AMD and Intel CPU security bugs bring Linux patches

Two new chip vulnerabilities, AMD Inception and Intel Downfall, forced Torvalds to push out Linux security fixes.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Dimitrios Manias/Getty Images

It's not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers' latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches.

Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. Torvalds described them as "yet another issue where userspace poisons a microarchitectural structure which can then be used to leak privileged information through a side channel."

Also: How to choose the right Linux desktop distribution for you

Does that sound familiar? It will be to Linux security experts. Yes, it's yet another example of the kind of security vulnerabilities that made Intel's Meltdown and Spectre infamous in Linux circles. Fortunately, unlike those two earlier cases, developers this time knew well in advance that there was trouble with the silicon, so the patches came out before news of the latest holes appeared. 

In this recent merge, Torvalds and company incorporated kernel-side measures that counteract AMD's Speculative Return Address Stack (RAS) overflow vulnerability to its Zen 3 and Zen 4 architectures. This vulnerability allows userspace to contaminate a microarchitectural structure, which can subsequently be exploited to siphon privileged information via a side channel.  

AMD will tell you it's not that big a deal: The chip giant believes this vulnerability is only potentially exploitable locally, such as via downloaded malware. Nevertheless, AMD "recommends customers employ security best practices, including running up-to-date software and malware detection tools."

However, the ETH Zurich security researchers who found the flaw aren't so optimistic. They believe Inception could be used by an attacker in cloud computing, where customers commonly share the same processing hardware resources.

The researchers say that Inception is a new class of transient execution attacks that uses Training in Transient Execution (TTE). Instead of attempting to leak data in a transient window, TTE attacks abuse the transient window to insert new predictions into the branch predictor. Combined with the Phantom, which is a way of triggering transient windows from arbitrary instructions, Inception can be a nasty way to vacuum down private data. 

Also: If you're looking to up your desktop computer security, Linux might be your best bet

Amusingly, veteran Linux kernel developer Peter Zijlstra, who is affiliated with Intel, refined the AMD patches. It's somewhat ironic to witness an Intel engineer spearheading the kernel's refinement of AMD mitigation code. Welcome to the open-source community spirit!

The Linux kernel developers also addressed the Intel Gather Data Sampling (GDS) vulnerability, known as Downfall. This particular vulnerability affects Intel Core processors from the 6th-generation Skylake to the 11th-generation Tiger Lake. In short, chances are your PC, your servers, and your cloud processors are all vulnerable. 

According to Daniel Moghimi, the Google senior research scientist who discovered Downfall, "The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible." 

So, how bad is it? Moghimi has shown that an exploit can be used to steal another user's security keys and passwords. Worst still, such attacks are  "Highly practical," Moghimi notes. "It took me two weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading."

Also: AMD vs Intel: Which desktop processor is right for you?

Intel Software Guard Extensions (SGX), an Intel hardware security feature available on Intel CPUs to protect users' data against malicious software, is also helpless against this vulnerability.

For some users, the fix may seem more trouble than the problem. According to Intel, some workloads may experience up to 50% overhead. That's some slowdown! Moghimi warns, however, "This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content." 

For Linux, however, the slowdown may not be that bad. Michael Larabel, a Linux software engineer and editor-in-chief of the hardcore Linux site Phoronix, has benchmarked the Downfall patches. Larabel found that instead of impacting I/O or user-space and kernel interactions -- as the fixes for Meltdown, Spectre, and their relatives did -- Downfall's fix impairs user-space bound software only. He also found that while the performance hit tended to be not as bad as Intel predicted, there were still some significant slowdowns.

The Linux security patches have been incorporated into the Linux Git for the upcoming Linux 6.5 kernel. The latest stable point releases incorporating these patches include Linux versions 6.4.9, 6.1.44, 5.15.125, 5.10.189, 4.19.290, and 4.14.321. These releases encompass the current Linux 6.4 stable series and the supported Long-Term Support (LTS) series kernels. 

Also: The best all-in-one computers: Mac, Lenovo, and more compared

The patches facilitate the reporting of the CPU speculative execution vulnerabilities state and introduce new controls to modify their behavior in conjunction with the latest CPU microcode.  Of course, for these patches to work, you must also install the AMD and Intel microcode updates.

So, what should you do? Get ready to install the new microcode as soon as it's available. Then, follow up, by patching your Linux systems as the patches become available. This won't be a big deal for Linux desktop users, but it will be for those of you running Linux on your servers and clouds.  

Editorial standards