Re: Zenbleed

From: Olivier Certner <olivier.freebsd_at_free.fr>
Date: Thu, 27 Jul 2023 15:32:47 UTC
Hello,

I can confirm that the PoC unfortunately works perfectly on an AMD 3900X.
Variant 0 leads to a few leaks, variant 1 apparently none, variant 2 many more,
and variant 3 the most.  With variant 3, I'm measuring around 6 upper-XMM leaks per
second with 12 threads, hence ~8 bytes/s/core (~64bit/s/core), far from the
reported[1] speed of 30kb/s/core in the original post (on different hardware).
But I can see text, such as JS code, leaking.  This is serious.

The workaround provided by kib@ in another reply works (leaks stop instantly):
# for x in /dev/cpuctl*; do cpucontrol -m '0xc0011029|=0x200' $x; done
Little info on MSR C001_1029 is available[6].

According to [2] and [3], it seems that no firmware is currently available for
anything other than Rome/Castle Peak and Mendocino (see AMD processors list[5]).
BIOS updates will come at best at the end of the year (see [2]).  The situation for
microcode updates seems more blurry, as [2] does not talk about them (except
for Rome/Castle Peak), but [4] seems to indicate that these updates at least
have been assigned IDs for all affected models.

If someone has more info, please share.

Thanks.

Links:
[1] https://lock.cmpxchg8b.com/zenbleed.html
[2] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
[3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f
[4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.4.6&id=9b8bb5c4e25678af895dc9dd4a1e82b2f948cacc
[5] https://en.wikipedia.org/wiki/List_of_AMD_Ryzen_processors
[6] https://lore.kernel.org/lkml/20170425114541.8267-1-dvlasenk@redhat.com/

-- 
Olivier Certner
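As an added example (not part of the mail above), a small sh script that verifies the workaround from the thread actually took effect on every core: it parses `cpucontrol -m` read output and tests bit 9 (mask 0x200) of MSR 0xC0011029. The output format `MSR 0x...: 0x<high> <low>` is an assumption about cpucontrol(8), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: check that the Zenbleed chicken bit (bit 9, mask 0x200) of
# MSR 0xC0011029 is set on each core, after running the cpucontrol workaround.
# ASSUMPTION: "cpucontrol -m 0xc0011029 /dev/cpuctlN" prints one line of the form
#   MSR 0xc0011029: 0x<high32> <low32>

ZB_MSR=0xc0011029
ZB_MASK=0x200

# msr_bit_set LINE: exit 0 if bit 9 of the low dword in LINE is set, else 1.
msr_bit_set() {
    low=$(printf '%s\n' "$1" | awk '{print $NF}')
    [ $(( 0x$low & ZB_MASK )) -ne 0 ]
}

# count_unmitigated: reads cpucontrol output lines on stdin and prints how
# many of them lack the bit (i.e. cores where the workaround is not active).
count_unmitigated() {
    n=0
    while IFS= read -r line; do
        msr_bit_set "$line" || n=$((n + 1))
    done
    echo "$n"
}

# check_all_cores: live run on FreeBSD (needs root and the cpuctl(4) module);
# prints each core's MSR line and a summary of unmitigated cores.
check_all_cores() {
    out=$(for dev in /dev/cpuctl*; do cpucontrol -m "$ZB_MSR" "$dev"; done)
    printf '%s\n' "$out"
    echo "cores without mitigation: $(printf '%s\n' "$out" | count_unmitigated)"
}

if [ "${1:-}" = "--run" ]; then
    check_all_cores
fi
```

The MSR write is volatile, so the bit must be re-applied on every boot and this check repeated afterwards.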