Special Register Buffer Data Sampling

Solution Verified - Updated -

Issue

Red Hat has been made aware, by our hardware partners, of a new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) that may allow data values from special registers to be leaked by an attacker able to execute code on any core of the CPU. This issue only affects certain Intel client processors and Intel Xeon E3 processors.

This issue has been assigned CVE-2020-0543 and Red Hat has rated the severity impact as Moderate.

An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both.

Background

Certain instructions (such as RDRAND) need to read data from outside the physical core on a microarchitectural level (for example, from a random number generator shared between cores) using an internal microarchitectural operation called a special register read.

On affected processors, data returned via special register read operation is stored in a processor-wide shared buffer that is usually larger than the data returned. Also, different special register read operations may use different portions of that shared buffer.

On transfer of data from the processor-wide shared buffer to per-core buffer, all content is copied, not only the result from the core initiated special register read operation. This potentially results in copying stale data from previous reads on different cores.

As such, an unprivileged local attacker can use this flaw to infer these stale values.

Affected instructions that rely on return value secrecy:

  • RDRAND
  • RDSEED
  • SGX EGETKEY

Mitigation

This vulnerability is only mitigated through microcode updates. If there are performance concerns, kernel updates will be made available in the coming weeks to provide customers with the ability to disable the microcode mitigation.

Performance impact

The microcode mitigation for SRBDS may cause a performance impact on Intel CPUs identified by the CVE for applications that use the RDRAND, RDSEED, or EGETKEY instructions. Most applications should see little to no impact unless they repeatedly use one of those instructions in hot code paths.

The performance impact can be felt in several ways. One is the individual RDRAND, RDSEED, or EGETKEY instruction times are slower. The other is that when executing those instructions, threads running on other processors may be impacted as well.

Because the RDRAND, RDSEED, or EGETKEY instructions tend not to be called repeatedly, Red Hat's application testing mostly showed impact in the 0 to low single-digit percentile range.

Red Hat will make kernels available that will provide SRBDS mitigation status and an ability to control it.

These include:

  • a new /sys/devices/system/cpu/vulnerabilities/srbds file which reports whether the system CPUs are affected or if they are properly mitigated
  • a new srbds=off kernel command line option, which disables the mitigation and restores performance. The SRBDS mitigation will also be disabled using the existing "mitigations=off" kernel command line flag.

Until updated kernels are available, reverting the microcode update to the previous version (and thus effectively removing the SRBDS mitigation) also restores performance.

Affected Products

Red Hat Product Security has rated this update as having a security impact of Moderate.

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

The following Red Hat products will not be fixed due to being outside of their support window:

  • Red Hat Enterprise Linux 5

Refer to the Red Hat Enterprise Linux Life Cycle for more information on Red Hat out of support policies.

To protect the host system from malicious containers, ensure that the host system runs up-to-date packages. Although Red Hat's KVM virtualization guests may not be directly impacted by host vulnerabilities, their security generally depends on hypervisor support and on the integrity of the host environment. To protect KVM virtualization guests from exploits of this vulnerability, ensure that the host and guest systems both run up-to-date packages.

Affected Configurations

This issue only affects certain Intel client processors and Intel Xeon E3 processors.

See also:

Resolution

Red Hat customers running affected versions of Red Hat products are recommended to update them as soon as errata are available. Customers are advised to apply the appropriate updates immediately and reboot to mitigate this flaw correctly.

Acknowledgements

Red Hat thanks Intel and industry partners for reporting this issue and collaborating on the mitigations.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.