[ltp] MDS vulnerability kernel detection and mitigation, after already having a patched bios?

[Rubin Abdi]

TL;DR, will the kernel still detect a full positive on the
MDS vulnerability after a hypothetically patched update bios is installed?

Hello!

So today I did a Debian Sid upgrade on my ThinkPad T480s which brought in
the 6.6.9 kernel. After reboot I got some messages regarding a set of MDS
vulnerabilities:

MDS CPU bug present and SMT on, data leak possible. See
> https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for
> more details.


After fully booting up my machine is noticeably slower, I'm assuming from
whatever mitigation to those vulnerabilities the kernel is calling.

There are 4 vulnerabilities listed on that page that I could have sworn was
patched in a bios update I did at least a year ago. Googling around I found
this Lenovo support doc about the vulnerability:

https://support.lenovo.com/us/en/product_security/ps500247-microarchitectural-data-sampling-mds-side-channel-vulnerabilities#ThinkPad

Listed there are all 4 CVEs and a link to the T480s 1.31 bios update, which
is older than the bios I was on. The annoying thing is when I look at the
release notes for 1.31 and the latest version, I see mentions of every CVE
patched except for CVE-2019-11091 - Microarchitectural Data Sampling
Uncacheable Memory (MDSUM).

I went ahead and did another update to the latest bios 1.56, released in
November, however after rebooting the kernel still reports that my machine
is vulnerable.

So my question is will the kernel still detect a full positive on the
MDS vulnerability after a hypothetically patched update bios is installed?
If so can I just safely add in the kernel options to disable the mitigation?

Thanks!

-- 
Rubin (he/him <https://en.pronouns.page/he>)
rubin at starset.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.linux-thinkpad.org/pipermail/linux-thinkpad/attachments/20240113/d64bd0c3/attachment.htm>