Security Vulnerability: Spectre side channel attack "Lazy FPU Save/Restore" aka CVE-2018-3665.
This document (7023076) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12
Situation
This issue is x86 platform specific.
On Intel and AMD x86 processors, operating systems and hypervisors often use what is referred to as a deferred saving and restoring method of the x86 FPU state, as part of performance optimization. This is done in a "lazy" on-demand fashion.
It was found that due to the "lazy" approach, the x86 FPU states or FPU / XMM / AVX512 register content, could leak across process, or even VM boundaries, giving attackers possibilities to read private data from other processes, when using speculative execution side channel gadgets.
Resolution
The software mitigation for this is to switch to an "eager" / immediate FPU state save and restore, in both kernels and hypervisors.
Following the kernel releases listed below, the "eagerfpu=auto" default is now "on" for all CPUs.
Upstream Linux kernels after Linux 4.6 have eager FPU switching by default, and this mode of switching is backported to our SUSE Linux Enterprise kernels. SUSE is also backporting the eager FPU state switching patches to all older SUSE Linux Enterprise releases.
The SUSE Linux Enterprise 12 kernels have a boot command line option to switch from lazy to eager FPU context switching called "eagerfpu",
which mitigates the security issue. This option has the default of "auto".
To date, the automatic default here was "on" for CPUs with the XSAVEOPT feature in modern Intel procesors (Broadwell/Haswell and newer), and "off" for all older CPUs.
which mitigates the security issue. This option has the default of "auto".
To date, the automatic default here was "on" for CPUs with the XSAVEOPT feature in modern Intel procesors (Broadwell/Haswell and newer), and "off" for all older CPUs.
Please note :
- the 'eagerfpu=on' parameter was not correctly parsed on the kernel command line in 4.4 kernels prior to SLES12 SP3 kernel-4.4.138-94.39.1 and SLES12 SP2 kernel-4.4.121-92.85.1
- On SUSE Linux Enterprise Server 11, the kernel did not have this option before this update, but it has received a backport of the "eagerfpu" kernel option with this update.
SUSE has released updates to address this vulnerability in the following package versions :
SLES 12 SP3
SLES 12 SP2 - LTSS
SLES 12 SP1 - LTSS
SLES 12 GA - LTSS
SLES 11 SP4
SLES 11 SP3 - LTSS
SLES 12 SP3
- kernel 4.4.138-94.39.1
SLES 12 SP2 - LTSS
- kernel 4.4.121-92.85.1 (in QA)
SLES 12 SP1 - LTSS
- kernel 3.12.74-60.64.96.1
SLES 12 GA - LTSS
- kernel 3.12.61-52.136.1
SLES 11 SP4
- kernel 3.0.101-108.57.1
SLES 11 SP3 - LTSS
- kernel 3.0.101-0.47.106.35.1
Cause
Additional Information
Please note :
- This issue also affects hypervisors like XEN, which will also change the behaviour to eager save/restore method.
- CPU Microcode changes are not needed to mitigate this issue.
This change will incur only a minor performance loss since most software today already uses the FPU registers, as such, a state is already required to be saved/restored.
Additional Information :
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
- XEN advisory:
https://xenbits.xen.org/xsa/advisory-267.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023076
- Creation Date: 11-Jun-2018
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
