Update kernel to mitigate new MDS attacks
A very severe collection of Spectre-class hardware security vulnerabilities has been discovered which allows reading arbitrary memory. Existing Spectre defenses do not mitigate them. The only mitigation is to install new microcode updates (which add new behavior to a CPU instruction) and kernel updates (which call those instructions at each context switch). It’s also unfortunately quite necessary to disable SMT (Hyper-Threading). On updated kernels, this can be done with mds=full,nosmt on the kernel command line. Until this is done, arbitrary memory reads are possible in Tails, potentially even from the Browser.
A proof-of-concept was also shown specifically for Tails.
See https://cpu.fail/ and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more information.
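As an added example (not part of this ticket or of Tails), the following POSIX shell functions classify the MDS status line the kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds and check whether the kernel command line carries the mds=full,nosmt option mentioned above. The status strings are the ones documented in the linked kernel admin guide; the verdict names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Classify the MDS sysfs status line. Only "Not affected" and a mitigated
# state with SMT disabled are treated as acceptable (return 0), matching
# the requirement in this ticket that SMT be turned off.
mds_verdict() {
    status="$1"   # contents of /sys/devices/system/cpu/vulnerabilities/mds
    case "$status" in
        "Not affected")
            verdict=not-affected; rc=0 ;;
        "Mitigation: Clear CPU buffers; SMT disabled")
            verdict=mitigated-smt-off; rc=0 ;;
        "Mitigation: Clear CPU buffers; SMT mitigated")
            verdict=mitigated-smt-on; rc=1 ;;          # kernel says mitigated, but SMT is still on
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            verdict=smt-vulnerable; rc=1 ;;            # updated kernel, SMT left enabled
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
            verdict=host-smt-unknown; rc=1 ;;          # running in a VM; host decides
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            verdict=vulnerable-no-microcode; rc=1 ;;   # kernel updated, microcode missing
        Vulnerable*)
            verdict=vulnerable; rc=1 ;;
        *)
            verdict=unknown; rc=1 ;;
    esac
    echo "$verdict"
    return "$rc"
}

# Return 0 when the (space-separated) kernel command line contains the
# exact token mds=full,nosmt; "mds=full" alone does not count.
cmdline_requests_nosmt() {
    case " $1 " in
        *" mds=full,nosmt "*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Live check, skipped when sysfs is not available (e.g. in a container).
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
    mds_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" || true
    if cmdline_requests_nosmt "$(cat /proc/cmdline)"; then
        echo "cmdline: mds=full,nosmt present"
    else
        echo "cmdline: mds=full,nosmt absent"
    fi
fi
```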
Feature Branch: bugfix/16720-linux-4.19.37-nosmt+force-all-tests
Related issues
- Blocks #16209
- Blocked by #16708 (closed)
Original created by @cypherpunks on 16720 (Redmine)