- Oct 30, 2023

commit 8974eb58 upstream

Gather Data Sampling (GDS) is a hardware vulnerability which allows unprivileged speculative access to data which was previously stored in vector registers.

Intel processors that support AVX2 and AVX512 have gather instructions that fetch non-contiguous data elements from memory. On vulnerable hardware, when a gather instruction is transiently executed and encounters a fault, stale data from architectural or internal vector registers may get transiently stored to the destination vector register allowing an attacker to infer the stale data using typical side channel techniques like cache timing attacks.

This mitigation is different from many earlier ones for two reasons. First, it is enabled by default and a bit must be set to *DISABLE* it. This is the opposite of normal mitigation polarity. This means GDS can be mitigated simply by updating microcode and leaving the new control bit alone.

Second, GDS has a "lock" bit. This lock bit is there because the mitigation affects the hardware security features KeyLocker and SGX. It needs to be enabled and *STAY* enabled for these features to be mitigated against GDS.

The mitigation is enabled in the microcode by default. Disable it by setting gather_data_sampling=off or by disabling all mitigations with mitigations=off. The mitigation status can be checked by reading:

    /sys/devices/system/cpu/vulnerabilities/gather_data_sampling

Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

- Mar 16, 2023

commit 44194701 upstream

Add the admin guide for Processor MMIO stale data vulnerabilities.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

- Jun 10, 2020

Mark Gross authored

commit 7222a1b5 upstream

Add documentation for the SRBDS vulnerability and its mitigation.

[ bp: Massage. jpoimboe: sysfs table strings. ]

Signed-off-by: Mark Gross <mgross@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

- Nov 04, 2019

Gomez Iglesias, Antonio authored

Add the initial ITLB_MULTIHIT documentation.

[ tglx: Add it to the index so it gets actually built. ]

Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Nelson D'Souza <nelson.dsouza@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

- Oct 28, 2019

Pawan Gupta authored

Add the documentation for TSX Async Abort. Include the description of the issue, how to check the mitigation state, control the mitigation, and guidance for system administrators.

[ bp: Add proper SPDX tags, touch ups by Josh and me. ]

Co-developed-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>

- Jun 26, 2019

Tim Chen authored

Add documentation for Spectre vulnerability and the mitigation mechanisms:

- Explain the problem and risks
- Document the mitigation mechanisms
- Document the command line controls
- Document the sysfs files

Co-developed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Co-developed-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

- Mar 06, 2019

Thomas Gleixner authored

Add the initial MDS vulnerability documentation.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jon Masters <jcm@redhat.com>

Thomas Gleixner authored

Move L1TF to a separate directory so the MDS stuff can be added at the side. Otherwise all the hardware vulnerabilities have their own top level entry. Should have done that right away.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Jon Masters <jcm@redhat.com>