Disclosure date: 2024-03-12 Published date: 2024-03-12 |
Severity rating: 6.5 Medium |
Industry-wide severity ratings can be found in the National Vulnerability Database |
Related Content
Introduction
Register File Data Sampling (RFDS) is a microarchitectural vulnerability, which, in some situations, may allow an attacker to infer data values previously used in floating point registers, vector registers, or integer registers1 . RFDS only affects Intel Atom® processors.
RFDS was discovered as part of Intel’s extensive internal validation work on microarchitectural security. Similar to data sampling transient execution attacks, like Microarchitectural Data Sampling (MDS), RFDS may allow a malicious actor who can locally execute code on a system to infer the values of secret data which is otherwise protected by architectural mechanisms. RFDS differs from the MDS vulnerabilities in both the method of exposure and in the data exposed (RFDS exposes stale register data only). Neither MDS nor RFDS, by themselves, provide malicious actors the ability to choose which data is inferred using these methods.
Intel will release a microcode update that enables software to clear sensitive information using the VERW instruction. This is similar to the mitigation mechanism previously used for Microarchitectural Data Sampling (MDS) and Processor MMIO Stale Data Vulnerabilities.
RFDS is assigned CVE-2023-28746 with a CVSS base score of 6.5 (Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.
Impact Summary
Malicious software that is able to execute code locally may be able to infer data values previously held in floating point registers, vector registers, and/or integer registers of the same logical processor. These previous register values may come from:
- Other applications
- Operating System (OS)
- System Management Mode (SMM)
- Intel® Software Guard Extensions (Intel® SGX) enclaves
- Virtual Machine Manager (VMM), if present
- Other guests running under the same VMM
- Boot firmware (for example, BIOS)
Note that no processors which support Intel® Trust Domain Extensions (Intel® TDX) are affected by this vulnerability.
Background and Issue Description
Register File Data Sampling is a domain-bypass transient execution attack which may allow an attacker to infer stale register values (data left in registers from previous operations).
On affected Intel Atom processors, RFDS may allow an attacker to infer values that were previously in a floating point/vector register or, on the Gracemont core2 , integer register. Similar to other data sampling attacks, RFDS does not directly allow an attacker to select specific data to attack; only the stale data that exists in register files is able to be inferred.
This may be a concern when the stale value comes from a different security domain. For example, RFDS may allow a malicious application to infer register values previously used by the operating system.
Note that none of the cores affected by RFDS support Intel® Hyper-Threading Technology (Intel® HT Technology), although hybrid processors may contain both affected cores and cores which support Intel® HT Technology. The RFDS method can only infer stale data values from software that ran on that affected logical processor. Refer to the 2022-2024 tab of the consolidated Affected Processors table (Register File Data Sampling column) for further details.
Also note that the processor structure which holds the registers, called a register file, may hold temporary values used within operations (for example, data moved by REP MOVS or the keys used by Key Locker operations or AES-NI) and these values may also be inferred using RFDS.
Although stale values in a specific register file (for example, integer register files or floating point/vector register files) will eventually be overwritten by new instructions, this can require hundreds of operations writing to that register file. Because many software routines use only integer operations and not floating point or vector operations, in practice, stale floating point/vector values may persist in the register file longer than stale integer values. Due to the implementation details of the Fast Store Forwarding Predictor (FSFP), it may be possible to infer previous integer store values on parts which both support FSFP and allow integer registers to be inferred.
At this time, there is no known practical RFDS value injection transient execution attack.
Mitigation
Intel will release a microcode update which will modify certain operations3 (VERW, RSM, Key Locker operations4, and entering or exiting Intel® SGX enclaves) to overwrite affected stale register values.
On affected processors, software can execute the VERW instruction before changing security domains. For example, the OS could execute VERW before returning to an untrusted application or the hypervisor could execute VERW before returning to an untrusted guest. This approach is similar to the mitigations for previous issues like Microarchitectural Data Sampling (MDS) and Processor MMIO Stale Data Vulnerabilities, which may also use the VERW instruction in such cases.
When VERW is invoked, it overwrites only the stale register values, not the architectural (current) values. Since the architectural values of registers are not overwritten, they may later become stale. This means that values in x87, MMX, Streaming SIMD Extensions (SSE), or Intel® Advanced Vector Extensions (Intel® AVX) registers at the time of VERW may be inferred later. Similarly, for processors on which integer registers are also affected, the values of integer registers5 (R{A/B/C/D}X, R8-R15, RSI, RDI, RSP, RBP}), or arithmetic flags (OF, SF, PF, ZF, AF, CF) or SSP at the time of VERW may be inferred later. Software can mitigate this by overwriting these registers before VERW is invoked. Note that it may not be possible for some OSes to prevent the ring 0 values of RSP and SSP from being inferred by applications due to the need for the OS to maintain its own values in these registers during OS operation. Ring 0 values of RSP and SSP reveal only address layout; not data values of the OS or other applications.
The VERW instruction may not overwrite integer register file data which is in use by Fast Store Forwarding Predictors. On processors which are affected by RFDS and support such predictors, software may choose to set IA32_SPEC_CTRL.PSFD (bit 7) to disable the use of these predictors. Intel believes that this is unlikely to allow secrets to be inferred in real-world scenarios and thus does not recommend setting PSFD to disable the use of these predictors.
On affected processors, loading the updated microcode will mitigate any potential direct attacks using RFDS against Intel SGX enclaves. There will be an Intel SGX TCB Recovery for those Intel SGX-capable affected processors, which are code named Gemini Lake and Gemini Lake Refresh. This TCB Recovery will only attest as up-to-date when the patch has been FIT-loaded (for example, with an updated BIOS).
Adding the VERW instruction to a section of code may increase its latency. Thus, applying VERW after domain transitions can lengthen those transitions. Even when operating systems are applying VERW on domain transitions to mitigate this issue, minimal performance impact is expected for the majority of workloads. However, when Key Locker6 is in use for disk encryption on systems which only have E-cores enabled, Intel has observed some performance impact due to the microcode update on some encrypted file I/O workloads.
Enumeration
Processors which are not affected by RFDS may enumerate this by setting IA32_ARCH_CAPABILITIES[RFDS_NO]. RFDS_NO is bit position 27 in the IA32_ARCH_CAPABILITIES MSR. Affected processors are listed in the affected processor table; it is possible that some unaffected parts will not have a microcode update loaded that enumerates RFDS_NO.
Processors will enumerate IA32_ARCH_CAPABILITIES[RFDS_CLEAR] if they are affected by RFDS and VERW overwrites the stale register file entries affected by RFDS. RFDS_CLEAR is bit position 28 in the IA32_ARCH_CAPABILITIES MSR. To avoid unnecessary performance impact, software should only apply the VERW mitigations as an RFDS mitigation if RFDS_CLEAR is enumerated. VMMs should enumerate RFDS_CLEAR support to VMs that may run on both affected processors (which would enumerate RFDS_CLEAR) and unaffected processors.
For processors with hybrid architectures (for example, processors code named Alder Lake) only the Intel Atom cores (E-cores; for example, Gracemont) are affected but all processors within the system will enumerate consistently (for example, affected processors will enumerate RFDS_CLEAR as 1 and RFDS_NO as 0 on all logical processors). This still applies even if all Intel Atom core are disabled by the OS or BIOS. Note that some processors (for example, some non-hybrid processors with the Raptor Lake code name) with only P-cores may enumerate as unaffected by RFDS even if similar hybrid products with the same CPUID family/model/stepping fold are affected.
Register Address Hex | Register Address Dec | Architectural MSR Name / Bit Fields | MSR / Bit Description | Comment |
---|---|---|---|---|
10AH | 266 | IA32_ARCH_CAPABILITIES | Enumeration of Architectural Features (RO) | If CPUID.(EAX-07H, ECX=0):EDX[29]=1 |
10AH | 266 | 27 | RFDS_NO: The processor is not vulnerable to Register File Data Sampling. | |
10AH | 266 | 28 | RFDS_CLEAR: The processor is vulnerable to Register File Data Sampling, and the VERW instruction will overwrite buffers affected by Register File Data Sampling. |
Affected Processors
Refer to the 2022-2024 tab of the consolidated Affected Processors table: Register File Data Sampling column. Processors which have reached their End Of Servicing Lifetime are not listed in the consolidated table. Intel does not plan to evaluate whether any such processors are affected. Refer to the Support page for more information.
Footnotes
- Note that these registers may also hold temporary values used within operations and, in some situations, integer store values.
- Used in processors code named Alder Lake, Raptor Lake, and Arizona Beach.
- MSR writes to L1D_FLUSH MSR do not ensure affected stale register values are overwritten.
- Software loading Key Locker keys using LOADIWKEY should execute a VERW to clear registers before transitioning to untrusted code to prevent later software from inferring the loaded key.
- Note that RIP and the system flags portion of RFLAGS are not directly held in the integer register file.
- Note that the only affected processors with Key Locker are based on Alder Lake and Raptor Lake microarchitectures.