SOLVED Correct way to mitigate the MDS CPU bug present and SMT on?

Daisuke

I created NAS-119450. I see this error in my Dell R720xd Bluefin 22.12.0 dmesg output:
Code:
# dmesg | grep 'data leak'
[    0.434138] MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
# cat /sys/devices/system/cpu/vulnerabilities/mds
Mitigation: Clear CPU buffers; SMT vulnerable

What's the correct way to apply in Bluefin the change:
Code:
GRUB_CMDLINE_LINUX_DEFAULT="quiet mds=full,nosmt"

I don't see anything relevant in /etc/grub.d. Running on the latest BIOS release, I did some research and setting mds=full,nosmt will minimally impact performance. Attacks against the MDS vulnerabilities can be mounted from malicious non-privileged user space applications running on hosts or guests. Malicious guest OSes can obviously mount attacks as well.

intel-microcode is newer than 20190514, so this issue should be already fixed. MDS mitigation should be enabled by default after booting the system with current kernel and intel-microcode packages.
Code:
# dpkg -s intel-microcode
Package: intel-microcode
Status: install ok installed
Priority: standard
Section: non-free/admin
Installed-Size: 5809
Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Architecture: amd64
Version: 3.20220510.1~deb11u1
Depends: iucode-tool (>= 1.0)
Recommends: initramfs-tools (>= 0.113~)
Conflicts: microcode.ctl (<< 0.18~0)
Conffiles:
 /etc/default/intel-microcode 6a68a0e6e2d2ef001f1a374ece3c8558
 /etc/kernel/preinst.d/intel-microcode 4324b7d12701909b3a76bb5c6468a571
 /etc/modprobe.d/intel-microcode-blacklist.conf 71327241f6583b34944e638a955aba91
Description: Processor microcode firmware for Intel CPUs
 This package contains updated system processor microcode for
 Intel i686 and Intel X86-64 processors.  Intel releases microcode
 updates to correct processor behavior as documented in the
 respective processor specification updates.
 .
 For AMD processors, please refer to the amd64-microcode package.
Homepage: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
 

Daisuke

The fix for disabling hyper-threading in Scale OS is:
Code:
# cli -c 'system advanced update kernel_extra_options="mds=full,nosmt"'
# dmesg | grep 'data leak'

I ended up disabling hyper-threading in my Dell R720xd by setting the Logical Processor setting to Disabled. It achieves the same result. IMO, disabling hyper-threading also ensures consistent application performance.
 
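The thread above checks the mitigation state by hand with `cat /sys/devices/system/cpu/vulnerabilities/mds` and `dmesg`. As an added example (not code from the thread or from TrueNAS), here is a small POSIX sh script that classifies the strings the kernel publishes in that sysfs file and in /sys/devices/system/cpu/smt/active, and reports whether `mds=full,nosmt` is present on the running kernel command line. The vulnerability strings follow the kernel's admin-guide/hw-vuln/mds document; the verdict names (`covered`, `smt-exposed`, `no-microcode`, ...) and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example: classify the MDS mitigation state of a Linux host from the
# strings the kernel exposes, so an operator can see whether SMT still leaves
# the machine exposed after the microcode and kernel updates are in place.

# mds_state MDS_STRING SMT_ACTIVE
#   MDS_STRING : contents of /sys/devices/system/cpu/vulnerabilities/mds
#   SMT_ACTIVE : contents of /sys/devices/system/cpu/smt/active (1 = on, 0 = off)
# Prints one verdict (names chosen for this example):
#   not-affected | covered | smt-exposed | no-microcode | unmitigated | unknown
mds_state() {
    mds="$1"
    smt="$2"
    case "$mds" in
        "Not affected")                 echo "not-affected" ;;
        # Buffer clearing was requested but the CPU lacks the microcode for it.
        Vulnerable*"no microcode"*)     echo "no-microcode" ;;
        Vulnerable*)                    echo "unmitigated" ;;
        # The state reported in the thread: buffers cleared, but sibling
        # threads can still observe each other.
        Mitigation:*"SMT vulnerable"*)  echo "smt-exposed" ;;
        Mitigation:*"SMT disabled"*)    echo "covered" ;;
        Mitigation:*"SMT mitigated"*)   echo "covered" ;;
        Mitigation:*)
            # e.g. "SMT Host state unknown" inside a guest: fall back on the
            # live SMT switch, which only the host can really answer.
            if [ "$smt" = "1" ]; then echo "smt-exposed"; else echo "covered"; fi ;;
        *)                              echo "unknown" ;;
    esac
}

# cmdline_has_nosmt CMDLINE : prints yes/no for "mds=full,nosmt" in a kernel
# command line such as the contents of /proc/cmdline
cmdline_has_nosmt() {
    for word in $1; do
        case "$word" in
            mds=full,nosmt) echo "yes"; return 0 ;;
        esac
    done
    echo "no"
}

# check_live_host : read the real sysfs/proc files when they exist; does
# nothing on systems (or sandboxes) that do not expose them.
check_live_host() {
    mds_file=/sys/devices/system/cpu/vulnerabilities/mds
    smt_file=/sys/devices/system/cpu/smt/active
    if [ -r "$mds_file" ]; then
        smt=0
        if [ -r "$smt_file" ]; then
            smt=$(cat "$smt_file")
        fi
        mds=$(cat "$mds_file")
        printf 'MDS: %s -> %s\n' "$mds" "$(mds_state "$mds" "$smt")"
        if [ -r /proc/cmdline ]; then
            printf 'mds=full,nosmt on cmdline: %s\n' \
                "$(cmdline_has_nosmt "$(cat /proc/cmdline)")"
        fi
    fi
}

check_live_host
```

Run it as root or any user (the sysfs files are world-readable). A verdict of `smt-exposed` with `mds=full,nosmt on cmdline: no` is the situation the original post describes; after adding the option through `cli -c 'system advanced update kernel_extra_options=...'` and rebooting, or after disabling Logical Processor in the BIOS, the same run should report `covered`.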