From: Olivier Certner
To: freebsd-security@freebsd.org
Subject: Re: Zenbleed
Date: Thu, 27 Jul 2023 17:32:47 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello,

I can confirm that the PoC unfortunately works perfectly on an AMD 3900X.

Variant 0 leads to a few leaks, 1 apparently none, variant 2 much more and variant 3 the most. With variant 3, I'm measuring around 6 upper-XMM leaks per second with 12 threads, hence ~8 bytes/s/core (~64bit/s/core), far from the reported[1] speed of 30kb/s/core in the original post (on different hardware). But I can see text, such as JS code, leaking. This is serious.

The workaround provided by kib@ in another reply works (leaks stop instantly):

    # for x in /dev/cpuctl*; do cpucontrol -m '0xc0011029|=0x200' $x; done

Little info on MSR C001_1029 is available[6].

According to [2] and [3], it seems that no firmware is currently available for anything other than Rome/Castle Peak and Mendocino (see AMD processors list[5]). BIOS updates will come at best at the end of the year (see [2]). The situation for microcode updates seems more blurry, as [2] does not talk about them (except for Rome/Castle Peak), but [4] seems to indicate that these updates at least have been assigned IDs for all affected models.

If someone has more info, please share.

Thanks.

Links:
[1] https://lock.cmpxchg8b.com/zenbleed.html
[2] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html
[3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f
[4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.4.6&id=9b8bb5c4e25678af895dc9dd4a1e82b2f948cacc
[5] https://en.wikipedia.org/wiki/List_of_AMD_Ryzen_processors
[6] https://lore.kernel.org/lkml/20170425114541.8267-1-dvlasenk@redhat.com/

-- 
Olivier Certner
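
A way to confirm that the workaround quoted in the message is in effect on every core, for instance after a reboot, since an MSR written with cpucontrol does not survive one. This is an added example, not part of the original message: it assumes `cpucontrol -m <msr> <device>` prints `MSR 0x<msr>: 0x<high32> 0x<low32>`, and the function names and sample readings are constructed.

```shell
#!/bin/sh
# Added example: report CPUs on which bit 0x200 of MSR 0xc0011029 is NOT set.
MSR=0xc0011029
MASK=0x200   # the bit OR-ed in by the workaround command in the message

# Reads "<device> MSR 0x<msr>: 0x<high32> 0x<low32>" lines on stdin (assumed
# cpucontrol output format, prefixed with the device name) and prints every
# device whose low word lacks MASK. Unreadable entries count as unmitigated.
unmitigated_cpus() {
    while read -r dev tag reg high low; do
        case $low in
            0x*) [ $(( $low & $MASK )) -ne 0 ] || printf '%s\n' "$dev" ;;
            *)   printf '%s\n' "$dev" ;;
        esac
    done
}

# Queries every cpuctl device; needs root and the cpuctl(4) driver loaded.
read_all_cpus() {
    for dev in /dev/cpuctl*; do
        [ -c "$dev" ] || continue
        printf '%s %s\n' "$dev" "$(cpucontrol -m "$MSR" "$dev" 2>/dev/null)"
    done
}

# Constructed sample readings: cpuctl0 mitigated, cpuctl1 not, cpuctl2 unreadable.
sample_readings() {
    cat <<'EOF'
/dev/cpuctl0 MSR 0xc0011029: 0x00000000 0x00000200
/dev/cpuctl1 MSR 0xc0011029: 0x00000000 0x00000000
/dev/cpuctl2
EOF
}

# "--live" checks the running system; exit status 1 means at least one core
# is missing the bit, which makes the script usable from cron or monitoring.
if [ "${1:-}" = "--live" ]; then
    bad=$(read_all_cpus | unmitigated_cpus)
    if [ -n "$bad" ]; then
        echo "workaround bit not set on:" $bad >&2
        exit 1
    fi
fi
```

Run with `--live` as root on the affected host; without arguments the script only defines the functions.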