Status updates

A few sections stated "as of some date in 2019" and now have been updated to March 2020 -- recommendations tweaked accordingly.
This commit is contained in:
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 2020-03-13 17:03:29 -04:00 committed by GitHub
parent 235aaef3aa
commit 01a9617d47
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -65,7 +65,7 @@ Disable Hyper-Threading on systems that match ALL of the following requirements:
2. Intel systems that allow the execution of arbitrary programs and scripts (e.g. systems lacking application whitelisting)
3. Intel systems that are part of the 9th generation or older
All form factors are affected (e.g. desktops, servers, notebooks, tablets). Disabling Hyper-Threading may impart a significant performance penalty on some use cases. Virtual processor and Simultaneous MultiThreading (SMT) solutions from vendors other than Intel are not implicated as susceptible to MDS as of May, 2019.
All form factors are affected (e.g. desktops, servers, notebooks, tablets). Disabling Hyper-Threading may impart a significant performance penalty on some use cases. Virtual processor and Simultaneous MultiThreading (SMT) solutions from vendors other than Intel are not implicated as susceptible to MDS as of March, 2020.
#### <a name="verify"/>2.1.5 Verification
To test that patches are successful see the section named [Verification](./verification).
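Review bot: the only change in this hunk is the date in the last sentence, which leaves a time-bound negative claim ("not implicated as susceptible to MDS as of March, 2020") with nothing a reader can check against; consider linking the vendor statements the date is based on, or rewording to "no non-Intel SMT implementation is known to be affected by MDS" so the sentence does not go stale on the next refresh. The same line would also read better with "impose a significant performance penalty" in place of "impart".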
@ -73,9 +73,9 @@ To test that patches are successful see the section named [Verification](./verif
### <a name="products"/>2.2 Resources and Affected products
Assume that all processor products from all processor manufacturers ([Intel](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html), AMD, [ARM](https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability), [IBM](https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/), Apple, Samsung, [Nvidia](https://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-driver-security-updates-for-cpu-speculative-side), Qualcomm, etc.) are affected by one or more side-channel vulnerabilities. Attempts have been made to quantify which [specific processors](https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/) are affected by a given attack or its variations. However, the listing of products continues to grow as more researchers put resources towards expanding the scope of analyzed products. In general, the more market share a company has, the more likely their products have discovered side-channel attacks with names and CVEs.
Processor vendor exposure to side-channel attacks varies. For example, Spectre affects nearly all processor products to some degree; Meltdown and Microarchitectural Data Sampling (MDS) primarily affect Intel products. Replacing older hardware with newer hardware does not guarantee mitigation of all side-channel vulnerabilities. However, newer hardware features updated instructions that lessen the performance impact of patches.
Processor vendor exposure to side-channel attacks varies. For example, Spectre affects nearly all processor products to some degree; Meltdown and Microarchitectural Data Sampling (MDS) primarily affect Intel products. Take A Way only affects AMD products. Replacing older hardware with newer hardware does not guarantee mitigation of all side-channel vulnerabilities. However, newer hardware features updated instructions that lessen the performance impact of patches.
As of May, 2019, processor vendor exposure to side-channel attacks varies. Multiple generations of Intel products are known to be vulnerable to most side-channel attacks on this page. However, some Core 8000-series and 9000-series products have hardware mitigations for Spectre and Meltdown vulnerabilities. Xeon products launched since late 2018 may also have hardware mitigations -- carefully examine specification sheets. Newer MDS vulnerabilities still apply to most Intel products. AMD Ryzen 3000-series products launched in mid-2019 are expected to contain hardware Spectre mitigations, but Epyc products do not -- Meltdown and MDS do not apply due to architectural differences. Comparatively few IBM and ARM-derived products are affected by Spectre and Meltdown -- consult manufacturer resources.
As of March, 2020, processor vendor exposure to side-channel attacks still varies. In general, older CPUs have more vulnerabilities and are affected more adversely by mitigations than newer CPUs. However, new CPUs have proven to still have vulnerabilities as security researchers continue to discover clever ways to break security boundaries and even defeat recent mitigation efforts. Look for products that specifically boast side-channel mitigation and performance benefits over previous generations.
NSA does not have the mission to test every processor released. Researchers, product vendors, and [tech websites](https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/) have compiled lists of affected products.
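Review bot: the replacement paragraph drops the actionable detail the old one carried (which Core 8000/9000-series and recent Xeon parts have hardware Spectre and Meltdown mitigations, that Ryzen 3000 has hardware Spectre mitigations while Epyc does not, and that Meltdown and MDS do not apply to AMD); if those statements are still accurate, keep them with an updated date rather than replacing them with the generic advice to "look for products that specifically boast side-channel mitigation", which gives a reader no way to verify a vendor's claim. Separately, the new sentence "Take A Way only affects AMD products." introduces an attack name with no link or identifier, while the surrounding paragraphs link vendor advisories and product lists; add a reference for it, and "boast" would read better as "document".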