Skip to content

Configure Microarchitectural Data Sampling mitigation

An XCCDF Rule

Description

Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. When performing store, load, L1 refill operations, processors write data into temporary microarchitectural structures (buffers), and the data in the buffer can be forwarded to load operations as an optimization. Under certain conditions, data unrelated to the load operations can be speculatively forwarded from the buffers to a disclosure gadget which allows in turn to infer the value via a cache side channel attack. Select the appropriate mitigation by adding the argument mds= to the default GRUB 2 command line for the Linux operating system. To ensure that mds= is added as a kernel command line argument to newly installed kernels, add mds= to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... mds= ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="mds="
Not all processors are affected by all variants of MDS, but the mitigation mechanism is identical for all of them. Since Linux Kernel 5.2 you can check whether the system is vulnerable or mitigated with the following command: cat /sys/devices/system/cpu/vulnerabilities/mds

warning alert: Performance Warning

Enabling MDS mitigations will impact performance of the system, mainly by workloads with high rates of user-kernel-user space transitions. For example, system calls, NMIs and interrupts.

Rationale

The MDS vulnerability allows an attacker to sample data from internal CPU buffers.

ID
xccdf_org.ssgproject.content_rule_grub2_mds_argument
Severity
Medium
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "mds=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mds_options" use="legacy"/>"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_mds_argument
  - low_disruption

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_mds_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mds_options" use="legacy"/>'