DragonFlyBSD/src cd89a7c: sys/cpu/x86_64/include asmacros.h specialreg.h, sys/dev/misc/cpuctl cpuctl.c

kernel - Add MDS mitigation support for Intel side-channel attack

* Add MDS (Microarchitectural Data Sampling) attack mitigation to
  the kernel.  This is an attack against Intel CPUs made from 2011
  to date.  The attack is not currently known to work against AMD CPUs.

  With an Intel microcode update the mitigation can be enabled with

  sysctl machdep.mds_mitigation=MD_CLEAR

* Without the Intel microcode update, only disabling hyper-threading
  gives you any protection.  Older architectures might not get
  support.  If sysctl machdep.mds_support does not show support,
  then the currently loaded microcode does not have support for the
  feature.

* DragonFlyBSD only supports the MD_CLEAR mode, and it will only
  be available with a microcode update from Intel.

  Updating the microcode alone does not protect against the attack.
  The microcode must be updated AND the mode must be turned on in
  DragonFlyBSD to protect against the attack.

  This mitigation burns around 250nS of additional latency on kernel->user
  transitions (system calls and interrupts primarily).  The additional
  latency will not be present if the microcode has support but it is disabled
  in the kernel, so you should be able to safely update your microcode
  even if you do not intend to use the mitigation.

* It is unclear whether the microcode + mitigation completely protects
  the machine.  The attack is supposedly a sibling hyper-thread
  attack and it may be that the only way to completely protect your
  machine is to disable hyper-threading entirely.  Or buy AMD.

Templated-from: NetBSD
Delta      File
+398 -9    sys/platform/pc64/x86_64/vm_machdep.c
+24 -10    sys/cpu/x86_64/include/asmacros.h
+17 -0     sys/cpu/x86_64/include/specialreg.h
+2 -2      sys/dev/misc/cpuctl/cpuctl.c
+1 -0      sys/platform/pc64/include/pcb.h
+1 -0      sys/platform/pc64/x86_64/genassym.c
+443 -21   6 files
