Intel Optimizing Its MDS Mitigation Handling To Avoid Possible Kernel Data Leaking

Written by Michael Larabel in Intel on 21 October 2023 at 09:16 AM EDT. 2 Comments
An Intel engineer on Friday posted a set of Linux kernel patches that refine the Microarchitectural Data Sampling (MDS) mitigation handling in the Linux kernel to better protect some kernel data, with some very subtle performance benefits as well.

The MDS mitigation requires clearing the CPU buffers before returning to user-space. This is done with the VERW instruction: after the MDS vulnerability came to light, Intel CPU microcode updates overloaded VERW so that it also clears the CPU buffers. But with how the Linux kernel has been mitigated since 2021, kernel data can still end up in the CPU buffers after VERW has run. So the newly proposed patches move the VERW instruction later in the return-to-user code path.
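As an added example (not part of the article or the kernel patches), the following shell functions classify the MDS status string the kernel exposes in sysfs and check for the md_clear CPU flag that the VERW microcode update advertises; the status strings are those documented in the kernel's hw-vuln/mds.rst, and the sample inputs in the report function are read live, so the sysfs path may be absent on non-x86 or older kernels.

```shell
#!/bin/sh
# Added example: report how the running kernel mitigates MDS.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STRING -> not-affected | mitigated | no-microcode | vulnerable | unknown
# Strings follow Documentation/admin-guide/hw-vuln/mds.rst.
classify_mds() {
    case "$1" in
        "Not affected"*)                                          echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo no-microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# smt_state STRING -> the SMT part after "; " (e.g. "SMT vulnerable"), or n/a
smt_state() {
    case "$1" in
        *"; "*) echo "${1#*; }" ;;
        *)      echo n/a ;;
    esac
}

# has_md_clear CPUINFO_TEXT -> exit 0 when the flags line lists md_clear,
# the CPUID bit set once microcode makes VERW clear the CPU buffers.
has_md_clear() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]md_clear([[:space:]]|$)'
}

# Live check against the running system.
mds_report() {
    if [ -r "$MDS_SYSFS" ]; then
        status=$(cat "$MDS_SYSFS")
        echo "mds: $(classify_mds "$status") (SMT: $(smt_state "$status"))"
    else
        echo "mds: sysfs entry not present"
    fi
    if has_md_clear "$(cat /proc/cpuinfo 2>/dev/null)"; then
        echo "md_clear: present (VERW clears CPU buffers)"
    else
        echo "md_clear: absent (microcode not applied or CPU not affected)"
    fi
}

mds_report
```

A "no-microcode" result means the kernel is issuing VERW but the CPU has no microcode that makes it clear the buffers, so the mitigation is ineffective regardless of where in the exit path VERW sits.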

The new patches address the situation by moving the VERW call to later in the exit-to-user path for mitigating these transient data sampling attacks.
"Mitigation for MDS is to use VERW instruction to clear any secrets in CPU Buffers. Any memory accesses after VERW execution can still remain in CPU buffers. It is safer to execute VERW late in return to user path to minimize the window in which kernel data can end up in CPU buffers. There are not many kernel secrets to be had after SWITCH_TO_USER_CR3.

Add support for deploying VERW mitigation after user register state is restored. This helps minimize the chances of kernel data ending up in CPU buffers after executing VERW."

The patch series also moves the VERW closer to VMentry within the KVM virtualization code.

With this patch series undergoing review, it's also been said to help some workloads like Nginx and Hackbench with up to 1~2% better performance.