The Register File Data Sampling vulnerability may allow malicious userspace programs to infer stale kernel register data, potentially exposing sensitive key values, including AES keys. To address this vulnerability, a microcode update needs to be applied to the CPU, which modifies the VERW instruction to flush the affected CPU buffers.

The kernel already has a facility to flush CPU buffers before returning to userspace, which is indicated by the X86_FEATURE_CLEAR_CPU_BUF flag. Ensure the mitigation is in place before enabling Key Locker. Do not enable the feature on CPUs that are affected by the vulnerability but lack the mitigation.

Signed-off-by: Chang S. Bae <chang.seok.bae@xxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
Cc: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>
---
Change from v8:
* Add as a new patch.

Note that the code change follows the mitigation guidance [1]:

  "Software loading Key Locker keys using LOADIWKEY should execute a VERW to clear registers before transitioning to untrusted code to prevent later software from inferring the loaded key."

[1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
---
 arch/x86/kernel/keylocker.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/arch/x86/kernel/keylocker.c b/arch/x86/kernel/keylocker.c index d4f3aa65ea8a..6e805c4da76d 100644 --- a/arch/x86/kernel/keylocker.c +++ b/arch/x86/kernel/keylocker.c 
@@ -135,12 +135,29 @@ static bool __init have_gds_mitigation(void) return false; } +/* + * IA32_ARCH_CAPABILITIES MSR is retrieved during the setting of + * X86_BUG_RFDS. Ensure that the mitigation is applied to flush CPU + * buffers by checking the flag. + */ +static bool __init have_rfds_mitigation(void) +{ + if (boot_cpu_has(X86_FEATURE_CLEAR_CPU_BUF)) + return true; + + pr_warn("x86/keylocker: Susceptible to the RFDS vulnerability.\n"); + return false; +} + /* Check if Key Locker is secure enough to be used. */ static bool __init secure_keylocker(void) { if (boot_cpu_has_bug(X86_BUG_GDS) && !have_gds_mitigation()) return false; + if (boot_cpu_has_bug(X86_BUG_RFDS) && !have_rfds_mitigation()) + return false; + return true; } -- 2.34.1
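Review bot: the comment above have_rfds_mitigation() refers to the IA32_ARCH_CAPABILITIES MSR, but the function never reads that MSR; it only tests X86_FEATURE_CLEAR_CPU_BUF, which the commit message itself describes as the kernel's generic flush-CPU-buffers-before-returning-to-userspace facility rather than an RFDS-specific indication that the updated VERW microcode is present. Suggest rewording the comment to say what the check actually relies on: that the flag is set only after the bug-mitigation code has selected a VERW-based flush, so on an X86_BUG_RFDS CPU the flag being set implies the microcode mitigation is loaded. If that implication does not hold on every affected part, the check should look at RFDS-specific mitigation state instead of the shared flag. Two smaller points: the pr_warn() text "x86/keylocker: Susceptible to the RFDS vulnerability." does not say what the consequence is, so a reader of dmesg cannot tell that Key Locker is being left disabled because of it; something like "x86/keylocker: RFDS mitigation missing, Key Locker disabled" would be more actionable. And since the quoted guidance [1] asks for a VERW before any transition to untrusted code, the commit message should state whether return-to-userspace is the only transition that matters after LOADIWKEY here, or whether other exits to untrusted code are also covered by the same flag.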
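The gate this patch adds is internal to the kernel, so an administrator who wants to know whether a given machine would pass it has to look at what the kernel reports. The following is an added example, not part of the patch or of the kernel's own code: it reads the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/ (the file names gather_data_sampling and reg_file_data_sampling, and the status strings such as "Mitigation: Clear Register File" and "Vulnerable: No microcode", are assumed here to match what the kernel prints), classifies each by prefix, and applies the same rule as secure_keylocker(): an affected but unmitigated CPU fails the gate. When the files are not readable (non-x86 host, older kernel, restricted container) it falls back to constructed sample values so the logic can still be exercised.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Mitigation state derived from one file under
 * /sys/devices/system/cpu/vulnerabilities/ (classified by prefix). */
enum mit_state { MIT_NOT_AFFECTED, MIT_MITIGATED, MIT_VULNERABLE };

/* Classify one sysfs status line. Anything that is neither "Not affected"
 * nor "Mitigation: ..." (e.g. "Vulnerable", "Vulnerable: No microcode",
 * "Unknown: ...") is treated as unmitigated, which matches the conservative
 * reading the patch takes for X86_BUG_RFDS without X86_FEATURE_CLEAR_CPU_BUF.
 * The status strings are assumed to follow the kernel's reporting format. */
enum mit_state classify_status(const char *status)
{
    if (strncmp(status, "Not affected", 12) == 0)
        return MIT_NOT_AFFECTED;
    if (strncmp(status, "Mitigation:", 11) == 0)
        return MIT_MITIGATED;
    return MIT_VULNERABLE;
}

/* Same rule as secure_keylocker() in the patch: Key Locker is acceptable only
 * if each listed bug is either absent or mitigated. */
bool keylocker_acceptable(enum mit_state gds, enum mit_state rfds)
{
    if (gds == MIT_VULNERABLE)
        return false;
    if (rfds == MIT_VULNERABLE)
        return false;
    return true;
}

/* Read one sysfs vulnerability file into buf (newline stripped).
 * Returns false if the file is unavailable. */
static bool read_status(const char *name, char *buf, size_t len)
{
    char path[256];
    FILE *f;

    snprintf(path, sizeof path,
             "/sys/devices/system/cpu/vulnerabilities/%s", name);
    f = fopen(path, "r");
    if (!f)
        return false;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return false;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return true;
}

int main(void)
{
    /* Constructed fallback samples, not captured from a real machine:
     * GDS mitigated by microcode, RFDS affected but lacking microcode. */
    const char *sample_gds  = "Mitigation: Microcode";
    const char *sample_rfds = "Vulnerable: No microcode";
    char gds[128], rfds[128];
    bool ok;

    if (!read_status("gather_data_sampling", gds, sizeof gds))
        snprintf(gds, sizeof gds, "%s", sample_gds);
    if (!read_status("reg_file_data_sampling", rfds, sizeof rfds))
        snprintf(rfds, sizeof rfds, "%s", sample_rfds);

    ok = keylocker_acceptable(classify_status(gds), classify_status(rfds));
    printf("GDS:  %s\nRFDS: %s\nKey Locker gate: %s\n", gds, rfds,
           ok ? "would pass" : "would fail (feature left disabled)");
    return 0;
}
```

Run it on the target host as any user; with the constructed fallback values it reports that the gate would fail, which is exactly the case the patch is meant to catch: an affected part whose RFDS status is not a "Mitigation:" line.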