Security vulnerabilities: Side-channel information leaks / denial of service attack against MMIO registers
This document (000020669) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Multiple flavours of these issues have been identified:
- Device Register Partial Write (DRPW) / CVE-2022-21166:
Some endpoint MMIO registers incorrectly handle writes that are smaller than the register size. Instead of
aborting the write or only copying the correct subset of bytes (for example, 2 bytes for a 2-byte write), more bytes
than specified by the write transaction may be written to the register. On some processors, this may expose stale
data from the fill buffers of the core that created the write transaction.
This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.
- Update to Special Register Buffer Data Sampling / CVE-2022-21127:
The RDRAND, RDSEED and SGX EGETKEY instructions use the low-bandwidth MMIO interface, and their content
could be sampled using side-channel information leak methods.
This issue is being mitigated with CPU Microcode updates.
- Shared Buffers Data Sampling (SBDS) / CVE-2022-21125:
After propagators may have moved data around the uncore and copied stale data into client core fill buffers,
processors affected by MFBDS can leak data from the fill buffers.
This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.
- Shared Buffers Data Read (SBDR) / CVE-2022-21123:
This issue is similar to Shared Buffers Data Sampling (SBDS), except that the data is read directly into the architectural,
software-visible state.
This issue is mitigated using CPU Microcode and Operating System (kernel) code changes.
- Undefined MMIO Hang / CVE-2022-21180:
While not directly related to side-channel information leaks, overly long MMIO reads of short MMIO registers can
hang the machine, causing a denial of service.
This will be fixed by filtering out overly long MMIO reads in kernel / hypervisor software.
Resolution
2022.1 release, released by SUSE in "ucode-intel" version 20220510 packages.
- SUSE will release kernel updates to mitigate the leaks.
A new kernel boot commandline option will be introduced, called "mmio_stale_data".
Configuration:
- mmio_stale_data=off
Mitigation is disabled.
- mmio_stale_data=full
Mitigation is enabled, but SMT remains enabled, so information might still leak between threads on the same CPU core.
- mmio_stale_data=full,nosmt
Mitigation is enabled, and SMT is disabled so the mitigation is complete.
Note that this option is also covered by the generic "mitigations" kernel option.
Status
Additional Information
Reporting:
A new sysfs file /sys/devices/system/cpu/vulnerabilities/mmio_stale_data is created, reporting mitigation status.
- Vulnerable
The system is vulnerable; no mitigation is enabled.
- Vulnerable: Clear CPU buffers attempted, no microcode
The system needs a CPU microcode update; install ucode-intel 20220510 or newer. Note that for older CPUs
Intel might no longer deliver microcode updates.
- Mitigation: Clear CPU buffers; SMT Host state unknown
CPU buffer clearing is enabled, but the hyper-threading (SMT) status of the host is unknown.
- Mitigation: Clear CPU buffers; SMT vulnerable
CPU buffer clearing is enabled, but hyper-threading is active, so information can still leak between threads on the
same CPU core.
- Mitigation: Clear CPU buffers; SMT disabled
CPU buffer clearing is enabled and hyper-threading is disabled, so the issue is fully mitigated.
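As an added example (not part of this TID or of any SUSE tooling), the following POSIX shell script maps the sysfs status strings listed above to a verdict and an exit code, and reads the mmio_stale_data= or generic mitigations= setting from the kernel command line described under Resolution. The "Not affected" string is the kernel's standard value for an unaffected CPU and is not listed above; the verdict codes are the script's own convention.

```shell
#!/bin/sh
# Added example, not from the SUSE TID: interpret the mmio_stale_data sysfs status
# strings and the matching kernel command-line options.
SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
# Classify one sysfs status string. Prints a verdict and returns a code:
#   0 = fully mitigated or not affected, 1 = mitigated but SMT exposure remains,
#   2 = vulnerable, 3 = unrecognised string (for example newer kernel wording).
classify_mmio_status() {
    case "$1" in
        "Not affected")
            echo "not affected: kernel reports this CPU as unaffected"; return 0 ;;
        "Mitigation: Clear CPU buffers; SMT disabled")
            echo "fully mitigated: CPU buffers cleared and SMT disabled"; return 0 ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")
            echo "partial: buffers cleared, but SMT is on (boot with mmio_stale_data=full,nosmt)"; return 1 ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
            echo "partial: buffers cleared, SMT state of the host is unknown"; return 1 ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode")
            echo "vulnerable: install ucode-intel 20220510 or newer"; return 2 ;;
        "Vulnerable")
            echo "vulnerable: no mitigation active (check the kernel command line)"; return 2 ;;
        *)
            echo "unrecognised status: $1"; return 3 ;;
    esac
}
# Report the mitigation setting chosen on the kernel command line ($1 = cmdline text).
# A specific mmio_stale_data= option wins over the generic mitigations= option.
cmdline_mitigation_setting() {
    specific=""; generic=""
    for tok in $1; do
        case "$tok" in
            mmio_stale_data=*) specific="${tok#mmio_stale_data=}" ;;
            mitigations=*)     generic="${tok#mitigations=}" ;;
        esac
    done
    if [ -n "$specific" ]; then echo "$specific"
    elif [ -n "$generic" ]; then echo "inherited from mitigations=$generic"
    else echo "default (no explicit setting)"
    fi
}
# Live check of the running system; the return value is the verdict code above.
check_live_system() {
    [ -r "$SYSFS_FILE" ] || { echo "no $SYSFS_FILE: kernel lacks the mitigation or CPU is not Intel"; return 3; }
    echo "cmdline: $(cmdline_mitigation_setting "$(cat /proc/cmdline 2>/dev/null)")"
    classify_mmio_status "$(cat "$SYSFS_FILE")"
}
rc=0
check_live_system || rc=$?
echo "verdict code: $rc"
```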
References:
- https://www.suse.com/security/cve/CVE-2022-21166
- https://www.suse.com/security/cve/CVE-2022-21127
- https://www.suse.com/security/cve/CVE-2022-21123
- https://www.suse.com/security/cve/CVE-2022-21125
- https://www.suse.com/security/cve/CVE-2022-21180
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/undefined-mmio-hang.html
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020669
- Creation Date: 07-Jun-2022
- Modified Date: 15-Jun-2022
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Linux Enterprise Micro
- SUSE Linux Enterprise HPC
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com