Security Vulnerability: Spectre side channel attack "Lazy FPU Save/Restore" aka CVE-2018-3665.

This document (7023076) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12

Situation

This issue is x86 platform specific.

On Intel and AMD x86 processors, operating systems and hypervisors often use what is referred to as a deferred saving and restoring method of the x86 FPU state, as part of performance optimization. This is done in a "lazy" on-demand fashion.

It was found that, due to the "lazy" approach, the x86 FPU state (the FPU / XMM / AVX512 register content) could leak across process boundaries, or even VM boundaries. An attacker using speculative execution side channel gadgets could read private data from other processes.

Resolution

The software mitigation for this is to switch to an "eager" / immediate FPU state save and restore, in both kernels and hypervisors.

Upstream Linux kernels after Linux 4.6 have eager FPU switching by default, and this mode of switching is backported to our SUSE Linux Enterprise kernels. SUSE is also backporting the eager FPU state switching patches to all older SUSE Linux Enterprise releases.

The SUSE Linux Enterprise 12 kernels have a boot command line option called "eagerfpu" that switches from lazy to eager FPU context switching, which mitigates the security issue. This option defaults to "auto".

To date, the automatic default here was "on" for CPUs with the XSAVEOPT feature in modern Intel processors (Broadwell/Haswell and newer), and "off" for all older CPUs.

Following the kernel releases listed below, the "eagerfpu=auto" default is now "on" for all CPUs.

Please note :
  • the 'eagerfpu=on' parameter was not correctly parsed on the kernel command line in 4.4 kernels prior to SLES12 SP3 kernel-4.4.138-94.39.1 and SLES12 SP2 kernel-4.4.121-92.85.1
  • On SUSE Linux Enterprise Server 11, the kernel did not have this option before this update, but it has received a backport of the "eagerfpu" kernel option with this update.



SUSE has released updates to address this vulnerability in the following package versions :


SLES 12 SP3
  • kernel 4.4.138-94.39.1

SLES 12 SP2 - LTSS
  • kernel 4.4.121-92.85.1 (in QA)

SLES 12 SP1 - LTSS
  • kernel 3.12.74-60.64.96.1

SLES 12 GA - LTSS
  • kernel 3.12.61-52.136.1

SLES 11 SP4
  • kernel 3.0.101-108.57.1

SLES 11 SP3 - LTSS
  • kernel 3.0.101-0.47.106.35.1
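
The rules above (the "eagerfpu" default, the parsing problem in older 4.4 kernels, and the fixed package versions) can be combined into one check. This is an added example, not SUSE code, and covers SLES 12 only. The function names, the treatment of an explicit "eagerfpu=off" as lazy, and the use of GNU `sort -V` in place of RPM version comparison are assumptions.

```shell
#!/bin/sh
# Added example (not SUSE code): classify FPU switching on a SLES 12 host
# from the rules stated in this document. All inputs are plain strings.

# Print the eagerfpu= value from a kernel command line; "auto" (the documented
# default) if absent. Assumption: the last occurrence wins.
eagerfpu_setting() (
    set -f                      # no glob expansion while word-splitting $1
    val=auto
    for word in $1; do
        case "$word" in eagerfpu=*) val=${word#eagerfpu=} ;; esac
    done
    printf '%s\n' "$val"
)

# Succeed if version $1 >= version $2. GNU "sort -V" only approximates RPM
# ordering, which is adequate for the numeric versions listed in this document.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# fpu_verdict PKGVER FIXEDVER CMDLINE CPUFLAGS -> eager | lazy | unverified
# FIXEDVER must be the fixed version for the host's own service pack.
fpu_verdict() (
    setting=$(eagerfpu_setting "$3")
    if [ "$setting" = off ]; then
        echo lazy               # assumption: an explicit "off" still selects lazy
    elif version_ge "$1" "$2"; then
        echo eager              # fixed kernel: "auto" is on for all CPUs
    elif [ "$setting" = auto ]; then
        # Pre-fix default: eager only on CPUs with XSAVEOPT.
        case " $4 " in *" xsaveopt "*) echo eager ;; *) echo lazy ;; esac
    elif [ "$setting" = on ]; then
        # eagerfpu=on was not parsed correctly on pre-fix 4.4 kernels.
        case "$1" in 4.4.*) echo unverified ;; *) echo eager ;; esac
    else
        echo unverified         # unrecognised value on a pre-fix kernel
    fi
)

# Live inputs: CMDLINE from /proc/cmdline, CPUFLAGS from the "flags" line of
# /proc/cpuinfo, PKGVER from the booted kernel package's version-release.
```

A result of "lazy" or "unverified" means the host should be updated to the fixed kernel for its service pack rather than relying on the command line option.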

Cause

Additional Information

Please note :
  • This issue also affects hypervisors like XEN, which will also change their behaviour to the eager save/restore method.
  • CPU Microcode changes are not needed to mitigate this issue.

Performance Impact :
This change will incur only a minor performance loss. Most software today already uses the FPU registers, so the FPU state already has to be saved and restored.


Additional Information :

- Intel advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

- XEN advisory:
https://xenbits.xen.org/xsa/advisory-267.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7023076
  • Creation Date: 11-Jun-2018
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
