Home / mailingsPDF  

FreeBSD Security Advisory FreeBSD-SA-19:26.mcu

Posted on 12 November 2019
FreeBSD security notificat

=============================================================================FreeBSD-SA-19:26.mcu Security Advisory
The FreeBSD Project

Topic: Intel CPU Microcode Update

Category: 3rd party
Module: Intel CPU microcode
Announced: 2019-11-12
Credits: Intel
Affects: All supported versions of FreeBSD running on certain
Intel CPUs.
CVE Name: CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
CVE-2017-5715


For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

- From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities. Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port
and package.

II. Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).

Intel TSX Updates (TAA) CVE-2019-11135
Voltage Modulation Vulnerability CVE-2019-11139
MD_CLEAR Operations CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
TA Indirect Sharing CVE-2017-5715
EGETKEY CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
JCC SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups. Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users. Please refer to the security
advisories listed above for detailed information.

IV. Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.

*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data

or

# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that
partially relieve the peformance impact.

V. Solution

Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.

Updated microcode adds the ability to disable TSX. With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:

1. kldload cpuctl

2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
0x10a MSR is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled. The only remedy available is to
enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.

A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
peformance impact. Updates to prior versions of LLVM are currently being
evaluated.

VI. Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11091>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
<URL:https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/>
<URL:https://software.intel.com/security-software-guidance/software-guidance/intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>
<URL:https://www.intel.com/content/www/us/en/support/articles/000055650.html>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc>

 

TOP