.. SPDX-License-Identifier: GPL-2.0

SRBDS - Special Register Buffer Data Sampling
=============================================

SRBDS is a hardware vulnerability that allows MDS techniques (see
Documentation/admin-guide/hw-vuln/mds.rst) to infer values returned from
special register accesses.  Special register accesses are accesses to off-core
registers.  According to Intel's evaluation, the special register reads that
have a security expectation of privacy are RDRAND, RDSEED and SGX EGETKEY.

When RDRAND, RDSEED and EGETKEY instructions are used, the data is moved
to the core through the special register mechanism that is susceptible
to MDS attacks.

Affected processors
-------------------
Core models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may
be affected.

A processor is affected by SRBDS if its Family_Model and stepping are
in the following list, with the exception of the listed processors
exporting MDS_NO while Intel TSX is available yet not enabled. The
latter class of processors is only affected when Intel TSX is enabled
by software using TSX_CTRL_MSR; otherwise they are not affected.

  =============  ============  ========
  common name    Family_Model  Stepping
  =============  ============  ========
  IvyBridge      06_3AH        All

  Haswell        06_3CH        All
  Haswell_L      06_45H        All
  Haswell_G      06_46H        All

  Broadwell_G    06_47H        All
  Broadwell      06_3DH        All

  Skylake_L      06_4EH        All
  Skylake        06_5EH        All

  Kabylake_L     06_8EH        <= 0xC
  Kabylake       06_9EH        <= 0xD
  =============  ============  ========
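
The table above can be checked against the values Linux prints in /proc/cpuinfo. The script below is an added example, not kernel code: the function names are hypothetical, and it only matches family, model and stepping. It does not evaluate the MDS_NO/TSX exception, so the sysfs status file described later remains authoritative.

```bash
#!/usr/bin/env bash
# Added example (not kernel code): match family/model/stepping against the
# SRBDS table above. The MDS_NO/TSX exception is NOT evaluated here, so the
# result is "listed", not "affected".

# Family 6 rows as "model:max_stepping"; "all" means every stepping.
SRBDS_LIST="0x3A:all 0x3C:all 0x45:all 0x46:all 0x47:all 0x3D:all
            0x4E:all 0x5E:all 0x8E:0xC 0x9E:0xD"

# srbds_listed FAMILY MODEL STEPPING (decimal, as printed in /proc/cpuinfo)
srbds_listed() {
    local family="$1" model="$2" stepping="$3" entry m max
    if [ "$family" -ne 6 ]; then echo not-listed; return 0; fi
    for entry in $SRBDS_LIST; do
        m=${entry%%:*}; max=${entry##*:}
        [ "$model" -eq "$(($m))" ] || continue
        if [ "$max" = all ] || [ "$stepping" -le "$(($max))" ]; then
            echo listed; return 0
        fi
    done
    echo not-listed
}

# cpuinfo_field NAME FILE: value of NAME in the first CPU entry of FILE.
cpuinfo_field() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" "$2" 2>/dev/null | head -n 1
}

# srbds_check_cpuinfo [FILE]: prints listed, not-listed or unknown.
srbds_check_cpuinfo() {
    local file="${1:-/proc/cpuinfo}" vendor family model stepping
    vendor=$(cpuinfo_field vendor_id "$file")
    family=$(cpuinfo_field "cpu family" "$file")
    model=$(cpuinfo_field model "$file")
    stepping=$(cpuinfo_field stepping "$file")
    if [ -z "$family" ] || [ -z "$model" ] || [ -z "$stepping" ]; then
        echo unknown; return 0
    fi
    if [ "$vendor" != GenuineIntel ]; then echo not-listed; return 0; fi
    srbds_listed "$family" "$model" "$stepping"
}

srbds_check_cpuinfo "${1:-/proc/cpuinfo}"
```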

Related CVEs
------------

The following CVE entry is related to this SRBDS issue:

    ==============  =====  =====================================
    CVE-2020-0543   SRBDS  Special Register Buffer Data Sampling
    ==============  =====  =====================================

Attack scenarios
----------------
An unprivileged user can extract values returned from RDRAND and RDSEED
executed on another core or sibling thread using MDS techniques.


Mitigation mechanism
--------------------
Intel will release microcode updates that modify the RDRAND, RDSEED, and
EGETKEY instructions to overwrite secret special register data in the shared
staging buffer before the secret data can be accessed by another logical
processor.

During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core
accesses from other logical processors will be delayed until the special
register read is complete and the secret data in the shared staging buffer is
overwritten.

This has three effects on performance:

#. RDRAND, RDSEED, or EGETKEY instructions have higher latency.

#. Executing RDRAND at the same time on multiple logical processors will be
   serialized, resulting in an overall reduction in the maximum RDRAND
   bandwidth.

#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other
   logical processors that miss their core caches, with an impact similar to
   legacy locked cache-line-split accesses.

The microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable
the mitigation for RDRAND and RDSEED instructions executed outside of Intel
Software Guard Extensions (Intel SGX) enclaves. On logical processors that
disable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not
take longer to execute and do not impact the performance of sibling logical
processors' memory accesses. The opt-out mechanism does not affect Intel SGX
enclaves (including execution of RDRAND or RDSEED inside an enclave, as well
as EGETKEY execution).

IA32_MCU_OPT_CTRL MSR Definition
--------------------------------
Along with the mitigation for this issue, Intel added a new thread-scope
IA32_MCU_OPT_CTRL MSR (address 0x123). The presence of this MSR and
RNGDS_MITG_DIS (bit 0) is enumerated by
CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL = 9]==1. This MSR is introduced through
the microcode update.

Setting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor
disables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX
enclave on that logical processor. Opting out of the mitigation for a
particular logical processor does not affect the RDRAND and RDSEED mitigations
for other logical processors.

Note that inside of an Intel SGX enclave, the mitigation is applied regardless
of the value of RNGDS_MITG_DIS.
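
Because the MSR is thread-scope, an audit has to look at every logical processor rather than only one. The script below is an added example, not kernel code: it assumes the msr driver is loaded (providing /dev/cpu/N/msr), that it runs as root, and that dd and od come from GNU coreutils. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not kernel code): per-CPU view of RNGDS_MITG_DIS.
# Assumes the msr driver is loaded (/dev/cpu/N/msr) and the script runs as root.

MCU_OPT_CTRL=0x123   # IA32_MCU_OPT_CTRL address, from the text above

# read_msr CPU MSR: prints the 64-bit value as hex; fails if the MSR cannot
# be read (for example when CPUID does not enumerate SRBDS_CTRL).
read_msr() {
    local raw
    raw=$(dd if="/dev/cpu/$1/msr" bs=8 count=1 skip="$(($2))" \
             iflag=skip_bytes 2>/dev/null | od -A n -t x8 | tr -d ' \n')
    [ -n "$raw" ] && echo "$raw"
}

# rngds_state HEXVALUE: "opted-out" if bit 0 is set, else "mitigated".
# Only bit 0 is tested, so other bits in the register do not change the answer.
rngds_state() {
    if [ $(( 0x$1 & 1 )) -eq 1 ]; then echo opted-out; else echo mitigated; fi
}

# rngds_report: reads "CPU HEXVALUE" lines on stdin, prints one state per CPU
# and returns non-zero if any logical processor has opted out.
rngds_report() {
    local cpu val state rc=0
    while read -r cpu val; do
        [ -n "$val" ] || continue
        state=$(rngds_state "$val")
        echo "cpu$cpu $state"
        [ "$state" = mitigated ] || rc=1
    done
    return $rc
}

# collect_all: emit "CPU HEXVALUE" for every logical processor that exposes
# the MSR; processors where the read fails are skipped.
collect_all() {
    local dev cpu val
    for dev in /dev/cpu/[0-9]*; do
        cpu=${dev##*/}
        val=$(read_msr "$cpu" "$MCU_OPT_CTRL") && echo "$cpu $val"
    done
}

collect_all | rngds_report || echo "at least one logical processor opted out"
```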

Mitigation control on the kernel command line
---------------------------------------------
The kernel command line allows control over the SRBDS mitigation at boot time
with the option "srbds=".  The option for this is:

  ============= =============================================================
  off           This option disables SRBDS mitigation for RDRAND and RDSEED on
                affected platforms.
  ============= =============================================================

SRBDS System Information
------------------------
The Linux kernel provides vulnerability status information through sysfs.  For
SRBDS this can be accessed by the following sysfs file:
/sys/devices/system/cpu/vulnerabilities/srbds

The possible values contained in this file are:

 ============================== =============================================
 Not affected                   Processor not vulnerable
 Vulnerable                     Processor vulnerable and mitigation disabled
 Vulnerable: No microcode       Processor vulnerable and microcode is missing
                                mitigation
 Mitigation: Microcode          Processor is vulnerable and mitigation is in
                                effect.
 Mitigation: TSX disabled       Processor is only vulnerable when TSX is
                                enabled while this system was booted with TSX
                                disabled.
 Unknown: Dependent on
 hypervisor status              Running on virtual guest processor that is
                                affected but with no way to know if host
                                processor is mitigated or vulnerable.
 ============================== =============================================
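
For fleet checks, the sysfs value can be turned into a verdict and, when the mitigation is off, correlated with the "srbds=off" boot option. The script below is an added example, not kernel code: the function name and the OK/FAIL/REVIEW verdicts are hypothetical, and the file paths are parameters so the logic can be exercised on constructed files.

```bash
#!/usr/bin/env bash
# Added example (not kernel code): turn the srbds sysfs status into an
# audit verdict. OK/FAIL/REVIEW are labels chosen for this example.

# srbds_audit [STATUS_FILE] [CMDLINE_FILE]: prints "<verdict>: <reason>".
srbds_audit() {
    local status_file="${1:-/sys/devices/system/cpu/vulnerabilities/srbds}"
    local cmdline_file="${2:-/proc/cmdline}"
    local status
    if [ ! -r "$status_file" ]; then
        echo "REVIEW: $status_file not readable; kernel reports no SRBDS status"
        return 0
    fi
    status=$(cat "$status_file")
    case $status in
        "Not affected"|"Mitigation: Microcode"|"Mitigation: TSX disabled")
            echo "OK: $status" ;;
        "Vulnerable: No microcode")
            echo "FAIL: microcode with the SRBDS mitigation is not loaded" ;;
        "Vulnerable")
            # Mitigation disabled: see whether srbds=off explains it.
            if tr ' ' '\n' < "$cmdline_file" 2>/dev/null | grep -qx 'srbds=off'
            then
                echo "FAIL: mitigation disabled by srbds=off on the command line"
            else
                echo "FAIL: mitigation disabled, srbds=off not on the command line"
            fi ;;
        "Unknown: Dependent on hypervisor status")
            echo "REVIEW: guest cannot see host state; check the hypervisor host" ;;
        *)
            echo "REVIEW: unrecognized status '$status'" ;;
    esac
}

srbds_audit "$@"
```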

SRBDS Default mitigation
------------------------
This new microcode serializes processor access during execution of RDRAND and
RDSEED, and ensures that the shared buffer is overwritten before it is released
for reuse.  Use the "srbds=off" kernel command line option to disable the
mitigation for RDRAND and RDSEED.