temporary microarchitectural structures (buffers). The data in the
buffer can be forwarded to load operations as an optimization.</p>
<p>Under certain conditions, usually a fault/assist caused by a load
operation, data unrelated to the load memory address can be speculatively
forwarded from the buffers. Because the load operation causes a fault or
assist and its result will be discarded, the forwarded data will not cause
incorrect program execution or state changes. But a malicious operation
may be able to forward this speculative data to a disclosure gadget which
allows in turn to infer the value via a cache side channel attack.</p>
<p>Because the buffers are potentially shared between Hyper-Threads cross
Hyper-Thread attacks are possible.</p>
<p>Deeper technical information is available in the MDS specific x86
architecture section: <a class="reference internal" href="../../arch/x86/mds.html#mds"><span class="std std-ref">Documentation/arch/x86/mds.rst</span></a>.</p>
</section>
<section id="attack-scenarios">
<h2>Attack scenarios<a class="headerlink" href="#attack-scenarios" title="Permalink to this heading">¶</a></h2>
<p>Attacks against the MDS vulnerabilities can be mounted from malicious non-
privileged user space applications running on hosts or guest. Malicious
guest OSes can obviously mount attacks as well.</p>
<p>Contrary to other speculation based vulnerabilities the MDS vulnerability
does not allow the attacker to control the memory target address. As a
consequence the attacks are purely sampling based, but as demonstrated with
the TLBleed attack samples can be postprocessed successfully.</p>
<section id="web-browsers">
<h3>Web-Browsers<a class="headerlink" href="#web-browsers" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>It’s unclear whether attacks through Web-Browsers are possible at
all. The exploitation through Java-Script is considered very unlikely,
but other widely used web technologies like Webassembly could possibly be
abused.</p>
</div></blockquote>
</section>
</section>
<section id="mds-system-information">
<span id="mds-sys-info"></span><h2>MDS system information<a class="headerlink" href="#mds-system-information" title="Permalink to this heading">¶</a></h2>
<p>The Linux kernel provides a sysfs interface to enumerate the current MDS
status of the system: whether the system is vulnerable, and which
mitigations are active. The relevant sysfs file is:</p>
<p>/sys/devices/system/cpu/vulnerabilities/mds</p>
<p>The possible values in this file are:</p>
<blockquote>
<div><table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p>‘Not affected’</p></td>
<td><p>The processor is not vulnerable</p></td>
</tr>
<tr class="row-even"><td><p>‘Vulnerable’</p></td>
<td><p>The processor is vulnerable, but no mitigation enabled</p></td>
</tr>
<tr class="row-odd"><td><p>‘Vulnerable: Clear CPU buffers attempted, no microcode’</p></td>
<td><p>The processor is vulnerable but microcode is not updated. The
mitigation is enabled on a best effort basis.</p>
<p>If the processor is vulnerable but the availability of the microcode
based mitigation mechanism is not advertised via CPUID, the kernel
selects a best effort mitigation mode. This mode invokes the mitigation
instructions without a guarantee that they clear the CPU buffers.</p>
<p>This is done to address virtualization scenarios where the host has the
microcode update applied, but the hypervisor is not yet updated to
expose the CPUID to the guest. If the host has updated microcode the
protection takes effect; otherwise a few CPU cycles are wasted
pointlessly.</p>
</td>
</tr>
<tr class="row-even"><td><p>‘Mitigation: Clear CPU buffers’</p></td>
<td><p>The processor is vulnerable and the CPU buffer clearing mitigation is
enabled.</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
<p>If the processor is vulnerable then the following information is appended
to the above information:</p>
<blockquote>
<div><table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p>‘SMT vulnerable’</p></td>
<td><p>SMT is enabled</p></td>
</tr>
<tr class="row-even"><td><p>‘SMT mitigated’</p></td>
<td><p>SMT is enabled and mitigated</p></td>
</tr>
<tr class="row-odd"><td><p>‘SMT disabled’</p></td>
<td><p>SMT is disabled</p></td>
</tr>
<tr class="row-even"><td><p>‘SMT Host state unknown’</p></td>
<td><p>Kernel runs in a VM, Host SMT state unknown</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
</section>
<section id="mitigation-mechanism">
<h2>Mitigation mechanism<a class="headerlink" href="#mitigation-mechanism" title="Permalink to this heading">¶</a></h2>
<p>The kernel detects the affected CPUs and the presence of the microcode
which is required.</p>
<p>If a CPU is affected and the microcode is available, then the kernel
enables the mitigation by default. The mitigation can be controlled at boot
time via a kernel command line option. See
<a class="reference internal" href="#mds-mitigation-control-command-line"><span class="std std-ref">Mitigation control on the kernel command line</span></a>.</p>
<section id="cpu-buffer-clearing">
<span id="cpu-buffer-clear"></span><h3>CPU buffer clearing<a class="headerlink" href="#cpu-buffer-clearing" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>The mitigation for MDS clears the affected CPU buffers on return to user
space and when entering a guest.</p>
<p>If SMT is enabled it also clears the buffers on idle entry when the CPU
is only affected by MSBDS and not any other MDS variant, because the
other variants cannot be protected against cross Hyper-Thread attacks.</p>
<p>For CPUs which are only affected by MSBDS the user space, guest and idle
transition mitigations are sufficient and SMT is not affected.</p>
</div></blockquote>
</section>
<section id="virtualization-mitigation">
<span id="virt-mechanism"></span><h3>Virtualization mitigation<a class="headerlink" href="#virtualization-mitigation" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>The protection for host to guest transition depends on the L1TF
vulnerability of the CPU:</p>
<ul>
<li><p>CPU is affected by L1TF:</p>
<p>If the L1D flush mitigation is enabled and up to date microcode is
available, the L1D flush mitigation is automatically protecting the
guest transition.</p>
<p>If the L1D flush mitigation is disabled then the MDS mitigation is
invoked explicit when the host MDS mitigation is enabled.</p>
<p>For details on L1TF and virtualization see:
<a class="reference internal" href="l1tf.html#mitigation-control-kvm"><span class="std std-ref">Documentation/admin-guide/hw-vuln//l1tf.rst</span></a>.</p>
</li>
<li><p>CPU is not affected by L1TF:</p>
<p>CPU buffers are flushed before entering the guest when the host MDS
mitigation is enabled.</p>
</li>
</ul>
<p>The resulting MDS protection matrix for the host to guest transition:</p>
<table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p>L1TF</p></td>
<td><p>MDS</p></td>
<td><p>VMX-L1FLUSH</p></td>
<td><p>Host MDS</p></td>
<td><p>MDS-State</p></td>
</tr>
<tr class="row-even"><td><p>Don’t care</p></td>
<td><p>No</p></td>
<td><p>Don’t care</p></td>
<td><p>N/A</p></td>
<td><p>Not affected</p></td>
</tr>
<tr class="row-odd"><td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Disabled</p></td>
<td><p>Off</p></td>
<td><p>Vulnerable</p></td>
</tr>
<tr class="row-even"><td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Disabled</p></td>
<td><p>Full</p></td>
<td><p>Mitigated</p></td>
</tr>
<tr class="row-odd"><td><p>Yes</p></td>
<td><p>Yes</p></td>
<td><p>Enabled</p></td>
<td><p>Don’t care</p></td>
<td><p>Mitigated</p></td>
</tr>
<tr class="row-even"><td><p>No</p></td>
<td><p>Yes</p></td>
<td><p>N/A</p></td>
<td><p>Off</p></td>
<td><p>Vulnerable</p></td>
</tr>
<tr class="row-odd"><td><p>No</p></td>
<td><p>Yes</p></td>
<td><p>N/A</p></td>
<td><p>Full</p></td>
<td><p>Mitigated</p></td>
</tr>
</tbody>
</table>
<p>This only covers the host to guest transition, i.e. prevents leakage from
host to guest, but does not protect the guest internally. Guests need to
have their own protections.</p>
</div></blockquote>
</section>
<section id="xeon-phi-specific-considerations">
<span id="xeon-phi"></span><h3>XEON PHI specific considerations<a class="headerlink" href="#xeon-phi-specific-considerations" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>The XEON PHI processor family is affected by MSBDS which can be exploited
cross Hyper-Threads when entering idle states. Some XEON PHI variants allow
to use MWAIT in user space (Ring 3) which opens an potential attack vector
for malicious user space. The exposure can be disabled on the kernel
command line with the ‘ring3mwait=disable’ command line option.</p>
<p>XEON PHI is not affected by the other MDS variants and MSBDS is mitigated
before the CPU enters a idle state. As XEON PHI is not affected by L1TF
either disabling SMT is not required for full protection.</p>
</div></blockquote>
</section>
<section id="smt-control">
<span id="mds-smt-control"></span><h3>SMT control<a class="headerlink" href="#smt-control" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>All MDS variants except MSBDS can be attacked cross Hyper-Threads. That
means on CPUs which are affected by MFBDS or MLPDS it is necessary to
disable SMT for full protection. These are most of the affected CPUs; the
exception is XEON PHI, see <a class="reference internal" href="#xeon-phi"><span class="std std-ref">XEON PHI specific considerations</span></a>.</p>
<p>Disabling SMT can have a significant performance impact, but the impact
depends on the type of workloads.</p>
<p>See the relevant chapter in the L1TF mitigation documentation for details:
<a class="reference internal" href="l1tf.html#smt-control"><span class="std std-ref">Documentation/admin-guide/hw-vuln/l1tf.rst</span></a>.</p>
</div></blockquote>
</section>
</section>
<section id="mitigation-control-on-the-kernel-command-line">
<span id="mds-mitigation-control-command-line"></span><h2>Mitigation control on the kernel command line<a class="headerlink" href="#mitigation-control-on-the-kernel-command-line" title="Permalink to this heading">¶</a></h2>
<p>The kernel command line allows to control the MDS mitigations at boot
time with the option “mds=”. The valid arguments for this option are:</p>
<blockquote>
<div><table class="docutils align-default">
<tbody>
<tr class="row-odd"><td><p>full</p></td>
<td><p>If the CPU is vulnerable, enable all available mitigations
for the MDS vulnerability, CPU buffer clearing on exit to
userspace and when entering a VM. Idle transitions are
protected as well if SMT is enabled.</p>
<p>It does not automatically disable SMT.</p>
</td>
</tr>
<tr class="row-even"><td><p>full,nosmt</p></td>
<td><p>The same as mds=full, with SMT disabled on vulnerable
CPUs. This is the complete mitigation.</p></td>
</tr>
<tr class="row-odd"><td><p>off</p></td>
<td><p>Disables MDS mitigations completely.</p></td>
</tr>
</tbody>
</table>
</div></blockquote>
<p>Not specifying this option is equivalent to “mds=full”. For processors
that are affected by both TAA (TSX Asynchronous Abort) and MDS,
specifying just “mds=off” without an accompanying “tsx_async_abort=off”
will have no effect as the same mitigation is used for both
vulnerabilities.</p>
</section>
<section id="mitigation-selection-guide">
<h2>Mitigation selection guide<a class="headerlink" href="#mitigation-selection-guide" title="Permalink to this heading">¶</a></h2>
<section id="trusted-userspace">
<h3>1. Trusted userspace<a class="headerlink" href="#trusted-userspace" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>If all userspace applications are from a trusted source and do not
execute untrusted code which is supplied externally, then the mitigation
can be disabled.</p>
</div></blockquote>
</section>
<section id="virtualization-with-trusted-guests">
<h3>2. Virtualization with trusted guests<a class="headerlink" href="#virtualization-with-trusted-guests" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>The same considerations as above versus trusted user space apply.</p>
</div></blockquote>
</section>
<section id="virtualization-with-untrusted-guests">
<h3>3. Virtualization with untrusted guests<a class="headerlink" href="#virtualization-with-untrusted-guests" title="Permalink to this heading">¶</a></h3>
<blockquote>
<div><p>The protection depends on the state of the L1TF mitigations.
See <a class="reference internal" href="#virt-mechanism"><span class="std std-ref">Virtualization mitigation</span></a>.</p>
<p>If the MDS mitigation is enabled and SMT is disabled, guest to host and
guest to guest attacks are prevented.</p>
</div></blockquote>
</section>
</section>
<section id="default-mitigations">
<span id="mds-default-mitigations"></span><h2>Default mitigations<a class="headerlink" href="#default-mitigations" title="Permalink to this heading">¶</a></h2>
<blockquote>
<div><p>The kernel default mitigations for vulnerable processors are:</p>
<ul class="simple">
<li><p>Enable CPU buffer clearing</p></li>
</ul>
<p>The kernel does not by default enforce the disabling of SMT, which leaves
SMT systems vulnerable when running untrusted code. The same rationale as
for L1TF applies.
See <a class="reference internal" href="l1tf.html#default-mitigations"><span class="std std-ref">Documentation/admin-guide/hw-vuln//l1tf.rst</span></a>.</p>
</div></blockquote>
</section>
</section>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer">
©The kernel development community.
|
Powered by <a href="https://www.sphinx-doc.org/">Sphinx 5.3.0</a>
& <a href="https://alabaster.readthedocs.io">Alabaster 0.7.16</a>
|
<a href="../../_sources/admin-guide/hw-vuln/mds.rst.txt" rel="nofollow">Page source</a>
</div>
</body></html>