AMD Bulldozer/Jaguar CPUs Will No Longer Advertise RdRand Support Under Linux
The RdRand instruction will still work on capable CPUs, but the CPU ID bit is being cleared so that it won't be advertised to software explicitly checking for the support. Tom Lendacky of AMD resorted to clearing the RDRAND CPU ID bit for 15h/16h processors (no impact for Zen, etc.) due to RdRand issues cropping up after suspend/resume. Those issues have affected some users for a while and trace back to the original systemd bug report about AMD RdRand problems following that cycle.
The buggy RdRand behavior is being blamed on BIOS implementations not carrying out the proper steps to ensure RdRand continues to function. But with apparently enough faulty BIOSes out there, the RdRand bit will now be cleared for those CPUs to try to stop software from using it, though any software that still uses it could experience the problematic behavior. The bug has been known for at least five years but is only now being acted upon; in the failure case RdRand could effectively be returning just -1.
If you don't plan to suspend/resume or your system/BIOS is known to be in a good state, there is a new rdrand_force kernel parameter being added to force-enable this support (a.k.a. maintain the status quo).
In response, at least one upstream developer is calling this a security vulnerability, given that up until now RdRand could be spewing non-random data, and an issue with AMD's RdRand implementation in that it could be insecure if not properly programmed by the BIOS.
This change is currently pending via this patch that is likely to end up in the Linux 5.4 cycle, though there is no word yet on the stable back-port outlook.
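An added example (not from the article or the kernel patch): a user-space C check that trusts RdRand only if the CPUID bit is set, the instruction reports success, and the output is not the stuck all-ones (-1) pattern described above. The function names are hypothetical; CPUID leaf 1, ECX bit 30 is the RDRAND feature flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* Reject a batch that looks stuck: any all-ones word (-1), or every word
 * identical. A healthy RNG hits either case with negligible probability. */
int rdrand_samples_plausible(const uint64_t *s, size_t n)
{
    size_t i, same = 1;
    if (n < 2) return 0;                    /* too few samples to judge */
    for (i = 0; i < n; i++) {
        if (s[i] == UINT64_MAX) return 0;   /* the "-1" failure pattern */
        if (i > 0 && s[i] == s[0]) same++;
    }
    return same != n;                       /* all identical => stuck */
}

#if defined(__x86_64__)
/* CPUID leaf 1, ECX bit 30 advertises RDRAND. */
static int cpu_advertises_rdrand(void)
{
    unsigned int a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 30) & 1);
}

/* One RDRAND read; returns 1 only if the carry flag signalled success. */
static int rdrand64(uint64_t *out)
{
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
}

/* 1 = usable; 0 = not advertised, read failed, or output looks stuck. */
int rdrand_usable(void)
{
    uint64_t s[8];
    size_t i;
    if (!cpu_advertises_rdrand()) return 0;
    for (i = 0; i < 8; i++)
        if (!rdrand64(&s[i])) return 0;
    return rdrand_samples_plausible(s, 8);
}
int main(void) { printf("RDRAND usable: %d\n", rdrand_usable()); return 0; }
#else
int main(void) { puts("not x86-64: RDRAND check skipped"); return 0; }
#endif
```

Because the failure shows up after suspend/resume, a check like this is only meaningful if it is repeated after resume rather than run once at startup.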