Configure Microarchitectural Data Sampling mitigation

An XCCDF Rule

Description

Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged speculative access to data which is available in various CPU internal buffers. When performing store, load, L1 refill operations, processors write data into temporary microarchitectural structures (buffers), and the data in the buffer can be forwarded to load operations as an optimization. Under certain conditions, data unrelated to the load operations can be speculatively forwarded from the buffers to a disclosure gadget which allows in turn to infer the value via a cache side channel attack. Select the appropriate mitigation by adding the argument mds= to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain mds= as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mds="

Not all processors are affected by all variants of MDS, but the mitigation mechanism is identical for all of them. Since Linux Kernel 5.2 you can check whether the system is vulnerable or mitigated with the following command: cat /sys/devices/system/cpu/vulnerabilities/mds

warning alert: Performance Warning

Enabling MDS mitigations will impact performance of the system, mainly by workloads with high rates of user-kernel-user space transitions. For example, system calls, NMIs and interrupts.

Rationale

The MDS vulnerability allows an attacker to sample data from internal CPU buffers.

ID: xccdf_org.ssgproject.content_rule_grub2_mds_argument
Severity: Medium
Updated: about 1 year ago

[customizations.kernel]
append = "mds=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mds_options" use="legacy"/>"

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_mds_argument
  - low_disruption  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy
- name: XCCDF Value var_mds_options # promote to variable
  set_fact:
    var_mds_options: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mds_options" use="legacy"/>
  tags:
    - always

- name: Update grub defaults and the bootloader menu
  command: /sbin/grubby --update-kernel=ALL --args="mds={{ var_mds_options }}"
  when:
  - '"grub2-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - grub2_mds_argument
  - low_disruption
  - medium_complexity
  - medium_severity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_mds_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mds_options" use="legacy"/>'


grubby --update-kernel=ALL --args=mds=$var_mds_options

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Microarchitectural Data Sampling mitigation

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Ansible

Remediation - Shell Script