MDS - Microarchitectural Data Sampling
======================================

Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.

Affected processors
-------------------

This vulnerability affects a wide range of Intel processors. The
vulnerability is not present on:

   - Processors from AMD, Centaur and other non Intel vendors

   - Older processor models, where the CPU family is < 6

   - Some Atoms (Bonnell, Saltwell, Goldmont, GoldmontPlus)

   - Intel processors which have the ARCH_CAP_MDS_NO bit set in the
     IA32_ARCH_CAPABILITIES MSR.

Whether a processor is affected or not can be read out from the MDS
vulnerability file in sysfs. See :ref:`mds_sys_info`.

Not all processors are affected by all variants of MDS, but the mitigation
is identical for all of them so the kernel treats them as a single
vulnerability.

Related CVEs
------------

The following CVE entries are related to the MDS vulnerability:

   ==============  =====  ===================================================
   CVE-2018-12126  MSBDS  Microarchitectural Store Buffer Data Sampling
   CVE-2018-12130  MFBDS  Microarchitectural Fill Buffer Data Sampling
   CVE-2018-12127  MLPDS  Microarchitectural Load Port Data Sampling
   CVE-2019-11091  MDSUM  Microarchitectural Data Sampling Uncacheable Memory
   ==============  =====  ===================================================

Problem
-------

When performing store, load, L1 refill operations, processors write data
into temporary microarchitectural structures (buffers). The data in the
buffer can be forwarded to load operations as an optimization.

Under certain conditions, usually a fault/assist caused by a failed load
operation, data unrelated to the load memory address can be speculatively
forwarded from the buffers. Because the load operation causes a fault or
assist and its result will be discarded, the forwarded data will not cause
incorrect program execution or state changes. But a malicious operation
may be able to forward this speculative data to a disclosure gadget, which
in turn allows the value to be inferred via a cache side channel attack.

Because the buffers are potentially shared between Hyper-Threads, cross
Hyper-Thread attacks are possible.
Deeper technical information is available in the MDS specific x86
architecture section: :ref:`Documentation/arch/x86/mds.rst <mds>`.


Attack scenarios
----------------

Attacks against the MDS vulnerabilities can be mounted from malicious non
privileged user space applications running on hosts or guests. Malicious
guest OSes can obviously mount attacks as well.

Contrary to other speculation based vulnerabilities, the MDS vulnerability
does not allow the attacker to control the memory target address. As a
consequence the attacks are purely sampling based, but as demonstrated with
the TLBleed attack, samples can be postprocessed successfully.

Web-Browsers
^^^^^^^^^^^^

  It's unclear whether attacks through Web-Browsers are possible at
  all. The exploitation through Java-Script is currently considered
  unlikely, but other widely used web technologies like Webassembly could
  possibly be abused.


.. _mds_sys_info:

MDS system information
-----------------------

The Linux kernel provides a sysfs interface to retrieve the current MDS
status of the system: whether the system is vulnerable, and which
mitigations are active. The relevant sysfs file is:

/sys/devices/system/cpu/vulnerabilities/mds

The possible values in this file are:

  .. list-table::

     * - 'Not affected'
       - The processor is not vulnerable
     * - 'Vulnerable'
       - The processor is vulnerable, but no mitigation enabled
     * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
       - The processor is vulnerable but microcode is not updated. The
         mitigation is enabled on a best effort basis.

         If the processor is vulnerable but the availability of the microcode
         based mitigation mechanism is not advertised via CPUID, the kernel
         selects a best effort mitigation mode. This mode invokes the mitigation
         instructions without a guarantee that they clear the CPU buffers.

         This is done to address virtualization scenarios where the host has the
         microcode update applied, but the hypervisor is not yet updated to
         expose the CPUID to the guest. If the host has updated microcode the
         protection takes effect; otherwise a few CPU cycles are wasted
         pointlessly.
     * - 'Mitigation: Clear CPU buffers'
       - The processor is vulnerable and the CPU buffer clearing mitigation is
         enabled.
If the processor is vulnerable then the following information is appended
to the above information:

    ========================  ============================================
    'SMT vulnerable'          SMT is enabled
    'SMT mitigated'           SMT is enabled and mitigated
    'SMT disabled'            SMT is disabled
    'SMT Host state unknown'  Kernel runs in a VM, Host SMT state unknown
    ========================  ============================================

Mitigation mechanism
-------------------------

The kernel detects the affected CPUs and the presence of the microcode
which is required.

If a CPU is affected and the microcode is available, then the kernel
enables the mitigation by default. The mitigation can be controlled at boot
time via a kernel command line option. See
:ref:`mds_mitigation_control_command_line`.

.. _cpu_buffer_clear:

CPU buffer clearing
^^^^^^^^^^^^^^^^^^^

  The mitigation for MDS clears the affected CPU buffers on return to user
  space and when entering a guest.

  If SMT is enabled it also clears the buffers on idle entry when the CPU
  is only affected by MSBDS and not any other MDS variant, because the
  other variants cannot be protected against cross Hyper-Thread attacks.

  For CPUs which are only affected by MSBDS the user space, guest and idle
  transition mitigations are sufficient and SMT is not affected.

.. _virt_mechanism:

Virtualization mitigation
^^^^^^^^^^^^^^^^^^^^^^^^^

  The protection for host to guest transition depends on the L1TF
  vulnerability of the CPU:

  - CPU is affected by L1TF:

    If the L1D flush mitigation is enabled and up to date microcode is
    available, the L1D flush mitigation is automatically protecting the
    guest transition.

    If the L1D flush mitigation is disabled then the MDS mitigation is
    invoked explicitly when the host MDS mitigation is enabled.

    For details on L1TF and virtualization see:
    :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <mitigation_control_kvm>`.

  - CPU is not affected by L1TF:

    CPU buffers are flushed before entering the guest when the host MDS
    mitigation is enabled.
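As an added example (not code from the kernel documentation), the following POSIX shell functions encode the host to guest decision described above: `mds_guest_state` takes the L1TF and MDS affectedness, the KVM L1D flush setting and the host MDS mitigation, and `sysfs_guest_state` derives those inputs for the running host from the sysfs vulnerability files and the `kvm_intel` `vmentry_l1d_flush` parameter. Assumptions of this script: the best effort sysfs state ("attempted, no microcode") is counted as host mitigation off, and an unreadable `vmentry_l1d_flush` (module not loaded) is treated as "n/a".

```shell
#!/bin/sh
# Added example, not part of the kernel documentation.
# mds_guest_state L1TF MDS VMX-L1FLUSH HOST-MDS
#   L1TF, MDS:   yes|no                 (is the CPU affected?)
#   VMX-L1FLUSH: enabled|disabled|n/a   (KVM L1D flush on guest entry)
#   HOST-MDS:    full|off               (host MDS mitigation, the mds= setting)
mds_guest_state() {
    l1tf=$1; mds=$2; l1flush=$3; hostmds=$4
    # A CPU that is not affected by MDS needs no host to guest protection.
    if [ "$mds" = no ]; then echo "Not affected"; return 0; fi
    # On an L1TF affected CPU the L1D flush on guest entry also covers MDS.
    if [ "$l1tf" = yes ] && [ "$l1flush" = enabled ]; then
        echo "Mitigated"; return 0
    fi
    # Otherwise the CPU buffers are cleared only when the host mitigation is on.
    if [ "$hostmds" = full ]; then echo "Mitigated"; else echo "Vulnerable"; fi
}

# Feed the running host into the decision above. Assumption: the kvm_intel
# parameter is only readable once the module is loaded; "n/a" otherwise.
sysfs_guest_state() {
    vuln=/sys/devices/system/cpu/vulnerabilities
    [ -r "$vuln/mds" ] && [ -r "$vuln/l1tf" ] || { echo "Unknown"; return 1; }
    l1tf=yes; grep -q '^Not affected' "$vuln/l1tf" && l1tf=no
    mds=yes;  grep -q '^Not affected' "$vuln/mds"  && mds=no
    # "Mitigation: Clear CPU buffers" means buffer clearing is in effect; the
    # best effort state ("attempted, no microcode") is counted as off here.
    hostmds=off; grep -q '^Mitigation:' "$vuln/mds" && hostmds=full
    l1flush=n/a
    param=/sys/module/kvm_intel/parameters/vmentry_l1d_flush
    if [ -r "$param" ]; then
        case "$(cat "$param")" in
            never)       l1flush=disabled ;;
            cond|always) l1flush=enabled ;;
        esac
    fi
    mds_guest_state "$l1tf" "$mds" "$l1flush" "$hostmds"
}

# Live check when run as: sh mds-guest-state.sh report
if [ "${1:-}" = report ]; then
    sysfs_guest_state
fi
```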
  The resulting MDS protection matrix for the host to guest transition:

  ============ ===== ============= ============ =================
   L1TF         MDS   VMX-L1FLUSH   Host MDS     MDS-State

   Don't care   No    Don't care    N/A          Not affected

   Yes          Yes   Disabled      Off          Vulnerable

   Yes          Yes   Disabled      Full         Mitigated

   Yes          Yes   Enabled       Don't care   Mitigated

   No           Yes   N/A           Off          Vulnerable

   No           Yes   N/A           Full         Mitigated
  ============ ===== ============= ============ =================

  This only covers the host to guest transition, i.e. it prevents leakage from
  host to guest, but does not protect the guest internally. Guests need to
  have their own protections.

.. _xeon_phi:

XEON PHI specific considerations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  The XEON PHI processor family is affected by MSBDS which can be exploited
  cross Hyper-Threads when entering idle states. Some XEON PHI variants allow
  the use of MWAIT in user space (Ring 3) which opens a potential attack vector
  for malicious user space. The exposure can be disabled on the kernel
  command line with the 'ring3mwait=disable' command line option.

  XEON PHI is not affected by the other MDS variants and MSBDS is mitigated
  before the CPU enters an idle state. As XEON PHI is not affected by L1TF
  either, disabling SMT is not required for full protection.

.. _mds_smt_control:

SMT control
^^^^^^^^^^^

  All MDS variants except MSBDS can be attacked cross Hyper-Threads. That
  means on CPUs which are affected by MFBDS or MLPDS it is necessary to
  disable SMT for full protection. These are most of the affected CPUs; the
  exception is XEON PHI, see :ref:`xeon_phi`.

  Disabling SMT can have a significant performance impact, but the impact
  depends on the type of workloads.

  See the relevant chapter in the L1TF mitigation section for details:
  :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.


.. _mds_mitigation_control_command_line:

Mitigation control on the kernel command line
---------------------------------------------

The kernel command line allows controlling the MDS mitigations at boot
time with the option "mds=".
The valid arguments for this option are:

  ============  =============================================================
  full          If the CPU is vulnerable, enable all available mitigations
                for the MDS vulnerability, CPU buffer clearing on exit to
                userspace and when entering a VM. Idle transitions are
                protected as well if SMT is enabled.

                It does not automatically disable SMT.

  full,nosmt    The same as mds=full, with SMT disabled on vulnerable
                CPUs. This is the complete mitigation.

  off           Disables MDS mitigations completely.

  ============  =============================================================

Not specifying this option is equivalent to "mds=full". For processors
that are affected by both TAA (TSX Asynchronous Abort) and MDS,
specifying just "mds=off" without an accompanying "tsx_async_abort=off"
will have no effect as the same mitigation is used for both
vulnerabilities.

Mitigation selection guide
--------------------------

1. Trusted userspace
^^^^^^^^^^^^^^^^^^^^

   If all userspace applications are from a trusted source and do not
   execute untrusted code which is supplied externally, then the mitigation
   can be disabled.


2. Virtualization with trusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   The same considerations as above versus trusted user space apply.

3. Virtualization with untrusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   The protection depends on the state of the L1TF mitigations.
   See :ref:`virt_mechanism`.

   If the MDS mitigation is enabled and SMT is disabled, guest to host and
   guest to guest attacks are prevented.

.. _mds_default_mitigations:

Default mitigations
-------------------

  The kernel default mitigations for vulnerable processors are:

  - Enable CPU buffer clearing

  The kernel does not by default enforce the disabling of SMT, which leaves
  SMT systems vulnerable when running untrusted code. The same rationale as
  for L1TF applies.
  See :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <default_mitigations>`.
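As an added example (not code from the kernel documentation), the following POSIX shell functions classify the line from `/sys/devices/system/cpu/vulnerabilities/mds` described in the system information section, read the `mds=` and `tsx_async_abort=` boot options from the kernel command line, and report whether a host that runs untrusted user space or guests (cases 1 and 3 of the selection guide) has the complete mitigation, i.e. buffer clearing with SMT disabled. The sysfs strings and option names are the ones from this document; the verdict wording and the "fully protected" criterion are this script's own.

```shell
# Added example, not part of the kernel documentation: classify the MDS sysfs
# line plus /proc/cmdline and say whether an untrusted-code host is protected.

# Protection level encoded in the part of the sysfs line before the ';'.
mds_level() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo best-effort ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# SMT state appended after the ';' on affected CPUs ("none" when absent).
mds_smt() {
    case "$1" in
        *"SMT vulnerable"*) echo vulnerable ;;  *"SMT mitigated"*)          echo mitigated ;;
        *"SMT disabled"*)   echo disabled ;;    *"SMT Host state unknown"*) echo unknown ;;
        *)                  echo none ;;
    esac
}

# has_opt CMDLINE OPTION: true when OPTION (e.g. mds=off) is a boot option.
has_opt() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# mds_assess SYSFS-LINE CMDLINE: prints a verdict, returns 0 if fully protected.
mds_assess() {
    level=$(mds_level "$1"); smt=$(mds_smt "$1")
    case "$level" in
        not-affected) echo "ok: CPU not affected"; return 0 ;;
        vulnerable)
            if has_opt "$2" mds=off; then echo "vulnerable: disabled by mds=off"
            else echo "vulnerable: no mitigation (kernel or microcode too old)"; fi
            return 1 ;;
        best-effort) echo "partial: buffers cleared without microcode guarantee"; return 1 ;;
        unknown)     echo "unknown sysfs value: $1"; return 1 ;;
    esac
    # mds=off without tsx_async_abort=off is ignored on CPUs also affected by
    # TAA, because both vulnerabilities share the buffer clearing mitigation.
    if has_opt "$2" mds=off && ! has_opt "$2" tsx_async_abort=off; then
        echo "note: mds=off had no effect, mitigation kept for TAA"
    fi
    # Cross Hyper-Thread leakage needs SMT off, or "SMT mitigated" (MSBDS only).
    case "$smt" in
        disabled|mitigated) echo "ok: CPU buffers cleared, SMT $smt"; return 0 ;;
        *) echo "partial: SMT $smt, use mds=full,nosmt for full protection"; return 1 ;;
    esac
}
```

To check the running host, source the file and call `mds_assess "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" "$(cat /proc/cmdline)"`; the exit status is 0 only for the complete mitigation or an unaffected CPU.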