git: kernel - Add MDS mitigation support for Intel side-channel attack

Matthew Dillon dillon at crater.dragonflybsd.org
Tue May 14 17:46:41 PDT 2019


commit cd89a7cea54b4c5ddd44aa1e927cf7d7f2efafb0
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Tue May 14 17:33:39 2019 -0700

    kernel - Add MDS mitigation support for Intel side-channel attack
    
    * Add MDS (Microarchitectural Data Sampling) attack mitigation to
      the kernel.  This is an attack against Intel CPUs made from 2011
      to date.  The attack is not currently known to work against AMD CPUs.
    
      With an Intel microcode update the mitigation can be enabled with
    
      sysctl machdep.mds_mitigation=MD_CLEAR
    
    * Without the Intel microcode update, only disabling hyper-threading
      gives you any protection.  Older architectures might not get
      support.  If sysctl machdep.mds_support does not show support,
      then the currently loaded microcode does not have support for the
      feature.
    
    * DragonFlyBSD only supports the MD_CLEAR mode, and it will only
      be available with a microcode update from Intel.
    
      Updating the microcode alone does not protect against the attack.
      The microcode must be updated AND the mode must be turned on in
      DragonFlyBSD to protect against the attack.
    
      This mitigation burns around 250nS of additional latency on kernel->user
      transitions (system calls and interrupts primarily).  The additional
      latency will not be present if the microcode has support but it is disabled
      in the kernel, so you should be able to safely update your microcode
      even if you do not intend to use the mitigation.
    
    * It is unclear whether the microcode + mitigation completely protects
      the machine.  The attack is supposedly a sibling hyper-thread
      attack and it may be that the only way to completely protect your
      machine is to disable hyper-threading entirely.  Or buy AMD.
    
    Templated-from: NetBSD

Summary of changes:
 sys/cpu/x86_64/include/asmacros.h     |  34 ++-
 sys/cpu/x86_64/include/specialreg.h   |  17 ++
 sys/dev/misc/cpuctl/cpuctl.c          |   4 +-
 sys/platform/pc64/include/pcb.h       |   1 +
 sys/platform/pc64/x86_64/genassym.c   |   1 +
 sys/platform/pc64/x86_64/vm_machdep.c | 407 +++++++++++++++++++++++++++++++++-
 6 files changed, 443 insertions(+), 21 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/cd89a7cea54b4c5ddd44aa1e927cf7d7f2efafb0


-- 
DragonFly BSD source repository
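
The commit message separates three states: no microcode support, support present but the mode left off, and MD_CLEAR enabled. The following check is an added example, not part of the commit or of DragonFly's code; it classifies a host from the two sysctl values the message names. It assumes machdep.mds_support lists the token MD_CLEAR when the loaded microcode has the feature (the exact output format is not given on this page); the function names are hypothetical.

```shell
#!/bin/sh
# Classify MDS protection from machdep.mds_support and machdep.mds_mitigation.
# ASSUMPTION: mds_support contains the whitespace-separated token MD_CLEAR
# when the loaded microcode provides the feature.

mds_status() {
    support=$1      # value of machdep.mds_support
    mitigation=$2   # value of machdep.mds_mitigation
    case " $support " in
        *" MD_CLEAR "*) ;;                          # microcode has the feature
        *) echo "no-microcode-support"; return 0 ;;
    esac
    case "$mitigation" in
        MD_CLEAR) echo "mitigated" ;;
        *)        echo "supported-but-disabled" ;;  # microcode alone is not enough
    esac
}

# Map each state to the action the commit message describes.
mds_advice() {
    case "$(mds_status "$1" "$2")" in
        mitigated)
            echo "MD_CLEAR is on; disabling hyper-threading may still be needed" ;;
        supported-but-disabled)
            echo "microcode ok, mode off: sysctl machdep.mds_mitigation=MD_CLEAR" ;;
        no-microcode-support)
            echo "no microcode support: only disabling hyper-threading helps" ;;
    esac
}

# Read the live values; an absent sysctl is treated as "no support".
mds_check_live() {
    s=$(sysctl -n machdep.mds_support 2>/dev/null) || s=""
    m=$(sysctl -n machdep.mds_mitigation 2>/dev/null) || m=""
    mds_advice "$s" "$m"
}

# Run against the local host only when asked to: sh mds_check.sh --live
if [ "${1:-}" = "--live" ]; then
    mds_check_live
fi
```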


