Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged
speculative access to data which is available in various CPU internal buffers.
When performing store, load, or L1 refill operations, processors write data into temporary
microarchitectural structures (buffers), and the data in those buffers can be forwarded to
later load operations as an optimization.
Under certain conditions, data unrelated to the load operations can be speculatively
forwarded from the buffers to a disclosure gadget which allows in turn to infer the value
via a cache side channel attack.
Select the appropriate mitigation by adding the argument mds= to the default GRUB 2 command
line for the Linux operating system.
To ensure that mds= is added as a kernel command line argument to newly installed kernels,
add mds= to the default GRUB 2 command line for Linux operating systems. Modify the line
within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... mds= ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="mds="
Not all processors are affected by all variants of MDS, but the mitigation mechanism is
identical for all of them.
Since Linux kernel 5.2, you can check whether the system is vulnerable or mitigated with the
following command:
cat /sys/devices/system/cpu/vulnerabilities/mds
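The following script is an added example and is not part of the original guidance. It ties together the two steps above: it extracts the value given to mds= in the GRUB_CMDLINE_LINUX line of /etc/default/grub (the page leaves the value blank; values such as full, off or full,nosmt are documented kernel options and are used here only as constructed sample input) and classifies the status string the kernel reports under /sys/devices/system/cpu/vulnerabilities/mds. The function names grub_mds_value, mds_status_class and check_system are this example's own. It assumes POSIX sh with grep, sed and tail.

```shell
#!/bin/sh
# Added example, not part of the original guidance. Checks whether
# GRUB_CMDLINE_LINUX in /etc/default/grub carries an mds= argument and what
# the running kernel reports under /sys (Linux 5.2 and later).
# Assumes POSIX sh with grep, sed and tail.

# Print the value given to mds= in a GRUB_CMDLINE_LINUX line (the empty string
# if the line reads "mds=" with no value), or "absent" if the argument is not
# present. The match is anchored at a word boundary (space or opening quote)
# so a different parameter that merely ends in "mds=" is not picked up.
grub_mds_value() {
    line="$1"
    if printf '%s\n' "$line" | grep -q '[[:space:]"]mds='; then
        # drop everything up to "mds=", then cut at the next space or quote
        printf '%s\n' "$line" \
            | sed -e 's/.*[[:space:]"]mds=//' -e 's/[[:space:]"].*//'
    else
        printf 'absent'
    fi
}

# Map the sysfs status string to a short class. The string shapes follow the
# kernel's mds reporting format ("Not affected", "Vulnerable...",
# "Mitigation: Clear CPU buffers; SMT ..."); the samples in the usage note
# below are constructed.
mds_status_class() {
    case "$1" in
        'Not affected')                 printf 'not_affected' ;;
        Mitigation:*'SMT vulnerable'*)  printf 'mitigated_smt_vulnerable' ;;
        Mitigation:*)                   printf 'mitigated' ;;
        Vulnerable*)                    printf 'vulnerable' ;;
        *)                              printf 'unknown' ;;
    esac
}

# Report the configured argument and the kernel's runtime status for this
# host. Reading /etc/default/grub may require root on some systems.
check_system() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$sysfs" ]; then
        status=$(cat "$sysfs")
        printf 'kernel reports: %s [%s]\n' "$status" "$(mds_status_class "$status")"
    else
        printf '%s not readable: kernel older than 5.2 or sysfs unavailable\n' "$sysfs"
    fi
    if [ -r /etc/default/grub ]; then
        line=$(grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub | tail -n 1)
        printf 'GRUB_CMDLINE_LINUX mds value: %s\n' "$(grub_mds_value "$line")"
    else
        printf '/etc/default/grub not readable\n'
    fi
    return 0
}

check_system
```

Run it on the host after editing /etc/default/grub and regenerating the boot configuration; a "mitigated_smt_vulnerable" class means the buffer-clearing mitigation is active but SMT is still enabled, and an "absent" GRUB value means newly installed kernels will not receive the argument even if grubby has updated the existing ones.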