.. SPDX-License-Identifier: GPL-2.0

SRBDS - Special Register Buffer Data Sampling
=============================================

SRBDS is a hardware vulnerability that allows MDS :doc:`mds` techniques to
infer values returned from special register accesses. Special register
accesses are accesses to off-core registers. According to Intel's evaluation,
the special register reads that have a security expectation of privacy are
RDRAND, RDSEED and SGX EGETKEY.

When the RDRAND, RDSEED and EGETKEY instructions are used, the data is moved
to the core through the special register mechanism, which is susceptible
to MDS attacks.

Affected processors
--------------------
Core models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may
be affected.

A processor is affected by SRBDS if its Family_Model and stepping are
in the following list, with the exception of the listed processors
exporting MDS_NO while Intel TSX is available yet not enabled. The
latter class of processors is only affected when Intel TSX is enabled
by software using TSX_CTRL_MSR; otherwise they are not affected.

=============  ============  ========
common name    Family_Model  Stepping
=============  ============  ========
IvyBridge      06_3AH        All

Haswell        06_3CH        All
Haswell_L      06_45H        All
Haswell_G      06_46H        All

Broadwell_G    06_47H        All
Broadwell      06_3DH        All

Skylake_L      06_4EH        All
Skylake        06_5EH        All

Kabylake_L     06_8EH        <= 0xC
Kabylake       06_9EH        <= 0xD
=============  ============  ========

Related CVEs
------------

The following CVE entry is related to this SRBDS issue:

==============  =====  =====================================
CVE-2020-0543   SRBDS  Special Register Buffer Data Sampling
==============  =====  =====================================

Attack scenarios
----------------
An unprivileged user can extract values returned from RDRAND and RDSEED
executed on another core or sibling thread using MDS techniques.

Mitigation mechanism
--------------------
Intel will release microcode updates that modify the RDRAND, RDSEED, and
EGETKEY instructions to overwrite secret special register data in the shared
staging buffer before the secret data can be accessed by another logical
processor.

During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core
accesses from other logical processors will be delayed until the special
register read is complete and the secret data in the shared staging buffer is
overwritten.

This has three effects on performance:

#. RDRAND, RDSEED, or EGETKEY instructions have higher latency.

#. Executing RDRAND at the same time on multiple logical processors will be
   serialized, resulting in an overall reduction in the maximum RDRAND
   bandwidth.

#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other
   logical processors that miss their core caches, with an impact similar to
   legacy locked cache-line-split accesses.

The microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable
the mitigation for RDRAND and RDSEED instructions executed outside of Intel
Software Guard Extensions (Intel SGX) enclaves. On logical processors that
disable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not
take longer to execute and do not impact the performance of sibling logical
processors' memory accesses. The opt-out mechanism does not affect Intel SGX
enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
as EGETKEY execution).

IA32_MCU_OPT_CTRL MSR Definition
--------------------------------
Along with the mitigation for this issue, Intel added a new thread-scope
IA32_MCU_OPT_CTRL MSR (address 0x123). The presence of this MSR and
RNGDS_MITG_DIS (bit 0) is enumerated by CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL =
9]==1. This MSR is introduced through the microcode update.

Setting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor
disables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX
enclave on that logical processor. Opting out of the mitigation for a
particular logical processor does not affect the RDRAND and RDSEED mitigations
for other logical processors.

Note that inside of an Intel SGX enclave, the mitigation is applied regardless
of the value of RNGDS_MITG_DIS.

Mitigation control on the kernel command line
---------------------------------------------
The kernel command line allows control over the SRBDS mitigation at boot time
with the option "srbds=". The option for this is:

=============  =============================================================
off            This option disables SRBDS mitigation for RDRAND and RDSEED on
               affected platforms.
=============  =============================================================

SRBDS System Information
------------------------
The Linux kernel provides vulnerability status information through sysfs. For
SRBDS this can be accessed by the following sysfs file:
/sys/devices/system/cpu/vulnerabilities/srbds

The possible values contained in this file are:

==============================  =============================================
Not affected                    Processor not vulnerable
Vulnerable                      Processor vulnerable and mitigation disabled
Vulnerable: No microcode        Processor vulnerable and microcode is missing
                                mitigation
Mitigation: Microcode           Processor is vulnerable and mitigation is in
                                effect.
Mitigation: TSX disabled        Processor is only vulnerable when TSX is
                                enabled while this system was booted with TSX
                                disabled.
Unknown: Dependent on
hypervisor status               Running on virtual guest processor that is
                                affected but with no way to know if host
                                processor is mitigated or vulnerable.
==============================  =============================================

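The following POSIX shell script is an added example and not part of the kernel documentation: it ties together the affected-processor table, the sysfs status file and the thread-scoped RNGDS_MITG_DIS bit described above, deciding from /proc/cpuinfo family/model/stepping whether a host is on the affected list, classifying the sysfs string, and reporting which logical processors have opted out via IA32_MCU_OPT_CTRL[0]. It assumes msr-tools' ``rdmsr`` and a readable ``/dev/cpu/N/msr`` for the last step (neither is required by this page); the helper names and the "needs attention" wording are this example's own.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation.  Checks a host's SRBDS
# posture from the affected-processor table, the sysfs status file and, where
# msr-tools' rdmsr can read /dev/cpu/N/msr, the per-thread RNGDS_MITG_DIS bit.
SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# srbds_model_affected FAMILY MODEL STEPPING (decimal, as in /proc/cpuinfo):
# succeeds when the CPU is in the affected list.  The TSX-dependent exception
# is not decided here; the kernel reports it as "Mitigation: TSX disabled".
srbds_model_affected() {
    [ "$1" = 6 ] || return 1
    case "$2" in
        58|60|69|70|71|61|78|94) return 0 ;;        # 3A 3C 45 46 47 3D 4E 5E, all steppings
        142) [ "${3:-99}" -le 12 ] && return 0 ;;    # Kabylake_L 06_8EH, stepping <= 0xC
        158) [ "${3:-99}" -le 13 ] && return 0 ;;    # Kabylake   06_9EH, stepping <= 0xD
    esac
    return 1
}

# srbds_status_ok STRING: succeeds when the sysfs value means RDRAND/RDSEED
# are protected on this host; "Vulnerable", "Vulnerable: No microcode" and
# the hypervisor-dependent "Unknown" state all fail.
srbds_status_ok() {
    case "$1" in
        "Not affected"|"Mitigation: Microcode"|"Mitigation: TSX disabled") return 0 ;;
        *) return 1 ;;
    esac
}

# rngds_mitg_dis HEX: succeeds when bit 0 (RNGDS_MITG_DIS) is set in an
# IA32_MCU_OPT_CTRL value as printed by rdmsr (hex without 0x prefix).
rngds_mitg_dis() { [ -n "$1" ] && [ $(( 0x$1 & 1 )) -eq 1 ]; }
cpuinfo_field() { awk -F': *' -v k="$1" '$1 ~ "^"k"[ \t]*$" { print $2; exit }' /proc/cpuinfo; }

srbds_report() {
    fam=$(cpuinfo_field "cpu family"); mod=$(cpuinfo_field model); st=$(cpuinfo_field stepping)
    if srbds_model_affected "$fam" "$mod" "$st"; then verdict="on"; else verdict="not on"; fi
    echo "cpu family $fam model $mod stepping $st: $verdict the SRBDS affected list"
    status=$(cat "$SYSFS" 2>/dev/null || echo "Unknown: no sysfs entry")
    srbds_status_ok "$status" && echo "kernel: $status" || echo "kernel: $status (needs attention)"
    # The MSR is thread-scoped, so every logical processor is read separately.
    command -v rdmsr >/dev/null 2>&1 && [ -r /dev/cpu/0/msr ] || return 0
    for d in /sys/devices/system/cpu/cpu[0-9]*; do
        n=${d##*cpu}
        v=$(rdmsr -p "$n" 0x123 2>/dev/null) || continue   # MSR absent: no SRBDS_CTRL microcode
        rngds_mitg_dis "$v" && echo "cpu$n: RNGDS_MITG_DIS=1, mitigation opted out"
    done
}
[ -r /proc/cpuinfo ] && srbds_report
```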
SRBDS Default mitigation
------------------------
This new microcode serializes processor access during execution of RDRAND and
RDSEED and ensures that the shared buffer is overwritten before it is released
for reuse. Use the "srbds=off" kernel command line to disable the mitigation
for RDRAND and RDSEED.