|
| 1 | +========================================= |
| 2 | +Processor MMIO Stale Data Vulnerabilities |
| 3 | +========================================= |
| 4 | + |
| 5 | +Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O |
| 6 | +(MMIO) vulnerabilities that can expose data. The sequences of operations for |
| 7 | +exposing data range from simple to very complex. Because most of the |
| 8 | +vulnerabilities require the attacker to have access to MMIO, many environments |
| 9 | +are not affected. System environments using virtualization where MMIO access is |
| 10 | +provided to untrusted guests may need mitigation. These vulnerabilities are |
| 11 | +not transient execution attacks. However, these vulnerabilities may propagate |
| 12 | +stale data into core fill buffers where the data can subsequently be inferred |
| 13 | +by an unmitigated transient execution attack. Mitigation for these |
| 14 | +vulnerabilities includes a combination of microcode update and software |
| 15 | +changes, depending on the platform and usage model. Some of these mitigations |
| 16 | +are similar to those used to mitigate Microarchitectural Data Sampling (MDS) or |
| 17 | +those used to mitigate Special Register Buffer Data Sampling (SRBDS). |
| 18 | + |
| 19 | +Data Propagators |
| 20 | +================ |
| 21 | +Propagators are operations that result in stale data being copied or moved from |
| 22 | +one microarchitectural buffer or register to another. Processor MMIO Stale Data |
| 23 | +Vulnerabilities are operations that may result in stale data being directly |
| 24 | +read into an architectural, software-visible state or sampled from a buffer or |
| 25 | +register. |
| 26 | + |
| 27 | +Fill Buffer Stale Data Propagator (FBSDP) |
| 28 | +----------------------------------------- |
| 29 | +Stale data may propagate from fill buffers (FB) into the non-coherent portion |
| 30 | +of the uncore on some non-coherent writes. Fill buffer propagation by itself |
| 31 | +does not make stale data architecturally visible. Stale data must be propagated |
| 32 | +to a location where it is subject to reading or sampling. |
| 33 | + |
| 34 | +Sideband Stale Data Propagator (SSDP) |
| 35 | +------------------------------------- |
| 36 | +The sideband stale data propagator (SSDP) is limited to the client (including |
| 37 | +Intel Xeon server E3) uncore implementation. The sideband response buffer is |
| 38 | +shared by all client cores. For non-coherent reads that go to sideband |
| 39 | +destinations, the uncore logic returns 64 bytes of data to the core, including |
| 40 | +both requested data and unrequested stale data, from a transaction buffer and |
| 41 | +the sideband response buffer. As a result, stale data from the sideband |
| 42 | +response and transaction buffers may now reside in a core fill buffer. |
| 43 | + |
| 44 | +Primary Stale Data Propagator (PSDP) |
| 45 | +------------------------------------ |
| 46 | +The primary stale data propagator (PSDP) is limited to the client (including |
| 47 | +Intel Xeon server E3) uncore implementation. Similar to the sideband response |
| 48 | +buffer, the primary response buffer is shared by all client cores. For some |
| 49 | +processors, MMIO primary reads will return 64 bytes of data to the core fill |
| 50 | +buffer including both requested data and unrequested stale data. This is |
| 51 | +similar to the sideband stale data propagator. |
| 52 | + |
| 53 | +Vulnerabilities |
| 54 | +=============== |
| 55 | +Device Register Partial Write (DRPW) (CVE-2022-21166) |
| 56 | +----------------------------------------------------- |
| 57 | +Some endpoint MMIO registers incorrectly handle writes that are smaller than |
| 58 | +the register size. Instead of aborting the write or only copying the correct |
| 59 | +subset of bytes (for example, 2 bytes for a 2-byte write), more bytes than |
| 60 | +specified by the write transaction may be written to the register. On |
| 61 | +processors affected by FBSDP, this may expose stale data from the fill buffers |
| 62 | +of the core that created the write transaction. |
| 63 | + |
| 64 | +Shared Buffers Data Sampling (SBDS) (CVE-2022-21125) |
| 65 | +---------------------------------------------------- |
| 66 | +After propagators may have moved data around the uncore and copied stale data |
| 67 | +into client core fill buffers, processors affected by MFBDS can leak data from |
| 68 | +the fill buffer. It is limited to the client (including Intel Xeon server E3) |
| 69 | +uncore implementation. |
| 70 | + |
| 71 | +Shared Buffers Data Read (SBDR) (CVE-2022-21123) |
| 72 | +------------------------------------------------ |
| 73 | +It is similar to Shared Buffer Data Sampling (SBDS) except that the data is |
| 74 | +directly read into the architectural software-visible state. It is limited to |
| 75 | +the client (including Intel Xeon server E3) uncore implementation. |
| 76 | + |
| 77 | +Affected Processors |
| 78 | +=================== |
| 79 | +Not all the CPUs are affected by all the variants. For instance, most |
| 80 | +processors for the server market (excluding Intel Xeon E3 processors) are |
| 81 | +impacted by only Device Register Partial Write (DRPW). |
| 82 | + |
| 83 | +Below is the list of affected Intel processors [#f1]_: |
| 84 | + |
| 85 | + =================== ============ ========= |
| 86 | + Common name Family_Model Steppings |
| 87 | + =================== ============ ========= |
| 88 | + HASWELL_X 06_3FH 2,4 |
| 89 | + SKYLAKE_L 06_4EH 3 |
| 90 | + BROADWELL_X 06_4FH All |
| 91 | + SKYLAKE_X 06_55H 3,4,6,7,11 |
| 92 | + BROADWELL_D 06_56H 3,4,5 |
| 93 | + SKYLAKE 06_5EH 3 |
| 94 | + ICELAKE_X 06_6AH 4,5,6 |
| 95 | + ICELAKE_D 06_6CH 1 |
| 96 | + ICELAKE_L 06_7EH 5 |
| 97 | + ATOM_TREMONT_D 06_86H All |
| 98 | + LAKEFIELD 06_8AH 1 |
| 99 | + KABYLAKE_L 06_8EH 9 to 12 |
| 100 | + ATOM_TREMONT 06_96H 1 |
| 101 | + ATOM_TREMONT_L 06_9CH 0 |
| 102 | + KABYLAKE 06_9EH 9 to 13 |
| 103 | + COMETLAKE 06_A5H 2,3,5 |
| 104 | + COMETLAKE_L 06_A6H 0,1 |
| 105 | + ROCKETLAKE 06_A7H 1 |
| 106 | + =================== ============ ========= |
| 107 | + |
| 108 | +If a CPU is in the affected processor list, but not affected by a variant, it |
| 109 | +is indicated by new bits in MSR IA32_ARCH_CAPABILITIES. As described in a later |
| 110 | +section, mitigation largely remains the same for all the variants, i.e. to |
| 111 | +clear the CPU fill buffers via VERW instruction. |
| 112 | + |
| 113 | +New bits in MSRs |
| 114 | +================ |
| 115 | +Newer processors and microcode update on existing affected processors added new |
| 116 | +bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate |
| 117 | +specific variants of Processor MMIO Stale Data vulnerabilities and mitigation |
| 118 | +capability. |
| 119 | + |
| 120 | +MSR IA32_ARCH_CAPABILITIES |
| 121 | +-------------------------- |
| 122 | +Bit 13 - SBDR_SSDP_NO - When set, processor is not affected by either the |
| 123 | + Shared Buffers Data Read (SBDR) vulnerability or the sideband stale |
| 124 | + data propagator (SSDP). |
| 125 | +Bit 14 - FBSDP_NO - When set, processor is not affected by the Fill Buffer |
| 126 | + Stale Data Propagator (FBSDP). |
| 127 | +Bit 15 - PSDP_NO - When set, processor is not affected by Primary Stale Data |
| 128 | + Propagator (PSDP). |
| 129 | +Bit 17 - FB_CLEAR - When set, VERW instruction will overwrite CPU fill buffer |
| 130 | + values as part of MD_CLEAR operations. Processors that do not |
| 131 | + enumerate MDS_NO (meaning they are affected by MDS) but that do |
| 132 | + enumerate support for both L1D_FLUSH and MD_CLEAR implicitly enumerate |
| 133 | + FB_CLEAR as part of their MD_CLEAR support. |
| 134 | +Bit 18 - FB_CLEAR_CTRL - Processor supports read and write to MSR |
| 135 | + IA32_MCU_OPT_CTRL[FB_CLEAR_DIS]. On such processors, the FB_CLEAR_DIS |
| 136 | + bit can be set to cause the VERW instruction to not perform the |
| 137 | + FB_CLEAR action. Not all processors that support FB_CLEAR will support |
| 138 | + FB_CLEAR_CTRL. |
| 139 | + |
| 140 | +MSR IA32_MCU_OPT_CTRL |
| 141 | +--------------------- |
| 142 | +Bit 3 - FB_CLEAR_DIS - When set, VERW instruction does not perform the FB_CLEAR |
| 143 | +action. This may be useful to reduce the performance impact of FB_CLEAR in |
| 144 | +cases where system software deems it warranted (for example, when performance |
| 145 | +is more critical, or the untrusted software has no MMIO access). Note that |
| 146 | +FB_CLEAR_DIS has no impact on enumeration (for example, it does not change |
| 147 | +FB_CLEAR or MD_CLEAR enumeration) and it may not be supported on all processors |
| 148 | +that enumerate FB_CLEAR. |
| 149 | + |
| 150 | +Mitigation |
| 151 | +========== |
| 152 | +Like MDS, all variants of Processor MMIO Stale Data vulnerabilities have the |
| 153 | +same mitigation strategy to force the CPU to clear the affected buffers before |
| 154 | +an attacker can extract the secrets. |
| 155 | + |
| 156 | +This is achieved by using the otherwise unused and obsolete VERW instruction in |
| 157 | +combination with a microcode update. The microcode clears the affected CPU |
| 158 | +buffers when the VERW instruction is executed. |
| 159 | + |
| 160 | +Kernel reuses the MDS function to invoke the buffer clearing: |
| 161 | + |
| 162 | + mds_clear_cpu_buffers() |
| 163 | + |
| 164 | +On MDS affected CPUs, the kernel already invokes CPU buffer clear on |
| 165 | +kernel/userspace, hypervisor/guest and C-state (idle) transitions. No |
| 166 | +additional mitigation is needed on such CPUs. |
| 167 | + |
| 168 | +For CPUs not affected by MDS or TAA, mitigation is needed only for the attacker |
| 169 | +with MMIO capability. Therefore, VERW is not required for kernel/userspace. For |
| 170 | +virtualization case, VERW is only needed at VMENTER for a guest with MMIO |
| 171 | +capability. |
| 172 | + |
| 173 | +Mitigation points |
| 174 | +----------------- |
| 175 | +Return to user space |
| 176 | +^^^^^^^^^^^^^^^^^^^^ |
| 177 | +Same mitigation as MDS when affected by MDS/TAA, otherwise no mitigation |
| 178 | +needed. |
| 179 | + |
| 180 | +C-State transition |
| 181 | +^^^^^^^^^^^^^^^^^^ |
| 182 | +Control register writes by CPU during C-state transition can propagate data |
| 183 | +from fill buffer to uncore buffers. Execute VERW before C-state transition to |
| 184 | +clear CPU fill buffers. |
| 185 | + |
| 186 | +Guest entry point |
| 187 | +^^^^^^^^^^^^^^^^^ |
| 188 | +Same mitigation as MDS when processor is also affected by MDS/TAA, otherwise |
| 189 | +execute VERW at VMENTER only for MMIO capable guests. On CPUs not affected by |
| 190 | +MDS/TAA, guest without MMIO access cannot extract secrets using Processor MMIO |
| 191 | +Stale Data vulnerabilities, so there is no need to execute VERW for such guests. |
| 192 | + |
| 193 | +Mitigation control on the kernel command line |
| 194 | +--------------------------------------------- |
| 195 | +The kernel command line allows to control the Processor MMIO Stale Data |
| 196 | +mitigations at boot time with the option "mmio_stale_data=". The valid |
| 197 | +arguments for this option are: |
| 198 | + |
| 199 | + ========== ================================================================= |
| 200 | + full If the CPU is vulnerable, enable mitigation; CPU buffer clearing |
| 201 | + on exit to userspace and when entering a VM. Idle transitions are |
| 202 | + protected as well. It does not automatically disable SMT. |
| 203 | + full,nosmt Same as full, with SMT disabled on vulnerable CPUs. This is the |
| 204 | + complete mitigation. |
| 205 | + off Disables mitigation completely. |
| 206 | + ========== ================================================================= |
| 207 | + |
| 208 | +If the CPU is affected and mmio_stale_data=off is not supplied on the kernel |
| 209 | +command line, then the kernel selects the appropriate mitigation. |
| 210 | + |
| 211 | +Mitigation status information |
| 212 | +----------------------------- |
| 213 | +The Linux kernel provides a sysfs interface to enumerate the current |
| 214 | +vulnerability status of the system: whether the system is vulnerable, and |
| 215 | +which mitigations are active. The relevant sysfs file is: |
| 216 | + |
| 217 | + /sys/devices/system/cpu/vulnerabilities/mmio_stale_data |
| 218 | + |
| 219 | +The possible values in this file are: |
| 220 | + |
| 221 | + .. list-table:: |
| 222 | + |
| 223 | + * - 'Not affected' |
| 224 | + - The processor is not vulnerable |
| 225 | + * - 'Vulnerable' |
| 226 | + - The processor is vulnerable, but no mitigation enabled |
| 227 | + * - 'Vulnerable: Clear CPU buffers attempted, no microcode' |
| 228 | + - The processor is vulnerable, but microcode is not updated. The |
| 229 | + mitigation is enabled on a best effort basis. |
| 230 | + * - 'Mitigation: Clear CPU buffers' |
| 231 | + - The processor is vulnerable and the CPU buffer clearing mitigation is |
| 232 | + enabled. |
| 233 | + |
| 234 | +If the processor is vulnerable then the following information is appended to |
| 235 | +the above information: |
| 236 | + |
| 237 | + ======================== =========================================== |
| 238 | + 'SMT vulnerable' SMT is enabled |
| 239 | + 'SMT disabled' SMT is disabled |
| 240 | + 'SMT Host state unknown' Kernel runs in a VM, Host SMT state unknown |
| 241 | + ======================== =========================================== |
| 242 | + |
| 243 | +References |
| 244 | +---------- |
| 245 | +.. [#f1] Affected Processors |
| 246 | + https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html |
0 commit comments