Update kernel to mitigate new MDS attacks

Originally created by @cypherpunks on #16720 (Redmine)

A very severe collection of Spectre-class hardware security vulnerabilities have been discovered which allow reading arbitrary memory. Existing Spectre defenses do not mitigate them. The only mitigation is to install new microcode updates (which add new behavior to a CPU instruction) and kernel updates (which use call those instructions at each context switch). It’s also unfortunately quite necessary to disable SMT (Hyper-Threading). On updated kernels, this can be done with mds=full,nosmt on the kernel command line. Until this is done, arbitrary memory reads are possible in Tails, potentially even from the Browser.

A proof-of-concept was also shown specifically for Tails.

See https://cpu.fail/ and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more information.

Feature Branch: bugfix/16720-linux-4.19.37-nosmt+force-all-tests

Related issues

Blocked by #16708 (closed)

Edited May 15, 2020 by cypherpunks

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information