How to enable full mitigation for Microarchitectural Data Sampling (MDS) vulnerabilities

This option is available for macOS Mojave, High Sierra, and Sierra after installing security updates. 

Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) that apply to desktop and notebook computers with Intel CPUs, including all modern Mac computers.

Although there are no known exploits affecting customers at the time of this writing, customers who believe their computer is at heightened risk of attack can use the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology, which provides full protection from these security issues.

This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.

Performance impact of disabling hyper-threading

The full mitigation, which includes disabling hyper-threading, prevents information leakage across threads and when transitioning between kernel and user space, which is associated with the MDS vulnerabilities for both local and remote (web) attacks.

Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.

How to enable full mitigation for MDS in macOS

To enable full mitigation of MDS after installing security updates, start your Mac in macOS Recovery and then enter commands in the Terminal app.

  1. Turn on or restart your Mac and immediately press and hold Command (⌘)-R or one of the other macOS Recovery key combinations on your keyboard.
  2. From the Utilities menu in the menu bar, choose Terminal.
  3. Type the following two commands, one at a time, at the Terminal prompt. Press Return after each one.
    nvram boot-args="cwae=2"
    
    nvram SMTDisable=%01
    
  4. From the Apple menu , choose Restart.

How to revert the mitigation and reenable hyper-threading

To revert the mitigation and reenable hyper-threading processor technology, reset NVRAM and restart your Mac.

If you previously set custom boot-args, you will need to add those boot-args to the nvram command.

Note: The full mitigation is not enabled while using Boot Camp to run Windows on a Mac. 

How to check the status of hyper-threading in macOS

You can check if hyper-threading is enabled or disabled in the System Information app.

Choose Apple menu  > About This Mac, then click the System Report button. Then select Hardware in the sidebar. If the processor in your Mac supports hyper-threading, Hyper-Threading Technology is shown as either Enabled or Disabled.

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Veröffentlichungsdatum: