From bf17094c87dea9586e72c2b18c612ba6c7d720c7 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Wed, 28 Aug 2019 11:48:17 +0300 Subject: [PATCH 01/14] operating-systemd.html: add a warning for Linux/CPU vulns --- _includes/sections/operating-systems.html | 1 + 1 file changed, 1 insertion(+) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 17700fbf..2e16743d 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -39,6 +39,7 @@ tor="http://sejnfjrq6szgca7v.onion"

Worth Mentioning

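Review bot: the subject line names operating-systemd.html, but the file touched in the diff header is _includes/sections/operating-systems.html; fix the typo in the commit message before this lands, since it is what git log will show for the change.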
-- 2.47.2 From e7c1dde9d320f73a3a8fdfbce49ba6123eae876c Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Wed, 28 Aug 2019 13:48:27 +0300 Subject: [PATCH 02/14] operating-systems: expand the Linux instructions for MDS mitigation --- _includes/sections/operating-systems.html | 29 ++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 2e16743d..62544ec9 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -39,7 +39,34 @@ tor="http://sejnfjrq6szgca7v.onion" + +

Remember to check CPU vulnerability mitigations on Linux

+ +

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily.

+ +

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat the file names are also visible.

+ +

In case you have a Intel CPU, you will likely see that MDS - Microarchitectural Data Sampling is only partially mitigated ("SMT vulnerable"), unless you have disabled it in UEFI BIOS as the full mitigation disables Simultaneous multithreading which may be the cause of the highest performance impact.

+ +

The following steps can be took to enable the full mitigation assuming your system/distribution uses grub and supports /etc/default/grub.d/:

+ +
    +
  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration +
  2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  3. +
  4. sudo update-grub to generate a new config file including these kernel flags +
  5. sudo reboot to reboot +
  6. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled. +
+ +
Further reading
+ +

Worth Mentioning

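Review bot: the echo in step 2 expands $GRUB_CMDLINE_LINUX_DEFAULT in the user's interactive shell, where it is normally unset, so the drop-in file will contain `GRUB_CMDLINE_LINUX_DEFAULT= mds=full,nosmt`; when grub-mkconfig later sources that file the shell treats it as running a command named mds=full,nosmt with an empty temporary variable, prints "command not found", and the flag never reaches grub.cfg. Single-quote the whole string so the variable reference is written literally and expanded at config time: `echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt"' | sudo tee /etc/default/grub.d/mds.cfg`. The extension matters too: the Debian/Ubuntu grub-mkconfig only sources /etc/default/grub.d/*.cfg, so a file named mds.conf is silently ignored. Step 4's sudo update-grub is that same Debian/Ubuntu wrapper, so the list should either say the steps target those distributions or give grub-mkconfig -o as the general form. Wording: "a enough recent kernel" should be "a recent enough kernel", "a Intel CPU" should be "an Intel CPU", "can be took" should be "can be taken", and "afterward the reboot check" should be "after the reboot, check".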
-- 2.47.2 From ba9eefbd0ada7db4189949f27d4838b854fcd499 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Wed, 28 Aug 2019 13:52:21 +0300 Subject: [PATCH 03/14] operating-systems: s/multithreading/hyperthreading/ --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 62544ec9..047253f3 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -39,7 +39,7 @@ tor="http://sejnfjrq6szgca7v.onion"

Remember to check CPU vulnerability mitigations on Linux

-- 2.47.2 From a6f138a3830b39f78f5d3e2abbab0719760b0a2b Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Wed, 28 Aug 2019 13:58:39 +0300 Subject: [PATCH 04/14] operating-systems: address feedback, fix typo --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 047253f3..e356ad90 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -55,7 +55,7 @@ tor="http://sejnfjrq6szgca7v.onion"
  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
  2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  3. -
  4. sudo update-grub to generate a new config file including these kernel flags +
  5. sudo grub-mkconfig -o /boot/grub/grub.cfg (or on Debian/Ubuntu based distributions sudo update-grub to generate a new config file including this new kernel flag
  6. sudo reboot to reboot
  7. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
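Review bot: the parenthesis opened in the new step 4, "(or on Debian/Ubuntu based distributions sudo update-grub", is never closed; close it after update-grub. While touching this line, /boot/grub/grub.cfg is the Debian/Ubuntu/Arch location; Fedora, RHEL and openSUSE use /boot/grub2/grub.cfg, so the non-Debian alternative you are adding here is only correct for some of the systems it is meant to cover.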
-- 2.47.2 From f9f7600ba5cae58d84f2124cca0828708e6f4738 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Wed, 28 Aug 2019 14:11:49 +0300 Subject: [PATCH 05/14] operating-systems: remove update-grub, close li tags --- _includes/sections/operating-systems.html | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index e356ad90..2a34f307 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -53,11 +53,11 @@ tor="http://sejnfjrq6szgca7v.onion"

The following steps can be took to enable the full mitigation assuming your system/distribution uses grub and supports /etc/default/grub.d/:

    -
  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration +
  2. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
  3. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  4. -
  5. sudo grub-mkconfig -o /boot/grub/grub.cfg (or on Debian/Ubuntu based distributions sudo update-grub to generate a new config file including this new kernel flag -
  6. sudo reboot to reboot -
  7. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled. +
  8. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new config file including this new kernel flag
  9. +
  10. sudo reboot to reboot
  11. +
  12. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
Further reading
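Review bot: removing update-grub leaves grub-mkconfig -o /boot/grub/grub.cfg as the only command, but the /etc/default/grub.d/ drop-in directory the preceding steps rely on is a Debian/Ubuntu feature of grub-mkconfig, and those are exactly the systems where update-grub is the documented wrapper; either state that the instructions assume Debian/Ubuntu or keep the path caveat (/boot/grub2/grub.cfg on Fedora/openSUSE). The unchanged intro line "The following steps can be took" still needs "taken".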
-- 2.47.2 From 95ea0c871aba578e706631d22d8d94ee999e791a Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 30 Aug 2019 12:55:03 +0300 Subject: [PATCH 06/14] operating-systems: @nitrohorse's first feedback Doing this in a separate commit in case I misunderstood, so I can revert --- _includes/sections/operating-systems.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 2a34f307..c93efb09 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -39,10 +39,9 @@ tor="http://sejnfjrq6szgca7v.onion" -

Remember to check CPU vulnerability mitigations on Linux

+

Remember to check CPU vulnerability mitigations

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily.

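Review bot: with "on Linux" dropped from the heading, the sentence that follows it, "This also affects Windows 10", has lost its referent; the reader no longer knows what Windows is being contrasted with. Either keep a Linux mention in the heading or open the paragraph by naming Linux before the Windows comparison.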
-- 2.47.2 From 80ed983f46611add85c4f9e56a58c926bd1253d9 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 30 Aug 2019 12:58:02 +0300 Subject: [PATCH 07/14] operating-systems: address feedback --- _includes/sections/operating-systems.html | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index c93efb09..3347c591 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -43,11 +43,13 @@ tor="http://sejnfjrq6szgca7v.onion"

Remember to check CPU vulnerability mitigations

-

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily.

+

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily.

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat the file names are also visible.

-

In case you have a Intel CPU, you will likely see that MDS - Microarchitectural Data Sampling is only partially mitigated ("SMT vulnerable"), unless you have disabled it in UEFI BIOS as the full mitigation disables Simultaneous multithreading which may be the cause of the highest performance impact.

+

+ In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/: +

The following steps can be took to enable the full mitigation assuming your system/distribution uses grub and supports /etc/default/grub.d/:

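Review bot: the replacement paragraph drops two facts the removed line carried: that "SMT vulnerable" means the MDS mitigation is only partial, and that the full mitigation works by disabling SMT, which is where the performance cost comes from; without them the reader is told to disable hyper-threading with no reason and no warning about the trade-off. "You can also take the following mitigation steps" reads as if both actions are required, but the GRUB nosmt route is the alternative to the firmware toggle, so "alternatively" is the right connector. Minor: "you may notice "SMT vulnerable" display" should be "displayed". The old paragraph ("The following steps can be took...") is still present below the new one in this hunk, so the two now say the same thing twice.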
-- 2.47.2 From 491d5ac6dd31a7107360fb8421359e6d3c5dd103 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 30 Aug 2019 13:00:33 +0300 Subject: [PATCH 08/14] operating-systems: dd a duplicate paragraph --- _includes/sections/operating-systems.html | 2 -- 1 file changed, 2 deletions(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 3347c591..2436a0d8 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -51,8 +51,6 @@ tor="http://sejnfjrq6szgca7v.onion" In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/:

-

The following steps can be took to enable the full mitigation assuming your system/distribution uses grub and supports /etc/default/grub.d/:

-
  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
  2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
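Review bot: the paragraph being removed was the only place that said these steps enable the full mitigation; carry "full mitigation" into the sentence that introduces the list so the reader knows what the nosmt route achieves beyond the firmware toggle. The commit subject "dd a duplicate paragraph" presumably means "drop".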
  3. -- 2.47.2 From 21088b1f3269615d7e7e77b9f2cb418b578d0299 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 30 Aug 2019 13:01:43 +0300 Subject: [PATCH 09/14] operating-systems: add missing "grub" word --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 2436a0d8..5544d2ed 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -54,7 +54,7 @@ tor="http://sejnfjrq6szgca7v.onion"
    1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
    2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
    3. -
    4. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new config file including this new kernel flag
    5. +
    6. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new grub config file including this new kernel flag
    7. sudo reboot to reboot
    8. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
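Review bot: wording fix looks fine; the context line below it, "afterward the reboot check tail -n +1 ... again", still reads oddly and should be "after the reboot, check".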
    -- 2.47.2 From 55bc3b19158373d0f2fb5bd881cd3f8a250e98b0 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Fri, 30 Aug 2019 13:39:46 +0300 Subject: [PATCH 10/14] operating-systems: fix the last step of nosmt --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 5544d2ed..e83d4169 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -56,7 +56,7 @@ tor="http://sejnfjrq6szgca7v.onion"
  4. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  5. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new grub config file including this new kernel flag
  6. sudo reboot to reboot
  7. -
  8. afterward the reboot check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
  9. +
  10. after the reboot, check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
Further reading
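Review bot: since this step is meant to confirm a single entry, point readers at that file directly, cat /sys/devices/system/cpu/vulnerabilities/mds, rather than re-listing the whole directory; then the "SMT disabled" suffix they are told to look for is unambiguous instead of one line among many.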
-- 2.47.2 From f497fccf2b998ce5043ad430dd9867f8ac90f0f4 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Sat, 31 Aug 2019 11:07:39 +0300 Subject: [PATCH 11/14] operating-systems: mention macOS link --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index e83d4169..0c944bff 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -43,7 +43,7 @@ tor="http://sejnfjrq6szgca7v.onion"

Remember to check CPU vulnerability mitigations

-

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily.

+

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily. MacOS users check How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat the file names are also visible.

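Review bot: "MacOS users check How to enable full mitigation ... on Apple Support" is missing a verb and a full stop; "macOS users should check ... on Apple Support." (Apple spells it macOS). Because the linked title is a full sentence, the anchor text runs into the surrounding prose; wrapping the title in quotation marks keeps the boundary visible in the rendered page.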
-- 2.47.2 From e55a2cf503332fd93a29e0584c12d7cd0afa5d62 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Sat, 31 Aug 2019 11:09:53 +0300 Subject: [PATCH 12/14] operating-systems: address feedback --- _includes/sections/operating-systems.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 0c944bff..7729b0d0 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -45,7 +45,7 @@ tor="http://sejnfjrq6szgca7v.onion"

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily. MacOS users check How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support

-

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat the file names are also visible.

+

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat, the file names are also visible.

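Review bot: the rewritten line keeps "a enough recent kernel"; it should be "a recent enough kernel". "Recent enough" is also unhelpfully vague for the reader deciding whether the missing file means an old kernel or a missing mitigation; naming the kernel series that introduced the mds entry, or telling the reader to compare against their distribution's security advisory, would make the check actionable.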
In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/: @@ -54,9 +54,9 @@ tor="http://sejnfjrq6szgca7v.onion"

  1. sudo mkdir /etc/default/grub.d/ to create a directory for additional grub configuration
  2. echo GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT mds=full,nosmt" | sudo tee /etc/default/grub.d/mds.conf to create a new grub config file source with the echoed content
  3. -
  4. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new grub config file including this new kernel flag
  5. +
  6. sudo grub-mkconfig -o /boot/grub/grub.cfg to generate a new grub config file including this new kernel boot flag
  7. sudo reboot to reboot
  8. -
  9. after the reboot, check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says SMT disabled.
  10. +
  11. after the reboot, check tail -n +1 /sys/devices/system/cpu/vulnerabilities/* again to see that MDS now says "SMT disabled."
Further reading
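Review bot: the period in "SMT disabled." ends up inside the quotation marks, but the string readers will compare against in sysfs is SMT disabled with no punctuation; put the full stop outside the quotes so nobody looks for a trailing dot in the output. "kernel boot flag" is non-standard; the kernel documentation calls these kernel command line parameters, and matching that term helps readers find mds= and nosmt in it.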
-- 2.47.2 From 5702452227c1e2f759c8921a6d229f7502fe1e16 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Sat, 31 Aug 2019 11:13:15 +0300 Subject: [PATCH 13/14] operating-systems: add a dot --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 7729b0d0..04dd5ac0 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -43,7 +43,7 @@ tor="http://sejnfjrq6szgca7v.onion"

Remember to check CPU vulnerability mitigations

-

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily. MacOS users check How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support

+

This also affects Windows 10, but it doesn't expose this information or mitigation instructions as easily. MacOS users check How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities on Apple Support.

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat, the file names are also visible.

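Review bot: the full stop is added, but "MacOS users check" still lacks "should" and Apple's capitalisation is "macOS".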
-- 2.47.2 From 4697bf6d6c04cb128c5d28adfc90f4c88f373113 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Sat, 31 Aug 2019 19:22:47 +0300 Subject: [PATCH 14/14] operating-systems: fix link --- _includes/sections/operating-systems.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/sections/operating-systems.html b/_includes/sections/operating-systems.html index 04dd5ac0..9dc6d511 100644 --- a/_includes/sections/operating-systems.html +++ b/_includes/sections/operating-systems.html @@ -48,7 +48,7 @@ tor="http://sejnfjrq6szgca7v.onion"

When running a enough recent kernel, you can check the CPU vulnerabilities it detects by tail -n +1 /sys/devices/system/cpu/vulnerabilities/*. By using tail -n +1 instead of cat, the file names are also visible.

- In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/: + In case you have an Intel CPU, you may notice "SMT vulnerable" display after running the tail command. To mitigate this, disable hyper-threading from the UEFI/BIOS. You can also take the following mitigation steps below if your system/distribution uses GRUB and supports /etc/default/grub.d/:

    -- 2.47.2