How do I fix 'MDS CPU bug present and SMT on, data leak possible' errors from logwatch?

Solution 1:

Note: Undo your previous edits to /etc/default/intel-microcode and /etc/default/grub.

Mitigation control on the kernel command line

The kernel command line allows you to control the MDS mitigations at boot time with the option “mds=”. The valid arguments for this option are:

full

If the CPU is vulnerable, enable all available mitigations for the MDS vulnerability, CPU buffer clearing on exit to userspace and when entering a VM. Idle transitions are protected as well if SMT is enabled.

It does not automatically disable SMT.

full,nosmt

The same as mds=full, with SMT disabled on vulnerable CPUs. This is the complete mitigation.

off

Disables MDS mitigations completely.


sudo -H gedit /etc/default/grub

Change:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

To:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash mds=full,nosmt"

Save the file and quit gedit.

sudo update-grub

reboot

Note: Understand that you'll take a HUGE performance hit on multi-CPU or multi-core configurations.

Note: If the performance hit is too great, try mds=full instead of mds=full,nosmt.
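A way to confirm the change took effect after the reboot, as an added example that is not part of the answer above: it parses the mds= value out of the kernel command line and classifies the state the kernel reports through its sysfs vulnerability and SMT files (the file paths are the kernel's; the function names are my own).

```shell
#!/bin/sh
# Added example: verify the mds= boot option and the resulting mitigation state.
# Both functions take their input as strings so they can be checked offline
# against constructed samples; the bottom of the script feeds them the live files.

# $1 = contents of /proc/cmdline. Prints the value given to mds=, or "unset".
mds_cmdline_option() {
    for tok in $1; do
        case "$tok" in
            mds=*) echo "${tok#mds=}"; return 0 ;;
        esac
    done
    echo unset
}

# $1 = contents of /sys/devices/system/cpu/vulnerabilities/mds
# $2 = contents of /sys/devices/system/cpu/smt/control
#      (on, off, forceoff, notsupported or notimplemented)
# Prints: not-affected, complete, partial or unmitigated.
# "partial" is the state behind the logwatch line: a mitigation is active
# but SMT is still on, so the kernel warns that a data leak is possible.
mds_status() {
    case "$1" in
        "Not affected")
            echo not-affected ;;
        Mitigation:*)
            case "$2" in
                off|forceoff|notsupported|notimplemented) echo complete ;;
                *) echo partial ;;
            esac ;;
        *)
            echo unmitigated ;;
    esac
}

# Live check (only runs on a kernel that exposes the vulnerability file).
if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
    smt=$(cat /sys/devices/system/cpu/smt/control 2>/dev/null || echo notimplemented)
    echo "mds= option:   $(mds_cmdline_option "$(cat /proc/cmdline)")"
    echo "MDS state:     $(mds_status "$(cat /sys/devices/system/cpu/vulnerabilities/mds)" "$smt")"
fi
```

The expected result after applying mds=full,nosmt is "complete"; mds=full alone leaves an SMT-capable machine at "partial", which is exactly the condition logwatch reports.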