-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update

Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain
                Intel CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities. Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port
and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).

  Intel TSX Updates (TAA)             CVE-2019-11135
  Voltage Modulation Vulnerability    CVE-2019-11139
  MD_CLEAR Operations                 CVE-2018-12126
                                      CVE-2018-12127
                                      CVE-2018-12130
                                      CVE-2018-11091
  TA Indirect Sharing                 CVE-2017-5715
  EGETKEY                             CVE-2018-12126
                                      CVE-2018-12127
                                      CVE-2018-12130
                                      CVE-2018-11091
  JCC                                 SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups. Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users. Please refer to the security
advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.

*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data

or

# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.

Updated microcode adds the ability to disable TSX. With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
0x10a MSR is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled. The only remedy available is to
enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
performance impact. Updates to prior versions of LLVM are currently being
evaluated.

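The manual checks in sections IV and V (CPUID leaf 7 for TSX presence and for
the 0x10a MSR, then MSR 0x10a bits 8 and 7 to choose between "nothing to do",
"disable TSX via MSR 0x122" and "enable hw.mds_disable") form one decision
procedure. The script below is an added example and is not part of the
advisory or of FreeBSD; it assumes the cpucontrol(8) output formats
"cpuid level 0x7: 0xEAX 0xEBX 0xECX 0xEDX" and "MSR 0x10a: 0xHIGH 0xLOW"
(high 32 bits first), and the sample lines it ships with are constructed,
not captured from real hardware. The decision logic works on text lines so
it can be checked anywhere; the live probe (--live) is the only part that
needs a FreeBSD host with root and cpuctl(4).

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: turn the manual TAA
# checks from sections IV and V into one decision procedure over
# cpucontrol(8) output.  Only probe_live (invoked with --live) touches the
# hardware; everything else works on text lines.
#
# Assumed cpucontrol(8) output formats (an assumption, not from the advisory):
#   cpuid level 0x7: 0xEAX 0xEBX 0xECX 0xEDX
#   MSR 0x10a: 0xHIGH 0xLOW

# nth_word N "LINE" -> N-th whitespace-separated word of LINE (1-based)
nth_word() {
    _n=$1
    shift
    set -- $1
    while [ "$_n" -gt 1 ]; do
        shift
        _n=$((_n - 1))
    done
    printf '%s\n' "$1"
}

# has_bits VALUE MASK -> success iff every bit of MASK is set in VALUE
has_bits() {
    [ $(( ($1 & $2) == $2 )) -eq 1 ]
}

# tsx_present "CPUID7_LINE" -> yes|no   (section IV: EBX bits 4 and 11 set)
tsx_present() {
    if has_bits "$(nth_word 5 "$1")" $((0x10 | 0x800)); then echo yes; else echo no; fi
}

# arch_caps_msr_present "CPUID7_LINE" -> yes|no   (section V: EDX bit 29 set)
arch_caps_msr_present() {
    if has_bits "$(nth_word 7 "$1")" 0x20000000; then echo yes; else echo no; fi
}

# taa_action "CPUID7_LINE" "MSR_10A_LINE" -> one of
#   tsx-absent      TSX is not present, so the TAA steps do not apply
#   not-vulnerable  MSR 0x10a bit 8 set: no further action required
#   mds-mitigation  no TSX_CTRL support: sysctl hw.mds_disable=1
#   disable-tsx     updated microcode present: cpucontrol -m 0x122=3 per CPU
# MSR_10A_LINE may be empty when the MSR is absent or could not be read;
# that case falls back to the MDS mitigation, the only remedy left.
taa_action() {
    cpuid7=$1
    msr10a=$2
    [ "$(tsx_present "$cpuid7")" = yes ] || { echo tsx-absent; return; }
    [ "$(arch_caps_msr_present "$cpuid7")" = yes ] || { echo mds-mitigation; return; }
    [ -n "$msr10a" ] || { echo mds-mitigation; return; }
    low=$(nth_word 4 "$msr10a")   # low 32 bits of the 0x10a MSR
    if has_bits "$low" 0x100; then
        echo not-vulnerable
    elif has_bits "$low" 0x80; then
        echo disable-tsx
    else
        echo mds-mitigation
    fi
}

# probe_live: run the advisory's commands on this host (FreeBSD, root) and
# apply the action they call for.
probe_live() {
    kldload -n cpuctl
    cpuid7=$(cpucontrol -i 7 /dev/cpuctl0)
    msr10a=""
    if [ "$(arch_caps_msr_present "$cpuid7")" = yes ]; then
        msr10a=$(cpucontrol -m 0x10a /dev/cpuctl0)
    fi
    action=$(taa_action "$cpuid7" "$msr10a")
    echo "recommended action: $action"
    case $action in
    disable-tsx)
        # Step 4 of section V, repeated for each numbered CPU present.
        for dev in /dev/cpuctl[0-9]*; do
            cpucontrol -m 0x122=3 "$dev"
        done ;;
    mds-mitigation)
        sysctl hw.mds_disable=1 ;;
    esac
}

# Constructed sample lines (not captured from real hardware): TSX present,
# 0x10a MSR present, bit 8 clear (vulnerable), bit 7 set (TSX can be disabled).
SAMPLE_CPUID7='cpuid level 0x7: 0x00000000 0x029c6fbf 0x00000000 0xbc000000'
SAMPLE_MSR10A='MSR 0x10a: 0x00000000 0x0000008b'

case "${1:-}" in
--live) probe_live ;;
*) echo "sample decision: $(taa_action "$SAMPLE_CPUID7" "$SAMPLE_MSR10A")" ;;
esac
```

Run without arguments it evaluates the constructed sample and prints
"sample decision: disable-tsx"; with --live it performs the real probe and,
for the disable-tsx case, writes MSR 0x122 on every /dev/cpuctlN device, as
step 4 of section V requires. An empty or unreadable MSR line deliberately
resolves to the MDS mitigation rather than to "not vulnerable".
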
VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11091>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
<URL:https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/>
<URL:https://software.intel.com/security-software-guidance/software-guidance/intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>
<URL:https://www.intel.com/content/www/us/en/support/articles/000055650.html>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3LArVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJGQQ//ad41YWDAdgBMTWiF56qeySqElIOHt/mLt06s2WW9ceUoJpKW8rKwA4hi
sjuDlj4vg8ohdiFaZhTxX/smQi3BS+M0xi40fFFgMRR7HuVh11l6bPr+DoUH/Zi+
E5aiAilOlv/WUAxIrdx0ZlHPkjZ9vfSIPbiqmIkdlFEl4QCuusMRqXKNxaIzzk/K
rzabCN4NsQPk0SYIZ9l+tZ6JxOOeRaYn+aCjzlbkiYR+wttIaH9nTECx2Rj7XvSw
9Ng/Mq0M6QsTV/jKfQDRMxRnNfnzF7865uBQYxZNFY9VP5Z21CcqMT54ia5NgcG8
8Bn2fnM3HcK5LUW3DRnsLhAi6XX0EuX5VMdYvx20aQUj/k8f6a0cPmtSqUVkpU/K
ZcmLd4X+YS/o3UZnRY9OZOEb+kmZE/Yr8f/hR8tmle6FCPS1YLtkwDn3qg/oQA03
B5rLmzc+x32XZC0dn/HRZTLc4TXQLij0kZpuxiDmbEJmdARDWsl+e0VdBuQdD3Hr
Q2QvhSVvQgwue8vclfIQVElSZpW93HuyyR8O8ugofwcOt7XwI7k+8ZfrjkjHMPGZ
QW/i0FQJx4Kup70bzOubb3VEQ7cwAJtE1dvY55oaulDexq3RVMW7oEsvd84X2K8O
G3+YOZLMrvM1kFskRt067rttbJfMXvstMSHCCfGSqA7fdth6VNQ=
=KAsu
-----END PGP SIGNATURE-----