    x86/speculation: Add Gather Data Sampling mitigation · 8974eb58
    Daniel Sneddon authored
    Gather Data Sampling (GDS) is a hardware vulnerability which allows
    unprivileged speculative access to data which was previously stored in
    vector registers.
    
    Intel processors that support AVX2 and AVX512 have gather instructions
    that fetch non-contiguous data elements from memory. On vulnerable
    hardware, when a gather instruction is transiently executed and
    encounters a fault, stale data from architectural or internal vector
    registers may get transiently stored to the destination vector
    register allowing an attacker to infer the stale data using typical
    side channel techniques like cache timing attacks.
    
    This mitigation is different from many earlier ones for two reasons.
    First, it is enabled by default and a bit must be set to *DISABLE* it.
    This is the opposite of normal mitigation polarity. This means GDS can
    be mitigated simply by updating microcode and leaving the new control
    bit alone.
    
    Second, GDS has a "lock" bit. This lock bit is there because the
    mitigation affects the hardware security features KeyLocker and SGX.
    It needs to be enabled and *STAY* enabled for these features to be
    mitigated against GDS.
    
    The mitigation is enabled in the microcode by default. Disable it by
    setting gather_data_sampling=off or by disabling all mitigations with
    mitigations=off. The mitigation status can be checked by reading:
    
        /sys/devices/system/cpu/vulnerabilities/gather_data_sampling

    Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
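A defender-side status check for the sysfs entry and the two boot parameters named in the message, written as an added example that is not part of this commit or of the kernel tree. It assumes the usual prefixes of the vulnerabilities sysfs files ("Not affected", "Vulnerable", "Mitigation:", "Unknown"); those strings are not stated in the commit message.

```shell
#!/bin/sh
# Added example (not kernel code): report the GDS mitigation state of a host.
# Assumed convention: the sysfs file begins with "Not affected", "Vulnerable",
# "Mitigation:" or "Unknown" like the other files in that directory.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS -> prints not-affected | mitigated | vulnerable | unknown
gds_classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# gds_disabled_by_cmdline CMDLINE -> succeeds if the command line turns the
# mitigation off, either directly (gather_data_sampling=off) or globally
# (mitigations=off); both switches are the ones the commit message documents.
gds_disabled_by_cmdline() {
    for tok in $1; do
        case "$tok" in
            gather_data_sampling=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# gds_report SYSFS_FILE CMDLINE_FILE -> prints a verdict; exit status 0 only
# when the host is mitigated or not affected, 2 when the sysfs entry is absent
# (a kernel without this mitigation cannot report its state at all).
gds_report() {
    if [ ! -r "$1" ]; then
        echo "no-sysfs-entry (kernel predates this mitigation?)"
        return 2
    fi
    status=$(gds_classify "$(cat "$1")")
    if gds_disabled_by_cmdline "$(cat "$2" 2>/dev/null)"; then
        echo "$status (mitigation disabled on kernel command line)"
    else
        echo "$status"
    fi
    [ "$status" = mitigated ] || [ "$status" = not-affected ]
}

# Run directly: report on the live system (failure status is informational here)
[ "${GDS_NO_MAIN:-}" ] || gds_report "$GDS_SYSFS" /proc/cmdline || :
```

Because the control bit's polarity is inverted (set to disable), a host that reports "Mitigation:" needs only the microcode update; the check above flags the two command-line switches that would turn it back off.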