Kernel ASI Still Being Worked On For Protecting Against Hyper Threading Data Leaks

Written by Michael Larabel in Linux Security on 26 August 2020 at 02:00 PM EDT. Add A Comment
LINUX SECURITY
At this week's Linux Plumbers Conference there were DigitalOcean engineers providing an update on their CoreScheduling work in the era of vulnerabilities affecting Hyper Threading. Oracle meanwhile presented today at LPC2020 on their Kernel Address Space Isolation (ASI) functionality for dealing with Hyper Threading data leakage in a different manner, but the performance costs are still being evaluated.

Oracle engineers for more than one year have been working on Kernel ASI to prevent data leakage when Hyper Threading is vulnerable from the likes of L1 Terminal Fault (L1TF) on Intel CPUs. Where as DigitalOcean's work on core scheduling is about ensuring only trusted applications are on sibling threads of a core, ASI is about isolating the address space between different areas of the kernel to prevent leaking bits as a result of attacks like L1TF or Foreshadow.

One of the main areas of interest to Oracle with Address Space Isolation is for the Kernel-based Virtual Machine (KVM) virtualization for ensuring no address space leakage between guest VMs or of the host. Oracle though acknowledges that core scheduling is best for mitigating guest-to-guest attacks or ensuring guest VMs don't share physical cores while ASI is more in line with mitigating guest-to-host attacks.

A fifth version of Oracle's Address Space Isolation for the Linux kernel is being prepared. With that forthcoming patch series is the KVM ASI integration as well as ASI Lockdown. ASI Lockdown forces all CPU threads from a CPU core to use a specified ASI.

The developers feel the core ASI code is now stable but further testing on ASI Lockdown and KVM ASI are still needed. Somewhat worrisome is that the performance impact of KPTI and KVM is still needed to see the performance costs for this layer of protection.


The LPC2020 slide deck providing the update on ASI can be found here (PDF).
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week