105 lines
4.3 KiB
ReStructuredText
105 lines
4.3 KiB
ReStructuredText
|
==================================
|
||
|
Register File Data Sampling (RFDS)
|
||
|
==================================
|
||
|
|
||
|
Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
|
||
|
only affects Intel Atom parts(also branded as E-cores). RFDS may allow
|
||
|
a malicious actor to infer data values previously used in floating point
|
||
|
registers, vector registers, or integer registers. RFDS does not provide the
|
||
|
ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.
|
||
|
|
||
|
Affected Processors
|
||
|
===================
|
||
|
Below is the list of affected Intel processors [#f1]_:
|
||
|
|
||
|
=================== ============
|
||
|
Common name Family_Model
|
||
|
=================== ============
|
||
|
ATOM_GOLDMONT 06_5CH
|
||
|
ATOM_GOLDMONT_D 06_5FH
|
||
|
ATOM_GOLDMONT_PLUS 06_7AH
|
||
|
ATOM_TREMONT_D 06_86H
|
||
|
ATOM_TREMONT 06_96H
|
||
|
ALDERLAKE 06_97H
|
||
|
ALDERLAKE_L 06_9AH
|
||
|
ATOM_TREMONT_L 06_9CH
|
||
|
RAPTORLAKE 06_B7H
|
||
|
RAPTORLAKE_P 06_BAH
|
||
|
ATOM_GRACEMONT 06_BEH
|
||
|
RAPTORLAKE_S 06_BFH
|
||
|
=================== ============
|
||
|
|
||
|
As an exception to this table, Intel Xeon E family parts ALDERLAKE(06_97H) and
|
||
|
RAPTORLAKE(06_B7H) codenamed Catlow are not affected. They are reported as
|
||
|
vulnerable in Linux because they share the same family/model with an affected
|
||
|
part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
|
||
|
CPUID.HYBRID. This information could be used to distinguish between the
|
||
|
affected and unaffected parts, but it is deemed not worth adding complexity as
|
||
|
the reporting is fixed automatically when these parts enumerate RFDS_NO.
|
||
|
|
||
|
Mitigation
|
||
|
==========
|
||
|
Intel released a microcode update that enables software to clear sensitive
|
||
|
information using the VERW instruction. Like MDS, RFDS deploys the same
|
||
|
mitigation strategy to force the CPU to clear the affected buffers before an
|
||
|
attacker can extract the secrets. This is achieved by using the otherwise
|
||
|
unused and obsolete VERW instruction in combination with a microcode update.
|
||
|
The microcode clears the affected CPU buffers when the VERW instruction is
|
||
|
executed.
|
||
|
|
||
|
Mitigation points
|
||
|
-----------------
|
||
|
VERW is executed by the kernel before returning to user space, and by KVM
|
||
|
before VMentry. None of the affected cores support SMT, so VERW is not required
|
||
|
at C-state transitions.
|
||
|
|
||
|
New bits in IA32_ARCH_CAPABILITIES
|
||
|
----------------------------------
|
||
|
Newer processors and microcode update on existing affected processors added new
|
||
|
bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
|
||
|
vulnerability and mitigation capability:
|
||
|
|
||
|
- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
|
||
|
- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
|
||
|
microcode that clears the affected buffers on VERW execution.
|
||
|
|
||
|
Mitigation control on the kernel command line
|
||
|
---------------------------------------------
|
||
|
The kernel command line allows to control RFDS mitigation at boot time with the
|
||
|
parameter "reg_file_data_sampling=". The valid arguments are:
|
||
|
|
||
|
========== =================================================================
|
||
|
on If the CPU is vulnerable, enable mitigation; CPU buffer clearing
|
||
|
on exit to userspace and before entering a VM.
|
||
|
off Disables mitigation.
|
||
|
========== =================================================================
|
||
|
|
||
|
Mitigation default is selected by CONFIG_MITIGATION_RFDS.
|
||
|
|
||
|
Mitigation status information
|
||
|
-----------------------------
|
||
|
The Linux kernel provides a sysfs interface to enumerate the current
|
||
|
vulnerability status of the system: whether the system is vulnerable, and
|
||
|
which mitigations are active. The relevant sysfs file is:
|
||
|
|
||
|
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
|
||
|
|
||
|
The possible values in this file are:
|
||
|
|
||
|
.. list-table::
|
||
|
|
||
|
* - 'Not affected'
|
||
|
- The processor is not vulnerable
|
||
|
* - 'Vulnerable'
|
||
|
- The processor is vulnerable, but no mitigation enabled
|
||
|
* - 'Vulnerable: No microcode'
|
||
|
- The processor is vulnerable but microcode is not updated.
|
||
|
* - 'Mitigation: Clear Register File'
|
||
|
- The processor is vulnerable and the CPU buffer clearing mitigation is
|
||
|
enabled.
|
||
|
|
||
|
References
|
||
|
----------
|
||
|
.. [#f1] Affected Processors
|
||
|
https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
|