==================================
Register File Data Sampling (RFDS)
==================================

Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
only affects Intel Atom parts (also branded as E-cores). RFDS may allow
a malicious actor to infer data values previously used in floating point
registers, vector registers, or integer registers. RFDS does not provide the
ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.

Affected Processors
===================
Below is the list of affected Intel processors [#f1]_:

   ===================  ============
   Common name          Family_Model
   ===================  ============
   ATOM_GOLDMONT           06_5CH
   ATOM_GOLDMONT_D         06_5FH
   ATOM_GOLDMONT_PLUS      06_7AH
   ATOM_TREMONT_D          06_86H
   ATOM_TREMONT            06_96H
   ALDERLAKE               06_97H
   ALDERLAKE_L             06_9AH
   ATOM_TREMONT_L          06_9CH
   RAPTORLAKE              06_B7H
   RAPTORLAKE_P            06_BAH
   ATOM_GRACEMONT          06_BEH
   RAPTORLAKE_S            06_BFH
   ===================  ============

As an exception to this table, Intel Xeon E family parts ALDERLAKE (06_97H) and
RAPTORLAKE (06_B7H) codenamed Catlow are not affected.
They are reported as
vulnerable in Linux because they share the same family/model with an affected
part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
CPUID.HYBRID. This information could be used to distinguish between the
affected and unaffected parts, but it is deemed not worth adding complexity as
the reporting is fixed automatically when these parts enumerate RFDS_NO.

Mitigation
==========
Intel released a microcode update that enables software to clear sensitive
information using the VERW instruction. RFDS uses the same mitigation strategy
as MDS: force the CPU to clear the affected buffers before an
attacker can extract the secrets. This is achieved by using the otherwise
unused and obsolete VERW instruction in combination with a microcode update.
The microcode clears the affected CPU buffers when the VERW instruction is
executed.

Mitigation points
-----------------
VERW is executed by the kernel before returning to user space, and by KVM
before VMentry. None of the affected cores support SMT, so VERW is not required
at C-state transitions.

New bits in IA32_ARCH_CAPABILITIES
----------------------------------
Newer processors, and microcode updates on existing affected processors, added
new bits to the IA32_ARCH_CAPABILITIES MSR.
These bits can be used to enumerate
vulnerability and mitigation capability:

- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
  microcode that clears the affected buffers on VERW execution.

Mitigation control on the kernel command line
---------------------------------------------
The kernel command line allows control of the RFDS mitigation at boot time with
the parameter "reg_file_data_sampling=". The valid arguments are:

  ==========  =================================================================
  on          If the CPU is vulnerable, enable mitigation; CPU buffer clearing
              on exit to userspace and before entering a VM.
  off         Disables mitigation.
  ==========  =================================================================

Mitigation default is selected by CONFIG_MITIGATION_RFDS.

Mitigation status information
-----------------------------
The Linux kernel provides a sysfs interface to enumerate the current
vulnerability status of the system: whether the system is vulnerable, and
which mitigations are active. The relevant sysfs file is:

	/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling

The possible values in this file are:

  .. list-table::

     * - 'Not affected'
       - The processor is not vulnerable
     * - 'Vulnerable'
       - The processor is vulnerable, but no mitigation is enabled
     * - 'Vulnerable: No microcode'
       - The processor is vulnerable but microcode is not updated.
     * - 'Mitigation: Clear Register File'
       - The processor is vulnerable and the CPU buffer clearing mitigation is
         enabled.

References
----------
.. [#f1] Affected Processors
   https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
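
An added example, not part of the kernel documentation: a host audit built on the sysfs status strings, the "reg_file_data_sampling=" boot parameter, the IA32_ARCH_CAPABILITIES bits and the Catlow exception described above. The function names, the finding strings and the last-occurrence-wins handling of a repeated parameter are assumptions of this example.

```python
import re

# Bit positions in IA32_ARCH_CAPABILITIES, as listed on this page.
RFDS_NO, RFDS_CLEAR = 1 << 27, 1 << 28
SYSFS = "/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling"
# Family 6 models the page names as shared with unaffected Xeon E (Catlow) parts.
CATLOW_SHARED_MODELS = {0x97, 0xB7}
# sysfs strings from the page -> (reported vulnerable, mitigation active)
STATUS = {
    "Not affected": (False, False),
    "Vulnerable": (True, False),
    "Vulnerable: No microcode": (True, False),
    "Mitigation: Clear Register File": (True, True),
}

def decode_arch_caps(value):
    """Interpret the two RFDS bits of a raw IA32_ARCH_CAPABILITIES value."""
    if value & RFDS_NO:
        return "not affected"
    if value & RFDS_CLEAR:
        return "affected, microcode clears buffers on VERW"
    return "not enumerated"

def cmdline_setting(cmdline):
    """Value of reg_file_data_sampling= on a kernel command line, or None.
    Assumption: if the parameter is repeated, the last occurrence wins."""
    hits = re.findall(r"(?:^|\s)reg_file_data_sampling=(\S+)", cmdline)
    return hits[-1] if hits else None

def assess(status, cmdline, model=None):
    """Turn sysfs status, boot parameter and CPU model into a list of findings."""
    status = status.strip()
    if status not in STATUS:
        return [f"unrecognized status: {status!r}"]
    vulnerable, mitigated = STATUS[status]
    if not vulnerable or mitigated:
        return ["ok: " + status]
    findings = []
    if status == "Vulnerable: No microcode":
        findings.append("microcode update needed before VERW clears the buffers")
    elif cmdline_setting(cmdline) == "off":
        findings.append("mitigation disabled by reg_file_data_sampling=off")
    else:
        findings.append("mitigation not enabled; check CONFIG_MITIGATION_RFDS")
    if model in CATLOW_SHARED_MODELS:
        findings.append("model shared with unaffected Xeon E (Catlow) parts")
    return findings

if __name__ == "__main__":
    with open(SYSFS) as s, open("/proc/cmdline") as c:
        print("\n".join(assess(s.read(), c.read())))
```

The raw MSR value for `decode_arch_caps` has to be obtained separately with privileged access; the script itself reads only the sysfs file and `/proc/cmdline`.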