#1 2021-12-21 21:28:56

docFarto
Member
Registered: 2021-11-18
Posts: 24

MDS SMT vulnerability on Intel CPU Lenovo thinkpad system

I am running Arch on my Lenovo Thinkpad Yoga 260
CPU: Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz

When examining my journalctl, I saw a warning about vulnerabilities; it directed me to this site: https://www.kernel.org/doc/html/latest/ … mmand-line

I installed intel-ucode and updated grub

sudo pacman -S intel-ucode
grub-mkconfig -o /boot/grub/grub.cfg

this got rid of the warning, but when I check
/sys/devices/system/cpu/vulnerabilities/mds
it says

Mitigation: Clear CPU buffers; SMT vulnerable

So I tried adding some kernel parameters to control MDS mitigation as per the website

vim /etc/default/grub
....
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet mds=full,nosmt"
....
grub-mkconfig -o /boot/grub/grub.cfg

/sys/devices/system/cpu/vulnerabilities/mds now says

Mitigation: Clear CPU buffers; SMT disabled

so I tried

vim /etc/default/grub
....
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet mds=off"
....
grub-mkconfig -o /boot/grub/grub.cfg

and /sys/devices/system/cpu/vulnerabilities/mds now says

Vulnerable; SMT vulnerable

Sooo I don't fully understand how this vulnerability works, or the best way to get rid of this vulnerability.
It seems like turning off SMT is a good idea, but it might cause performance issues. But it appears CPU buffer clearing mitigation is enabled and my processor is still vulnerable

the website says

"If the processor is vulnerable, but the availability of the microcode based mitigation mechanism is not advertised via CPUID the kernel selects a best effort mitigation mode. This mode invokes the mitigation instructions without a guarantee that they clear the CPU buffers."

What is a CPUID in this context? Is there a way I can specify another mitigation mode to protect my cpu?

Last edited by docFarto (2021-12-21 21:47:46)


#2 2021-12-21 21:57:20

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,999

Re: MDS SMT vulnerability on Intel CPU Lenovo thinkpad system

docFarto wrote:

/sys/devices/system/cpu/vulnerabilities/mds now says

Mitigation: Clear CPU buffers; SMT disabled

That output indicates the full mitigation is applied.

Note though that is only a mitigation and so does not provide complete protection. For that you'll need a better processor.

From my AMD system:

archie:~$ cat /sys/devices/system/cpu/vulnerabilities/mds
Not affected
archie:~$

:D


Jin, Jîyan, Azadî
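
The status lines quoted in this thread can be decoded mechanically; the following is an added example, not code from either poster or from the kernel project. The function name `mds_classify` and its output labels are made up here, the status strings not quoted in the thread ("Clear CPU buffers attempted, no microcode", "SMT mitigated", "SMT Host state unknown") are the ones listed in the kernel's MDS admin guide, and `md_clear` is the `/proc/cpuinfo` flag the kernel shows when the microcode advertises the buffer-clearing capability via CPUID.

```shell
#!/bin/sh
# Decode one status line from /sys/devices/system/cpu/vulnerabilities/mds.
# $1 = status line; $2 = "flags" line from /proc/cpuinfo (optional).
# mds_classify and its output labels are hypothetical names for this example.
mds_classify() {
    status=$1
    flags=${2:-}
    case $status in
        "Not affected") echo "not-affected"; return 0 ;;
        # Best-effort mode: clearing is attempted without microcode support.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) buffers="best-effort" ;;
        "Vulnerable"*) buffers="off" ;;
        "Mitigation: Clear CPU buffers"*) buffers="cleared" ;;
        *) echo "unknown"; return 1 ;;
    esac
    case $status in
        *"; SMT disabled") smt="smt-off" ;;
        *"; SMT mitigated") smt="smt-mitigated" ;;
        *"; SMT vulnerable") smt="smt-on" ;;
        *"; SMT Host state unknown") smt="smt-unknown" ;;
        *) smt="smt-unreported" ;;
    esac
    # md_clear present means the loaded microcode advertises the capability.
    if [ -z "$flags" ]; then
        ucode="md_clear-unchecked"
    else
        case " $flags " in
            *" md_clear "*) ucode="md_clear" ;;
            *) ucode="no-md_clear" ;;
        esac
    fi
    echo "$buffers $smt $ucode"
}

# Constructed sample input: the status lines quoted in this thread.
for s in "Mitigation: Clear CPU buffers; SMT vulnerable" \
         "Mitigation: Clear CPU buffers; SMT disabled" \
         "Vulnerable; SMT vulnerable" \
         "Not affected"; do
    printf '%-48s -> %s\n' "$s" "$(mds_classify "$s")"
done

# Live check on the running machine, where the sysfs file exists.
f=/sys/devices/system/cpu/vulnerabilities/mds
if [ -r "$f" ]; then
    mds_classify "$(cat "$f")" "$(grep -m1 '^flags' /proc/cpuinfo || true)" || true
fi
```

A result of `cleared smt-on md_clear` corresponds to the first state in the thread: buffer clearing is active with microcode support, and only the sibling-thread exposure remains.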


#3 2021-12-21 23:37:58

docFarto
Member
Registered: 2021-11-18
Posts: 24

Re: MDS SMT vulnerability on Intel CPU Lenovo thinkpad system

thanks for the reply and output!

Head_on_a_Stick wrote:

Note though that is only a mitigation and so does not provide complete protection

the webpage seems to imply that there are different mitigation modes

if the processor is vulnerable, but the availability of the microcode based mitigation mechanism is not advertised via CPUID the kernel selects a best effort mitigation mode

Are there ways I could change the mitigation mode specifically to reduce the vulnerability? Or is it something that is being dealt with the best it can be, without using a different processor?

Also is turning off SMT a good idea to protect myself? Am I still vulnerable with it off?
If I am not online and don't have any malicious programs installed, am I safe from this vulnerability?


#4 2021-12-22 08:44:27

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 25,104

Re: MDS SMT vulnerability on Intel CPU Lenovo thinkpad system

The only way this can be used is in an intentional malicious way, if you are not online and have a relatively good trust in the application you are running then this vulnerability has absolutely no effect on you, even in the "vulnerable" state.

FWIW these issues are largely a problem for cloud providers where multiple "untrusted" virtual machines with full root access share a single physical device and the possibility exists that someone could try and sniff sensitive information from a VM "not belonging" to them. On your normal physical workstation with no public services access the biggest danger is the browser but as far as I'm aware there have been mitigations against these by both the kernel and the browser vendors that make using them as an attack vector for these specific vulns unfeasible, assuming they are sufficiently up to date.

I'd personally not want to take the perf hit from disabling SMT, but these are ultimately decisions you have to make for yourself if you assume you're under threat of such an attack.

Last edited by V1del (2021-12-22 09:57:31)


#5 2021-12-22 18:19:04

docFarto
Member
Registered: 2021-11-18
Posts: 24

Re: MDS SMT vulnerability on Intel CPU Lenovo thinkpad system

Thank you, that makes sense with everything I read. Sometimes it's good to have someone spell it out for you.

And yeah after a day of no smt, I do really notice the performance lag even on simple tasks.

Thanks all
