Update kernel to mitigate new MDS attacks
Originally created by @cypherpunks on #16720 (Redmine)
A very severe collection of Spectre-class hardware security
vulnerabilities has been discovered which allows reading arbitrary
memory. Existing Spectre defenses do not mitigate them. The only
mitigation is to install new microcode updates (which add new behavior
to a CPU instruction) and kernel updates (which call those
instructions at each context switch). It’s also unfortunately quite
necessary to disable SMT (Hyper-Threading). On updated kernels, this can
be done with mds=full,nosmt on the kernel command line. Until this is
done, arbitrary memory reads are possible in Tails, potentially even
from the Browser.
A proof-of-concept was also shown specifically for Tails.
See https://cpu.fail/ and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more information.
Feature Branch: bugfix/16720-linux-4.19.37-nosmt+force-all-tests
Blocked by #16708 (closed)
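An added example (not part of the issue, and not Tails project code) of how an administrator can verify that the mitigation described above is actually in effect on a running system. It classifies the status string the kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds (the strings are those documented in the linked kernel admin guide), checks /sys/devices/system/cpu/smt/control for whether SMT is really off, and checks /proc/cmdline for the mds=full,nosmt parameter. The status names it prints (not-affected, mitigated, smt-exposed, no-microcode, vulnerable, unknown) are this example's own labels; the sample strings fed to the functions in the usage section are constructed.

```shell
#!/bin/sh
# Added example: assess Linux MDS mitigation state from the kernel's own
# reporting interfaces. Not part of the Tails issue or the Tails code base.

# has_mds_nosmt_param CMDLINE
# Returns 0 when the boot command line carries mds=full,nosmt as a
# whole parameter (so "mds=full" alone does not count), 1 otherwise.
has_mds_nosmt_param() {
    case " $1 " in
        *" mds=full,nosmt "*) return 0 ;;
        *) return 1 ;;
    esac
}

# mds_assess "<contents of /sys/devices/system/cpu/vulnerabilities/mds>"
# Prints one of the example's own labels and returns 0 only when the
# host is fully covered (buffer clearing active AND SMT not exposing it).
mds_assess() {
    mds="$1"
    case "$mds" in
        "Not affected") echo not-affected; return 0 ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel tries to clear buffers but the CPU lacks the
            # microcode that gives the instruction that behavior.
            echo no-microcode; return 1 ;;
        Vulnerable*) echo vulnerable; return 1 ;;
        "Mitigation: Clear CPU buffers"*) ;;
        *) echo unknown; return 2 ;;
    esac
    # Buffer clearing is active; the suffix tells us about SMT.
    case "$mds" in
        *"SMT disabled"*|*"SMT mitigated"*) echo mitigated; return 0 ;;
    esac
    # "SMT vulnerable" or "SMT Host state unknown": a sibling thread can
    # still observe the buffers, so the mitigation is only partial.
    echo smt-exposed; return 1
}

# mds_check_live: read the real interfaces on this host and report.
# Returns mds_assess's code; prints SMT control and cmdline findings too.
mds_check_live() {
    vuln=/sys/devices/system/cpu/vulnerabilities/mds
    smtc=/sys/devices/system/cpu/smt/control
    if [ ! -r "$vuln" ]; then
        echo "mds status: unknown (no $vuln on this host)"
        return 2
    fi
    status=$(mds_assess "$(cat "$vuln")"); rc=$?
    echo "mds status: $status ($(cat "$vuln"))"
    # smt/control is one of: on, off, forceoff, notsupported, notimplemented
    if [ -r "$smtc" ]; then
        echo "smt control: $(cat "$smtc")"
    fi
    if [ -r /proc/cmdline ] && has_mds_nosmt_param "$(cat /proc/cmdline)"; then
        echo "cmdline: mds=full,nosmt present"
    else
        echo "cmdline: mds=full,nosmt NOT present"
    fi
    return $rc
}

# Constructed sample strings, shown here so the script demonstrates the
# classification without needing a real /sys tree:
mds_assess "Mitigation: Clear CPU buffers; SMT disabled"     # mitigated
mds_assess "Mitigation: Clear CPU buffers; SMT vulnerable"   # smt-exposed
mds_assess "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"  # no-microcode

# On a real host, report the live state (failure to be mitigated is
# reported, not treated as a script error here).
mds_check_live || :
```

Run it as a normal user; all three interfaces are world-readable. A result other than mitigated or not-affected means at least one of the three pieces the issue calls for (microcode, updated kernel, SMT disabled) is missing, and the printed smt control and cmdline lines show which one.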