Intel Optimizing Its MDS Mitigation Handling To Avoid Possible Kernel Data Leaking

Written by Michael Larabel in Intel on 21 October 2023 at 09:16 AM EDT. 2 Comments
INTEL
An Intel engineer on Friday posted a set of Linux kernel patches that are working to refine the Microarchitectural Data Sampling (MDS) mitigation handling for the Linux kernel to better protect some kernel data and also some very subtle performance benefits.

The MDS mitigation requires clearing of CPU buffers before returning to user-space. This is being done with the VERW instruction, which after the MDS vulnerability came to light was updated via Intel CPU microcode to overload the VERW instruction to also clear the CPU buffers. But with how the Linux kernel has been mitigated since 2021, it leaves the possibility of kernel data still ending up in the CPU buffers. So the newly proposed patches are moving the VERW instructions to later on in the return-to-user code path.

MDS attack logo


The new patches address the situation by moving the VERW call to later in the exit-to-user path for mitigating these transient data sampling attacks.
"Mitigation for MDS is to use VERW instruction to clear any secrets in CPU Buffers. Any memory accesses after VERW execution can still remain in CPU buffers. It is safer to execute VERW late in return to user path to minimize the window in which kernel data can end up in CPU buffers. There are not many kernel secrets to be had after SWITCH_TO_USER_CR3.

Add support for deploying VERW mitigation after user register state is restored. This helps minimize the chances of kernel data ending up into CPU buffers after executing VERW."

The patch series also moves the VERW closer to VMentry within the KVM virtualization code.

With this patch series undergoing review it's also been said to help some workloads like Nginx and Hackbench with up to 1~2% better performance.
2 Comments
Related News
UMD Direct Submission "Proof Of Concept" For The Intel Xe Linux Driver
Intel Linux Display Driver Being Adapted For DRM Panic "Blue Screen of Death" Support
Intel Compute Runtime 24.45.31740.9 Released Ahead Of The Arc B580 "Battlemage" Launch
Intel ANV Driver Improves Vulkan Image Compression Going Back To Tigerlake
Intel CEO Pat Gelsinger Retires
Turbostat Utility Lands New Features With Linux 6.13
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
Rustls Multi-Threaded Performance Is Battering OpenSSL
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
Fedora 42 Aims To Enhance The Windows Subsystem For Linux Experience
KDE Starts December By Landing A Number Of New Features