The error message says to check:

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.

But I'm not 100% sure how to fix it.

I looked in /etc/default/intel-microcode and found this:

# Configuration script for intel-microcode version 3

#
# initramfs helper
#

# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
# IUCODE_TOOL_INITRAMFS=auto

# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
# IUCODE_TOOL_SCANCPUS=yes

# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""

which I changed to this:

# Configuration script for intel-microcode version 3

#
# initramfs helper
#

# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
IUCODE_TOOL_INITRAMFS=auto

# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
IUCODE_TOOL_SCANCPUS=yes

# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""

Previously, I turned off hyper threading in the BIOS and I also changed the settings in /etc/default/grub to this:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash maxcpus=6"

As I have six physical CPUs on my machine.

Tex Morgan
  • Status please... – heynnema Jul 15 '20 at 14:14
  • There's no need to enable these options explicitly in `/etc/default/intel-microcode`, if their values are the same as defaults. `/usr/share/initramfs-tools/hooks/intel_microcode` shows that `IUCODE_TOOL_INITRAMFS=auto` and `IUCODE_TOOL_SCANCPUS=yes` will be active if no actions were taken. – whtyger Dec 22 '21 at 09:52

2 Answers

Note: Undo your previous edits to /etc/default/intel-microcode and /etc/default/grub.

Mitigation control on the kernel command line

The kernel command line allows to control the MDS mitigations at boot time with the option “mds=”. The valid arguments for this option are:

full

If the CPU is vulnerable, enable all available mitigations for the MDS vulnerability, CPU buffer clearing on exit to userspace and when entering a VM. Idle transitions are protected as well if SMT is enabled.

It does not automatically disable SMT.

full,nosmt

The same as mds=full, with SMT disabled on vulnerable CPUs. This is the complete mitigation.

off

Disables MDS mitigations completely.


sudo -H gedit /etc/default/grub

Change:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

To:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mds=full,nosmt"

Save the file and quit gedit.

sudo update-grub

reboot

Note: Understand that you'll take a HUGE performance hit on multi-cpu or multi-core configurations.

Note: If the performance hit is too great, try mds=full instead of mds=full,nosmt.

heynnema
  • Thank you for getting back to me on this. I'll try it tonight. I've already disabled hyper-threading, which I thought would have resolved this, but didn't until I used my configurations. Is there a way to solve this with hyper-threading enabled or is that just out of the question? – Tex Morgan Jun 19 '20 at 16:17
  • @TexMorgan I don't know how/if hyper-threading effects any of this. I'd re-enable HT, and just try this fix, and see if it solves the problem by itself. – heynnema Jun 19 '20 at 17:58
  • I tried your fix with just full and I'm still getting the issue. I'm going to try it with nosmt to see if that works. I may have to go back to a combination of this and the microcode updates, but time will tell. – Tex Morgan Jun 22 '20 at 15:52
  • @TexMorgan Use `mds=full,nosmt`, no spaces. In recent Ubuntu versions, I think they actually fixed this with either CPU microcode updates, or changes in the kernel. What version Ubuntu are you running? – heynnema Jun 22 '20 at 16:27
  • @heynnema The MDS CPU Bug is still present in the kernel log. Is this this boot option 'full,nosmt' still required with the current intel-microcode version 3.20210608.0ubuntu0.20.04.1 ? – 2IRN Jul 24 '21 at 17:56
  • @2IRN I don't know. "full,nosmt" generally gives you a huge performance hit. – heynnema Jul 24 '21 at 18:21
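The GRUB edit in heynnema's answer is done by hand in gedit; as an added example (not code from the answer or from Ubuntu), here is a POSIX shell function that makes the same change idempotently: it removes any existing `mds=` word from `GRUB_CMDLINE_LINUX_DEFAULT` before appending the new one, so switching between `mds=full` and `mds=full,nosmt` never leaves two copies of the option. The function names `set_grub_mds` and `grub_cmdline_default`, and the sample file contents, are constructed for the demonstration; the function assumes the Ubuntu layout of a single double-quoted value on one line. It writes back with `cat` rather than `mv` so the original file's mode and owner are kept, and `sudo update-grub` is still needed afterwards, exactly as the answer says.

```shell
#!/bin/sh
# Added example (not from the answers above): rewrite the mds= option inside
# GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file, idempotently.
# Assumes the Ubuntu layout: one line, double-quoted value, e.g.
#   GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

# set_grub_mds FILE VALUE   e.g. set_grub_mds /etc/default/grub full,nosmt
# Any existing mds=... word is dropped first, then mds=VALUE is appended, so
# running it twice (or switching full -> full,nosmt) never duplicates the option.
set_grub_mds() {
    file=$1
    value=$2
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="/, "", line)   # strip key and opening quote
            sub(/"[[:space:]]*$/, "", line)                  # strip closing quote
            n = split(line, w, " ")
            out = ""
            for (i = 1; i <= n; i++) {
                if (w[i] ~ /^mds=/) continue                 # drop any old mds= word
                out = out (out == "" ? "" : " ") w[i]
            }
            out = out (out == "" ? "" : " ") "mds=" val
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            next
        }
        { print }                                            # every other line unchanged
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back through the existing inode so mode and ownership are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the current GRUB_CMDLINE_LINUX_DEFAULT value without its quotes.
grub_cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Demonstration on a constructed copy, never on the real /etc/default/grub.
demo=$(mktemp)
printf '%s\n' 'GRUB_DEFAULT=0' \
              'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mds=full"' \
              'GRUB_CMDLINE_LINUX=""' > "$demo"
set_grub_mds "$demo" full,nosmt
echo "after: $(grub_cmdline_default "$demo")"   # quiet splash mds=full,nosmt
rm -f "$demo"
```

Pointing the function at the real file is `sudo sh -c '. ./set_grub_mds.sh; set_grub_mds /etc/default/grub full,nosmt'` followed by `sudo update-grub`; checking `grub_cmdline_default /etc/default/grub` before rebooting confirms that exactly one `mds=` option is present and that it has no spaces, which is the mistake the comments above warn about.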

According to Intel's Security Advisor Bulletin, in order to mitigate this issue you should update the CPU microcode. This vulnerability was fixed by the 20190514 update of microcode. You can check the current version of the package which installs microcode in your system with the dpkg -s intel-microcode command. If its number is greater, then you're OK.

Also update your BIOS to the most recent version, but this step is vendor-specific. You can check recommendations for several vendors at Intel site here.

Both these steps together should mitigate this vulnerability in some cases. But if the output of dmesg | grep 'data leak' still shows info about 'MDS CPU bug', then it wasn't mitigated fully. You can check by cat /sys/devices/system/cpu/vulnerabilities/mds which components of your system are still affected.

In this case you should consider disabling Hyper-Threads completely. But be aware that this may cause a performance penalty, as @heynnema mentioned in his answer.

Read the Ubuntu KnowledgeBase Article which describes this vulnerability in detail.

So there's no universal answer; it depends on the use case. You can mitigate it at the cost of performance or leave it as is (Intel states that "practical exploitation of MDS is a very complex undertaking").

whtyger
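Both answers end with things to check after a reboot: heynnema's `mds=` option on the kernel command line, and whtyger's sysfs status file and `dpkg -s intel-microcode` version. As an added example (not code from either answer), the script below turns those checks into small POSIX shell functions that work on strings, so they can be exercised on constructed sample lines here and then fed the live values from `/proc/cmdline`, `/sys/devices/system/cpu/vulnerabilities/mds` and `dpkg`. The status strings it matches are the ones documented in the kernel's admin-guide page linked in the question; the function names, the verdict format and the sample lines are constructed, and the `20190514` threshold is the microcode release whtyger's answer cites. The `SMT vulnerable` case is the one the question is hitting: buffers are cleared, but the kernel still reports the bug because SMT is active.

```shell
#!/bin/sh
# Added example (not from the answers above): helpers that check the MDS sysfs
# status, the mds= kernel option, and the intel-microcode package version.

# Classify a line in the format of /sys/devices/system/cpu/vulnerabilities/mds
# (strings as documented in admin-guide/hw-vuln/mds.html):
#   none       - CPU not affected
#   full       - buffers cleared and SMT disabled or mitigated
#   partial    - buffers cleared but SMT still vulnerable (or unknown under a hypervisor)
#   vulnerable - no working mitigation, e.g. microcode missing
classify_mds() {
    case "$1" in
        "Not affected") echo none ;;
        Vulnerable*) echo vulnerable ;;
        "Mitigation: Clear CPU buffers; SMT disabled"|"Mitigation: Clear CPU buffers; SMT mitigated") echo full ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"|"Mitigation: Clear CPU buffers; SMT Host state unknown") echo partial ;;
        *) echo unknown ;;
    esac
}

# Print the value of mds= from a /proc/cmdline-style string, or "unset".
mds_cmdline_option() {
    for word in $1; do
        case "$word" in
            mds=*) echo "${word#mds=}"; return 0 ;;
        esac
    done
    echo unset
}

# Extract the YYYYMMDD release field from the "Version:" line of
# `dpkg -s intel-microcode` (Ubuntu versions look like 3.20210608.0ubuntu0.20.04.1).
microcode_release_date() {
    v=${1#Version: }
    v=${v#*.}                 # drop the leading "3."
    printf '%s\n' "${v%%.*}"  # keep only the date field
}

# Succeed when the release field is a date on or after 20190514, the microcode
# release whtyger's answer names as the one carrying the MDS fix.
microcode_covers_mds() {
    d=$(microcode_release_date "$1")
    case "$d" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) [ "$d" -ge 20190514 ] ;;
        *) return 2 ;;        # not a plain date field (or no package): cannot tell
    esac
}

# One-line verdict: $1 sysfs line, $2 kernel command line, $3 dpkg Version line.
mds_verdict() {
    status=$(classify_mds "$1")
    opt=$(mds_cmdline_option "$2")
    if microcode_covers_mds "$3"; then ucode=ok; else ucode=not-confirmed; fi
    printf 'mds=%s status=%s microcode=%s\n' "$opt" "$status" "$ucode"
}

# Constructed sample input (not captured from any real machine): mitigation on,
# SMT still enabled, microcode new enough. This is the "still shows MDS CPU bug"
# situation from the question.
sample_sysfs='Mitigation: Clear CPU buffers; SMT vulnerable'
sample_cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet splash mds=full'
sample_dpkg='Version: 3.20210608.0ubuntu0.20.04.1'
mds_verdict "$sample_sysfs" "$sample_cmdline" "$sample_dpkg"
# -> mds=full status=partial microcode=ok

# On a live Ubuntu system the same functions take the real values.
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ] && [ -r /proc/cmdline ]; then
    mds_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" \
                "$(cat /proc/cmdline)" \
                "$(dpkg -s intel-microcode 2>/dev/null | grep '^Version:')"
fi
```

A `status=partial` verdict with `mds=full` is the expected outcome of heynnema's fallback advice (`mds=full` without `nosmt`): the kernel clears buffers on the user/kernel and VM transitions but still reports the bug in dmesg because a sibling thread can run concurrently. Only `status=full` (from `mds=full,nosmt` or SMT disabled in firmware) clears the warning, which is the performance trade-off both answers describe.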