intel / Intel-Linux-Processor-Microcode-Data-Files


Westmere #2

Closed kev009 closed 3 years ago

kev009 commented 5 years ago

I have some Westmere (Xeon 5600 series) servers. Are they now a pile of garbage, or is there some combination of kernel patch, and/or disabling HT, that is sufficient for protection of the MDS hardware snafu?

lilyanatia commented 5 years ago

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

IMPORTANT: There is no software fallback mechanism available for processors that have not received microcode updates from Intel. Mitigation is only possible if Intel has provided a microcode update for your processor.

edit: apparently FreeBSD has a software-only mitigation for machines without a microcode update available: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc

To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic mode uses the VERW instruction if supported by the CPU / microcode, or software sequences if not.
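To answer the original question on a given box, an administrator would read the kernel's own verdict rather than guess from the CPU model. The script below is an added example (not from this issue, the Ubuntu wiki or the FreeBSD advisory) that classifies the status line Linux exposes in /sys/devices/system/cpu/vulnerabilities/mds, and falls back to the hw.mds_disable sysctl quoted above when run on FreeBSD. The status strings matched ("Not affected", "Mitigation: Clear CPU buffers; SMT ...", "Vulnerable: Clear CPU buffers attempted, no microcode; ...") are the ones documented in the kernel's admin-guide for MDS; the sample line used when neither source is readable is constructed, and the read-only sysctl names beyond hw.mds_disable are deliberately not assumed.

```shell
#!/bin/sh
# Added example: classify the MDS mitigation state reported by the OS.
# Linux: /sys/devices/system/cpu/vulnerabilities/mds (kernel admin-guide format).
# FreeBSD: hw.mds_disable sysctl (values 0-3 as quoted from FreeBSD-SA-19:07).

# mds_status LINE
# Prints one of: not-affected, mitigated, partial, vulnerable, unknown.
# "partial" means the kernel clears CPU buffers on context switch, but SMT
# siblings are still enabled, so a sibling thread can still observe leaks.
mds_status() {
    line="$1"
    case "$line" in
        "Not affected")
            echo not-affected ;;
        Mitigation:*"SMT vulnerable"*)
            echo partial ;;
        Mitigation:*)
            echo mitigated ;;
        Vulnerable*)
            # Includes "Vulnerable: Clear CPU buffers attempted, no microcode":
            # without updated microcode VERW does not flush the buffers, so the
            # kernel's attempt is ineffective and the box stays exposed.
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# mds_sysctl_status VALUE
# Interprets the FreeBSD hw.mds_disable setting (0-3) from the advisory.
# Only 2 is independent of microcode; 1 and 3 depend on VERW being functional.
mds_sysctl_status() {
    case "$1" in
        0) echo vulnerable ;;
        1) echo "verw-requested (needs microcode)" ;;
        2) echo "software-sequence" ;;
        3) echo "automatic" ;;
        *) echo unknown ;;
    esac
}

# read_mds_status
# Uses the live sysfs file or sysctl when present; otherwise evaluates a
# constructed sample line of the kind an unpatched Westmere host would show.
read_mds_status() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then
        mds_status "$(cat "$f")"
    elif command -v sysctl >/dev/null 2>&1 && sysctl -n hw.mds_disable >/dev/null 2>&1; then
        mds_sysctl_status "$(sysctl -n hw.mds_disable)"
    else
        # constructed sample, not read from any real machine
        mds_status "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
    fi
}

read_mds_status
```

Run it as root is not required; the sysfs file is world-readable. A result of `partial` is the case the kernel documents for hosts that received microcode but keep Hyper-Threading on, which is the "disabling HT" half of the question; `vulnerable` with "no microcode" in the line is the case where, on Linux, no kernel option closes the gap.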