The error message says to check:
See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.
But I'm not 100% sure how to fix it.
I looked at /etc/default/intel-microcode and found the following:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
# IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
# IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""

I changed it to this:
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""

Previously, I turned off hyperthreading in the BIOS, and I also changed the setting in /etc/default/grub to:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash maxcpus=6"

My machine has six physical CPUs.
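Posted on 2021-12-22 10:30:35
According to Intel's security advisory, to mitigate this issue you should update the CPU microcode. This vulnerability is fixed by the 20190514 microcode update. You can use the dpkg -s intel-microcode command to check the current version of the package that installs the microcode on your system. If its number is greater, then you are fine.
You can also update the BIOS to the latest version, but this step is vendor-specific. You can check the recommendations from multiple vendors on Intel's website here.
In some cases, these two steps combined should mitigate this vulnerability. However, if the output of dmesg | grep 'data leak' still shows the 'MDS CPU bug' message, then it is not fully mitigated. You can check which components of your system are still affected with cat /sys/devices/system/cpu/vulnerabilities/mds.
In that case, you should consider disabling hyperthreading completely. But note that, as @heynnema mentioned in his answer, this may cause a performance loss.
Please read the Ubuntu Knowledge Base article that describes this vulnerability in detail.
So there is no universal answer; it depends on the use case. You can mitigate it at the cost of performance, or leave it as it is (Intel notes that "practical exploitation of MDS is a very complex undertaking").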
https://askubuntu.com/questions/1250040
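
As an added example (not part of the original question or answer), the script below classifies the status line that cat /sys/devices/system/cpu/vulnerabilities/mds prints, matching the status strings listed in the kernel admin guide linked in the question. The verdict words, the function names mds_assess and mds_demo, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the MDS status line the kernel exposes in sysfs.
# The status strings matched below are those listed in the kernel admin guide
# (hw-vuln/mds.html); the verdict words are this example's own invention.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

mds_assess() {
    status=$1
    case $status in
        "Not affected"*)
            echo "not-affected"; return 0 ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Kernel clears buffers on a best-effort basis; microcode is too old.
            echo "microcode-missing"; return 0 ;;
        "Vulnerable"*)
            echo "unmitigated"; return 0 ;;
        "Mitigation: Clear CPU buffers"*)
            ;;  # mitigation active, the SMT state decides below
        *)
            echo "unrecognized"; return 0 ;;
    esac
    # On vulnerable CPUs the SMT state is appended after "; ".
    case $status in
        *"; SMT vulnerable")                  echo "smt-exposed" ;;
        *"; SMT Host state unknown")          echo "smt-unknown" ;;
        *"; SMT disabled"|*"; SMT mitigated") echo "mitigated" ;;
        *)                                    echo "mitigated-smt-unreported" ;;
    esac
}

# Constructed sample lines (not captured from a real machine).
mds_demo() {
    while IFS= read -r line; do
        printf '%-18s <- %s\n' "$(mds_assess "$line")" "$line"
    done <<'EOF'
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: Clear CPU buffers; SMT disabled
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
Not affected
EOF
}

mds_demo
# On a live system, assess the real file as well if it is readable.
if [ -r "$MDS_SYSFS" ]; then
    printf 'this host: %s\n' "$(mds_assess "$(cat "$MDS_SYSFS")")"
fi
```

A verdict of microcode-missing points back to the microcode update step in the answer, while smt-exposed means buffer clearing is active but sibling hyperthreads are still in use.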