New Intel CPU Microcode & "RFDS" Linux Kernel Patch For New Security Vulnerabilities

Written by Michael Larabel in Intel on 12 March 2024 at 01:50 PM EDT. 6 Comments
INTEL
Intel has released new CPU microcode for addressing five security issues and additionally there is newly-merged Linux kernel code for mitigating the new Register File Data Sampling "RFDS" micro-architectural vulnerability affecting Atom / E cores.

Intel released updated processor microcode for mitigating SA-00972, SA-00982, SA-00898, SA-00960, and SA-01045. These security advisories are providing mitigations for an Intel Processor Bus Lock issue leading to a potential denial of service, an information disclosure vector via processor return predictions, the medium-rated RFDS vulnerability and a 3rd/4th Gen Xeon SGX/TDX escalation of privilege vulnerability.

Plus the new CPU microcode has updates for unspecified functional issues ranging from Core Ultra "Meteor Lake" back through 7th Gen Core processors as well as 4th Gen Xeon Scalable through 2nd Gen Xeon Scalable processors. This microcode drop is also the first time Intel is publishing new CPU microcode files for Meteor Lake and Emerald Rapids processors.

The new Intel CPU microcode files are available for download from GitHub.

Meanwhile merged to Linux Git is the RFDS mitigation for Register File Data Sampling. This vulnerability is around a malicious user-space being able to infer stale register values from kernel space. Due to the possibility of kernel registers having secrets, the mitigation is about clearing the values in the registers right before returning to user-space.

Alder Lake CPU


Register File Data Data Sampling affects Intel Atom / E cores from Goldmont, Tremont, Alder Lake, Raptor Lake, and Gracemont cores.
Mitigation
==========
Intel released a microcode update that enables software to clear sensitive information using the VERW instruction. Like MDS, RFDS deploys the same mitigation strategy to force the CPU to clear the affected buffers before an attacker can extract the secrets. This is achieved by using the otherwise unused and obsolete VERW instruction in combination with a microcode update. The microcode clears the affected CPU buffers when the VERW instruction is executed.

Mitigation points
-----------------
VERW is executed by the kernel before returning to user space, and by KVM before VMentry. None of the affected cores support SMT, so VERW is not required at C-state transitions.

We'll see if any of the microcode changes result in any performance changes on affected generations. Still digging through the advisories due to not being briefed in advance.
6 Comments
Related News
Rework For Intel CPU Model Handling To Land With Linux 6.10
Linux 6.10 Adding Intel Low-Latency Hint To Aggressively Boost GT Frequency For GPU Compute
Intel Releases OpenVINO 2024.1 With More Gen AI & LLM Features
Intel ANV Vulkan Driver Enables VK_KHR_shader_float_controls2
Intel Has Many Improvements For The Xe Graphics Driver In Linux 6.10
Intel Enabling Linux Driver Display Support For Upcoming "Battlemage" GPUs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Fedora Linux 40 Available For Download As A Wonderful Upgrade
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
GNU Portability Library's Tool Rewritten In Python For 8~100x Better Performance
Godot's Vulkan Backend Seeing Better Performance, 10~20% Reduction In Frame Times
GNOME Working To Make Key Rack A Viable Password Manager, Better Printing For Flatpaks
Systemd 256-rc1 Brings A Huge Number Of New Features