Both Intel and AMD CPUs are being reported as “insecure” on Linux

Over the past few days, a bug was discovered within Intel processors dating back a decade. This issue has forced rapid redesigns of both the Linux and Windows Kernels, implementing security fixes that will impact the performance of affected systems.   

The bug is not fixable with microcode updates, requiring an expensive software update to bypass the issue, delivering a substantial performance hit in specific workloads. Early benchmarks show a considerable performance impact on I/O heavy workloads, which will likely hit the server/enterprise market the hardest. 

The Linux Kernel has been the first to implement a fix for the issue, though for now the OS is taking a careful approach to the problem, applying the fix on all x86 processors regardless of whether or not they are affected by this hardware issue. AMD engineers have stated that their products are unaffected by the attacks this security measure is designed to prevent, which means AMD users are taking an unnecessary performance hit.

Over Christmas, an email was sent to the Linux kernel mailing list stating that “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against”. This email was sent by Thomas Lendacky, a software engineer at AMD who specialises in Linux kernel development. Below is the full email.

    AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

    Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.

If AMD is indeed unaffected by the issue, today’s Linux Kernel is degrading the performance of AMD hardware unnecessarily, though the measure is understandable given the gravity of the exploit. In time, it is likely that the kernel will be updated to remove this unnecessary feature on AMD hardware, giving AMD a nice one up on Intel in the server market.  

While some will say that Linux is favouring Intel by artificially hobbling AMD’s CPUs with unnecessary performance penalties, it is most likely that developers are taking the “better safe than sorry” approach to security. AMD should be able to demonstrate that their products are unaffected by the bug and should be able to get the kernel patched with exceptions in the near future, leaving this mess solely at Intel’s feet. 

Below is some information from the changelog for the latest build of Linux, version 4.14.11:

    Many x86 CPUs leak information to user space due to missing isolation of user space and kernel space page tables. There are many well documented ways to exploit that.

    The upcoming software mitigation of isolating the user and kernel space page tables needs a misfeature flag so code can be made runtime conditional.

    Add the BUG bits which indicate that the CPU is affected and add a feature bit which indicates that the software mitigation is enabled.

    Assume for now that _ALL_ x86 CPUs are affected by this. Exceptions can be made later.

Update – An AMD patch for the Linux Kernel is now available here. Another workaround to prevent PTI from applying to AMD CPUs is to boot the kernel with the nopti command line parameter. We are currently hearing conflicting reports regarding this patch’s merger with the mainline Linux Kernel.  
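The three pieces named above (the X86_BUG_CPU_INSECURE bug bit, the X86_FEATURE_PTI feature bit and the nopti boot parameter) are all visible from user space, so an administrator can check whether the mitigation is actually active on a given host rather than guessing from the kernel version. The following POSIX sh script is an added example, not code from the article, from AMD or from the kernel tree. It assumes the kernel reports the bug bit as the token "cpu_insecure" on the "bugs" line of /proc/cpuinfo and the feature bit as "pti" on the "flags" line, and that later kernels renamed the bug token to "cpu_meltdown" (an assumption beyond the article's text). The file paths are parameters so the same logic can be run against captured copies of /proc/cpuinfo and /proc/cmdline.

```shell
#!/bin/sh
# Added example, not code from the article, AMD or the kernel tree:
# report whether kernel page-table isolation (PTI) is active on a host.
#
# What the patched kernel exposes (assumed token names):
#   /proc/cpuinfo "bugs"  line: cpu_insecure = X86_BUG_CPU_INSECURE is set
#                               (assumed renamed to cpu_meltdown in later kernels)
#   /proc/cpuinfo "flags" line: pti          = X86_FEATURE_PTI is set, PTI is on
#   /proc/cmdline             : nopti        = PTI switched off at boot
# File paths are parameters so the logic can be run on captured text.

# has_word FILE WORD -> exit 0 if WORD occurs as a whole token in FILE
has_word() {
    grep -qw -- "$2" "$1" 2>/dev/null
}

# cpu_vendor [CPUINFO] -> prints the vendor_id string (e.g. AuthenticAMD)
cpu_vendor() {
    f=${1:-/proc/cpuinfo}
    [ -r "$f" ] || { echo unknown; return; }
    awk -F': *' '/^vendor_id/ { print $2; exit }' "$f"
}

# pti_status [CPUINFO] [CMDLINE] -> prints exactly one of:
#   pti-active              PTI is enabled (the "pti" CPU flag is present)
#   pti-disabled-by-nopti   kernel knows PTI but it was disabled at boot
#   affected-but-no-pti     CPU flagged as affected, no PTI flag, no nopti
#   not-flagged             old kernel without the BUG bit, or CPU exempted
pti_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}
    if has_word "$cpuinfo" pti; then
        echo pti-active
    elif has_word "$cmdline" nopti; then
        echo pti-disabled-by-nopti
    elif has_word "$cpuinfo" cpu_insecure || has_word "$cpuinfo" cpu_meltdown; then
        echo affected-but-no-pti
    else
        echo not-flagged
    fi
}

# pti_report [CPUINFO] [CMDLINE] -> one summary line, plus a note for the
# case the article describes: PTI applied to an AMD CPU that AMD says is
# unaffected, i.e. a performance cost without a security benefit.
pti_report() {
    status=$(pti_status "$1" "$2")
    vendor=$(cpu_vendor "$1")
    echo "vendor=${vendor:-unknown} pti=$status"
    if [ "$status" = pti-active ] && [ "$vendor" = AuthenticAMD ]; then
        echo "note: PTI is active on an AMD CPU; per AMD's statement this is a performance cost only (see the AMD patch and the nopti parameter)"
    fi
}

# Stand-alone use: no arguments reads the live /proc files; two arguments
# name captured copies of /proc/cpuinfo and /proc/cmdline.
pti_report "$@"
```

Of the four states, "affected-but-no-pti" is the one worth following up: the kernel has flagged the CPU, PTI is not on, and nopti was not given, which usually means a kernel built without the page-table-isolation option. "not-flagged" on an AMD box is the expected result once the AMD patch above lands, since that patch stops the X86_BUG_CPU_INSECURE bit from being set in the first place.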

Update 2 – Intel, AMD and ARM have all released statements about these recently discovered security issues.

You can join the discussion on the Linux Kernel’s security update affecting all x86 processors on the OC3D Forums.