New intel vulnerabilities

Support
1

Journalctl for the last boot had an error and the links suggested These two switches to be added to the /etc/default/grub “mds=off” “mmio_stale_data=off”?
@philm

2

Is Phil clairvoyant now?

3

These look like they would go to the Grub command line
which is defined in /etc/default/grub
… not into /etc/fstab

However, it is totally unclear what those errors where and where those suggestions came from.

Perhaps you can tell what the problem seems to be?
Describe your issue - if there is one …

4

Maybe it’s this? Microsoft and Intel issue warning about MMIO Stale Data vulnerability on Windows 11, 10 - Neowin

5

Maybe.
Only he/she knows.

… from within the text of your link:

Meanwhile, Linux has already been patched for the MMIO Stale Data vulnerabilities.

2 Likes
6

From journalctl -b With those two switches removed from /etc/default/grub

jul 08 18:14:18 manjaro kernel: MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
Jul 08 18:14:18 manjaro kernel: MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.
7

Have you read this?

MDS - Microarchitectural Data Sampling — The Linux Kernel documentation

(I have not, not yet.)

Are you considering yourself affected and at risk?

Perhaps you still run an unpatched kernel - it’s all quite recent and that is wholly possible.

as for the other mentioned vulnerability:
you didn’t say
and I do not know

and thanks for confirming that those suggested flags should go into /etc/default/grub:wink:

just FYI:
I run all my kernels with:
mitigations=off
… it is a laptop, with no outside access/no services accessible to the outside world …

This is my decision - for my use case.
Not a recommendation!

8

The question is do we know if the journalctl report is correct even with linux 518 Kernel?
If not the grub switches are not needed. If its true the switch are needed until the kernel is patched.
Please advise?

9

The mitigations were backported to all supported kernels.

The Kernel options you posted in your first post disable the mitigations for these vulnerabilities. If you add them you tell the Kernel to not protect the system against these bugs. Of courses there is no real bug fix, you would need to get a new CPU that is not affected by this. On the other hand, for me, the problem does not sound that problematic on a desktop system. And I also use on my desktop systems mitigations=off , but this is a personal decision.

10

What I won’t to know is journalctl right or wrong?