xref: /linux/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst (revision 5f60d5f6bbc12e782fac78110b0ee62698f3b576)
1==================================
2Register File Data Sampling (RFDS)
3==================================
4
5Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
6only affects Intel Atom parts(also branded as E-cores). RFDS may allow
7a malicious actor to infer data values previously used in floating point
8registers, vector registers, or integer registers. RFDS does not provide the
9ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.
10
11Affected Processors
12===================
13Below is the list of affected Intel processors [#f1]_:
14
15   ===================  ============
16   Common name          Family_Model
17   ===================  ============
18   ATOM_GOLDMONT           06_5CH
19   ATOM_GOLDMONT_D         06_5FH
20   ATOM_GOLDMONT_PLUS      06_7AH
21   ATOM_TREMONT_D          06_86H
22   ATOM_TREMONT            06_96H
23   ALDERLAKE               06_97H
24   ALDERLAKE_L             06_9AH
25   ATOM_TREMONT_L          06_9CH
26   RAPTORLAKE              06_B7H
27   RAPTORLAKE_P            06_BAH
28   ATOM_GRACEMONT          06_BEH
29   RAPTORLAKE_S            06_BFH
30   ===================  ============
31
32As an exception to this table, Intel Xeon E family parts ALDERLAKE(06_97H) and
33RAPTORLAKE(06_B7H) codenamed Catlow are not affected. They are reported as
34vulnerable in Linux because they share the same family/model with an affected
35part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
36CPUID.HYBRID. This information could be used to distinguish between the
37affected and unaffected parts, but it is deemed not worth adding complexity as
38the reporting is fixed automatically when these parts enumerate RFDS_NO.
39
40Mitigation
41==========
42Intel released a microcode update that enables software to clear sensitive
43information using the VERW instruction. Like MDS, RFDS deploys the same
44mitigation strategy to force the CPU to clear the affected buffers before an
45attacker can extract the secrets. This is achieved by using the otherwise
46unused and obsolete VERW instruction in combination with a microcode update.
47The microcode clears the affected CPU buffers when the VERW instruction is
48executed.
49
50Mitigation points
51-----------------
52VERW is executed by the kernel before returning to user space, and by KVM
53before VMentry. None of the affected cores support SMT, so VERW is not required
54at C-state transitions.
55
56New bits in IA32_ARCH_CAPABILITIES
57----------------------------------
58Newer processors and microcode update on existing affected processors added new
59bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
60vulnerability and mitigation capability:
61
62- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
63- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
64  microcode that clears the affected buffers on VERW execution.
65
66Mitigation control on the kernel command line
67---------------------------------------------
68The kernel command line allows to control RFDS mitigation at boot time with the
69parameter "reg_file_data_sampling=". The valid arguments are:
70
71  ==========  =================================================================
72  on          If the CPU is vulnerable, enable mitigation; CPU buffer clearing
73              on exit to userspace and before entering a VM.
74  off         Disables mitigation.
75  ==========  =================================================================
76
77Mitigation default is selected by CONFIG_MITIGATION_RFDS.
78
79Mitigation status information
80-----------------------------
81The Linux kernel provides a sysfs interface to enumerate the current
82vulnerability status of the system: whether the system is vulnerable, and
83which mitigations are active. The relevant sysfs file is:
84
85	/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
86
87The possible values in this file are:
88
89  .. list-table::
90
91     * - 'Not affected'
92       - The processor is not vulnerable
93     * - 'Vulnerable'
94       - The processor is vulnerable, but no mitigation enabled
95     * - 'Vulnerable: No microcode'
96       - The processor is vulnerable but microcode is not updated.
97     * - 'Mitigation: Clear Register File'
98       - The processor is vulnerable and the CPU buffer clearing mitigation is
99	 enabled.
100
101References
102----------
103.. [#f1] Affected Processors
104   https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
105