{"description": "Microarchitectural Data Sampling (MDS) is a hardware vulnerability which allows unprivileged\nspeculative access to data which is available in various CPU internal buffers.\n\nWhen performing store, load, or L1 refill operations, processors write data into temporary\nmicroarchitectural structures (buffers), and the data in a buffer can be forwarded to load\noperations as an optimization.\n\nUnder certain conditions, data unrelated to the load operation can be speculatively\nforwarded from the buffers to a disclosure gadget, which in turn allows the value to be inferred\nvia a cache side-channel attack.\n\nSelect the appropriate mitigation by adding the argument\n<tt>mds=<sub idref=\"var_mds_options\" /></tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>mds=<sub idref=\"var_mds_options\" /></tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>mds=<sub idref=\"var_mds_options\" /></tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... mds=<sub idref=\"var_mds_options\" /> ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>\n\nNot all processors are affected by all variants of MDS, but the mitigation mechanism is\nidentical for all of them.\n\nSince Linux kernel 5.2 you can check whether the system is vulnerable or mitigated with the\nfollowing command:\n<tt>cat /sys/devices/system/cpu/vulnerabilities/mds</tt>", "rationale": "The MDS vulnerability allows an attacker to sample data from internal CPU buffers.", "severity": "medium", "references": {"anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "MDS mitigations are not configured appropriately", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>mds=<sub idref=\"\" /></tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mds=<sub idref=\"\" />.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*mds=<sub idref=\"\" />.*' /etc/default/grub</pre>\nMoreover, the current GRUB config file <tt>grub.cfg</tt> must be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf it includes <tt>mds=<sub idref=\"\" /></tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'mds=<sub idref=\"\" />'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"performance": "Enabling MDS mitigations will impact the performance of the system, mainly for workloads with\nhigh rates of user-kernel-user space transitions, for example system calls, NMIs and interrupts."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Microarchitectural Data Sampling mitigation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "mds", "arg_variable": "var_mds_options"}, "backends": {}}}