17222a1b5SMark Gross.. SPDX-License-Identifier: GPL-2.0 27222a1b5SMark Gross 37222a1b5SMark GrossSRBDS - Special Register Buffer Data Sampling 47222a1b5SMark Gross============================================= 57222a1b5SMark Gross 6*e499f4c2SMauro Carvalho ChehabSRBDS is a hardware vulnerability that allows MDS 7*e499f4c2SMauro Carvalho ChehabDocumentation/admin-guide/hw-vuln/mds.rst techniques to 87222a1b5SMark Grossinfer values returned from special register accesses. Special register 97222a1b5SMark Grossaccesses are accesses to off core registers. According to Intel's evaluation, 107222a1b5SMark Grossthe special register reads that have a security expectation of privacy are 117222a1b5SMark GrossRDRAND, RDSEED and SGX EGETKEY. 127222a1b5SMark Gross 137222a1b5SMark GrossWhen RDRAND, RDSEED and EGETKEY instructions are used, the data is moved 147222a1b5SMark Grossto the core through the special register mechanism that is susceptible 157222a1b5SMark Grossto MDS attacks. 167222a1b5SMark Gross 177222a1b5SMark GrossAffected processors 1810857a01SHeinrich Schuchardt------------------- 197222a1b5SMark GrossCore models (desktop, mobile, Xeon-E3) that implement RDRAND and/or RDSEED may 207222a1b5SMark Grossbe affected. 217222a1b5SMark Gross 227222a1b5SMark GrossA processor is affected by SRBDS if its Family_Model and stepping is 237222a1b5SMark Grossin the following list, with the exception of the listed processors 247222a1b5SMark Grossexporting MDS_NO while Intel TSX is available yet not enabled. The 257222a1b5SMark Grosslatter class of processors are only affected when Intel TSX is enabled 267222a1b5SMark Grossby software using TSX_CTRL_MSR otherwise they are not affected. 277222a1b5SMark Gross 287222a1b5SMark Gross ============= ============ ======== 297222a1b5SMark Gross common name Family_Model Stepping 307222a1b5SMark Gross ============= ============ ======== 313798cc4dSJosh Poimboeuf IvyBridge 06_3AH All 323798cc4dSJosh Poimboeuf 337222a1b5SMark Gross Haswell 06_3CH All 347222a1b5SMark Gross Haswell_L 06_45H All 357222a1b5SMark Gross Haswell_G 06_46H All 367222a1b5SMark Gross 377222a1b5SMark Gross Broadwell_G 06_47H All 387222a1b5SMark Gross Broadwell 06_3DH All 397222a1b5SMark Gross 407222a1b5SMark Gross Skylake_L 06_4EH All 417222a1b5SMark Gross Skylake 06_5EH All 427222a1b5SMark Gross 437222a1b5SMark Gross Kabylake_L 06_8EH <= 0xC 447222a1b5SMark Gross Kabylake 06_9EH <= 0xD 457222a1b5SMark Gross ============= ============ ======== 467222a1b5SMark Gross 477222a1b5SMark GrossRelated CVEs 487222a1b5SMark Gross------------ 497222a1b5SMark Gross 507222a1b5SMark GrossThe following CVE entry is related to this SRBDS issue: 517222a1b5SMark Gross 527222a1b5SMark Gross ============== ===== ===================================== 537222a1b5SMark Gross CVE-2020-0543 SRBDS Special Register Buffer Data Sampling 547222a1b5SMark Gross ============== ===== ===================================== 557222a1b5SMark Gross 567222a1b5SMark GrossAttack scenarios 577222a1b5SMark Gross---------------- 587222a1b5SMark GrossAn unprivileged user can extract values returned from RDRAND and RDSEED 597222a1b5SMark Grossexecuted on another core or sibling thread using MDS techniques. 607222a1b5SMark Gross 617222a1b5SMark Gross 627222a1b5SMark GrossMitigation mechanism 6310857a01SHeinrich Schuchardt-------------------- 647222a1b5SMark GrossIntel will release microcode updates that modify the RDRAND, RDSEED, and 657222a1b5SMark GrossEGETKEY instructions to overwrite secret special register data in the shared 667222a1b5SMark Grossstaging buffer before the secret data can be accessed by another logical 677222a1b5SMark Grossprocessor. 687222a1b5SMark Gross 697222a1b5SMark GrossDuring execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core 707222a1b5SMark Grossaccesses from other logical processors will be delayed until the special 717222a1b5SMark Grossregister read is complete and the secret data in the shared staging buffer is 727222a1b5SMark Grossoverwritten. 737222a1b5SMark Gross 747222a1b5SMark GrossThis has three effects on performance: 757222a1b5SMark Gross 767222a1b5SMark Gross#. RDRAND, RDSEED, or EGETKEY instructions have higher latency. 777222a1b5SMark Gross 787222a1b5SMark Gross#. Executing RDRAND at the same time on multiple logical processors will be 797222a1b5SMark Gross serialized, resulting in an overall reduction in the maximum RDRAND 807222a1b5SMark Gross bandwidth. 817222a1b5SMark Gross 827222a1b5SMark Gross#. Executing RDRAND, RDSEED or EGETKEY will delay memory accesses from other 837222a1b5SMark Gross logical processors that miss their core caches, with an impact similar to 847222a1b5SMark Gross legacy locked cache-line-split accesses. 857222a1b5SMark Gross 867222a1b5SMark GrossThe microcode updates provide an opt-out mechanism (RNGDS_MITG_DIS) to disable 877222a1b5SMark Grossthe mitigation for RDRAND and RDSEED instructions executed outside of Intel 887222a1b5SMark GrossSoftware Guard Extensions (Intel SGX) enclaves. On logical processors that 897222a1b5SMark Grossdisable the mitigation using this opt-out mechanism, RDRAND and RDSEED do not 907222a1b5SMark Grosstake longer to execute and do not impact performance of sibling logical 917222a1b5SMark Grossprocessors memory accesses. The opt-out mechanism does not affect Intel SGX 927222a1b5SMark Grossenclaves (including execution of RDRAND or RDSEED inside an enclave, as well 937222a1b5SMark Grossas EGETKEY execution). 947222a1b5SMark Gross 957222a1b5SMark GrossIA32_MCU_OPT_CTRL MSR Definition 967222a1b5SMark Gross-------------------------------- 977222a1b5SMark GrossAlong with the mitigation for this issue, Intel added a new thread-scope 987222a1b5SMark GrossIA32_MCU_OPT_CTRL MSR, (address 0x123). The presence of this MSR and 997222a1b5SMark GrossRNGDS_MITG_DIS (bit 0) is enumerated by CPUID.(EAX=07H,ECX=0).EDX[SRBDS_CTRL = 1007222a1b5SMark Gross9]==1. This MSR is introduced through the microcode update. 1017222a1b5SMark Gross 1027222a1b5SMark GrossSetting IA32_MCU_OPT_CTRL[0] (RNGDS_MITG_DIS) to 1 for a logical processor 1037222a1b5SMark Grossdisables the mitigation for RDRAND and RDSEED executed outside of an Intel SGX 1047222a1b5SMark Grossenclave on that logical processor. Opting out of the mitigation for a 1057222a1b5SMark Grossparticular logical processor does not affect the RDRAND and RDSEED mitigations 1067222a1b5SMark Grossfor other logical processors. 1077222a1b5SMark Gross 1087222a1b5SMark GrossNote that inside of an Intel SGX enclave, the mitigation is applied regardless 1097222a1b5SMark Grossof the value of RNGDS_MITG_DS. 1107222a1b5SMark Gross 1117222a1b5SMark GrossMitigation control on the kernel command line 1127222a1b5SMark Gross--------------------------------------------- 1137222a1b5SMark GrossThe kernel command line allows control over the SRBDS mitigation at boot time 1147222a1b5SMark Grosswith the option "srbds=". The option for this is: 1157222a1b5SMark Gross 1167222a1b5SMark Gross ============= ============================================================= 1177222a1b5SMark Gross off This option disables SRBDS mitigation for RDRAND and RDSEED on 1187222a1b5SMark Gross affected platforms. 1197222a1b5SMark Gross ============= ============================================================= 1207222a1b5SMark Gross 1217222a1b5SMark GrossSRBDS System Information 12210857a01SHeinrich Schuchardt------------------------ 1237222a1b5SMark GrossThe Linux kernel provides vulnerability status information through sysfs. For 1247222a1b5SMark GrossSRBDS this can be accessed by the following sysfs file: 1257222a1b5SMark Gross/sys/devices/system/cpu/vulnerabilities/srbds 1267222a1b5SMark Gross 1277222a1b5SMark GrossThe possible values contained in this file are: 1287222a1b5SMark Gross 1297222a1b5SMark Gross ============================== ============================================= 1307222a1b5SMark Gross Not affected Processor not vulnerable 1317222a1b5SMark Gross Vulnerable Processor vulnerable and mitigation disabled 1327222a1b5SMark Gross Vulnerable: No microcode Processor vulnerable and microcode is missing 1337222a1b5SMark Gross mitigation 1347222a1b5SMark Gross Mitigation: Microcode Processor is vulnerable and mitigation is in 1357222a1b5SMark Gross effect. 1367222a1b5SMark Gross Mitigation: TSX disabled Processor is only vulnerable when TSX is 1377222a1b5SMark Gross enabled while this system was booted with TSX 1387222a1b5SMark Gross disabled. 1397222a1b5SMark Gross Unknown: Dependent on 1407222a1b5SMark Gross hypervisor status Running on virtual guest processor that is 1417222a1b5SMark Gross affected but with no way to know if host 1427222a1b5SMark Gross processor is mitigated or vulnerable. 1437222a1b5SMark Gross ============================== ============================================= 1447222a1b5SMark Gross 1457222a1b5SMark GrossSRBDS Default mitigation 1467222a1b5SMark Gross------------------------ 1477222a1b5SMark GrossThis new microcode serializes processor access during execution of RDRAND, 1487222a1b5SMark GrossRDSEED ensures that the shared buffer is overwritten before it is released for 1497222a1b5SMark Grossreuse. Use the "srbds=off" kernel command line to disable the mitigation for 1507222a1b5SMark GrossRDRAND and RDSEED. 151