I believe microcode affects more how the "plumbing" works in the CPU, rather than how the data is actually processed. If there's something wrong with one of the actual hardware units, then that's something you can't fix.I believe the point of micro code is that they can alter which micro-ops an instruction decodes to. So, you could potentially devise a microcode-level fix if you can tweak the microcode for AVX instructions to avoid that "XMM Register Merge Optimization2" or somehow prevent VZEROUPPER from getting mispredicted.
This still leaves the issue of the hardware still exhibiting the problem, though this is only really a concern for those with tight security requirements.You might also be able to mitigate at the OS level, by trapping certain instructions and emulating their functionality. This could be extremely taxing on performance, however.
We know the instruction decoder translates instructions into micro-ops. I assume that translation is configurable, but I can't say for sure. It would make sense, as otherwise what you'd be talking about is basically having each part of the CPU being like its own programmable engine which would indeed be inefficient.I believe microcode affects more how the "plumbing" works in the CPU, rather than how the data is actually processed.
I didn't say you could fix it. What I said is maybe they can identify a workaround that avoids the "specific timing window" or generating an micro-op sequence resulting a mis-predicted VZEROUPPER instruction.If there's something wrong with one of the actual hardware units, then that's something you can't fix.
If they can design an effective workaround using an instruction trap, then the only issue is the performance cost. They can bake the instruction trap directly into the kernel, so that all applications will automatically be affected.This still leaves the issue of the hardware still exhibiting the problem, though this is only really a concern for those with tight security requirements.
Thats what researcher's are doing day and night. Using Ai to find security holes.The potential for this is unparalleled.
Is this the beginning of AI generated malware? or has it (AI) been at work in this area for quite some time already?
Noooo, let's hope they can exploit this to hack the consoles.Aren't consoles zen2?
Hope this gets fixed faster than the similar SQUIP vulnerability.
Yeah lose all of your performance...just don't run anything,problem solved.Okay, so either disable SMT or just limit it to threads within the same process. Problem solved, right? ...just like most of the other side-channel attacks we've been hearing about.
Of course, my preferred solution is the one I underlined: limit core-sharing to threads from the same process. Since the performance-intensive processes tend to have plenty of threads, that should still provide most of the benefits of SMT. In Linux, that feature is called "core-scheduling":Yeah lose all of your performance...just don't run anything,problem solved.
You can inject code into a process this wouldn't protect you from anything.Of course, my preferred solution is the one I underlined: limit core-sharing to threads from the same process. Since the performance-intensive processes tend to have plenty of threads, that should still provide most of the benefits of SMT. In Linux, that feature is called "core-scheduling":
It's been around since the 5.14 kernel, though it really should've come along even sooner. Does anyone know if Windows has an equivalent?
In order for that to be relevant, please cite a known instance of process injection which both:You can inject code into a process this wouldn't protect you from anything.
That exists in Linux, also (or numactl, if you want to do it from the commandline). What I'm talking about is a feature whereby the kernel will automatically prevent threads from different processes from getting scheduled on the same core. Like the Linux feature, in the link I provided.PS:in windows core scheduling is called affinity mask.
OMG, what does it do? Do we know? Or is that the DE_CFG[9] bit you mentioned not being able to find out about?As described in the OP, I then tried the workaround using the msr-tools commands: wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9))) as root. After that the 3960X was no longer affected (zenbleed was no longer printing leaks.) As the OP says: This may have some performance cost. I did not test this aspect.
The latter, just wondering what bit #9 of DE_CFG is and does. Anyway, see above, there is already an AMD firmware update circulating via apt.OMG, what does it do? Do we know? Or is that the DE_CFG[9] bit you mentioned not being able to find out about?
.../...
Interesting idea. Perhaps the P-cores can be put in a special mode to disable branch prediction and speculation. As for SMT, the OS can simply avoid running a second thread on it, during the time the sensitive one is there.For future hybrid architectures, I wish dedicated security cores, without SMT, no branch prediction, constant-time execution and so on... (no out-of-order?) and with specific security features and reinforcement.
Operating systems will have to select these cores to run sensitive programs, such as encryption or keys management, and software developers will be able use specific instructions to indicate that "this piece of code can be executed on a trusted cores, if available".
I doubt it, because not every security-sensitive thread will be flagged as such.And so, P-Cores can be further optimized for performance, with little regard for security.
I don't think that is that far of a stretch. Thread Director already kind of works like that based on workload types and can be configured (to a degree). Something like a "Security Director" could work with the OS to direct sensitive content to pre-configured cores or disable some features while the branch is active.Interesting idea. Perhaps the P-cores can be put in a special mode to disable branch prediction and speculation. As for SMT, the OS can simply avoid running a second thread on it, during the time the sensitive one is there.
A hostile ad running in a web browser, while you log into your bank account (or other sensitive accounts) could steal your password. If that bothers you, then you might want to disable SMT or use a different PC for your financial activities or anything else you deem sensitive.
That's what we used to think, but you know ransomware can hit everyday users too, right? And people's banking details are bought and sold on the dark web, en masse.
I think 5 months is an expedited time frame. fTPM can be fully compromised (AMD PSP) as well and as far as I understand that cannot be fixed. At least this has a chance of being fixed. I have a 3800xt/x570 system I would like to use.I find really sad that AMD has publicly acknowledge this serious security hardware vulnerability , and have no urgency in releasing a patch for their consumer CPUs, it's 5 months to December, plenty of time to release malware and web pages with "keylogger" just waiting for you to open your online bank account. And what will be the performance hit of the patch. Legislation really have to change, tech world has too many defective hardware being sold!
Processors and computer systems already have dedicated security enclaves. Examples include AMD PSP, Intel Management Engine, ARM TrustZone, and Apple T2.For future hybrid architectures, I wish dedicated security cores, without SMT, no branch prediction, constant-time execution and so on... (no out-of-order?) and with specific security features and reinforcement.
Like Intel's infamous TSX?Operating systems will have to select these cores to run sensitive programs, such as encryption or keys management, and software developers will be able use specific instructions to indicate that "this piece of code can be executed on a trusted cores, if available".
Hackers do that to create botnets. They create a website for example which you visit or an email with a payload. They then use the botnet as a cover to make attacks. DDOS is one such attack, also sending out waves of spam emails.Im still on a 2 year old BIOS. Im not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip. Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless your a big datacenter/big company with sensetive data. A home PC gamer shouldn't be worried
Those security cores can't run application-level threads, which is what @Hartemis seems to be talking about. In the case of x86, they're even a different ISA.Processors and computer systems already have dedicated security enclaves. Examples include AMD PSP, Intel Management Engine, ARM TrustZone, and Apple T2.
Memory-to-memory architecture have been done, in the past. Since some of the side-channel attacks exploited the cache hierarchy, you'd also have to go without, which would really trash performance. ...unless, all the RAM it used was on-die SRAM, in which case it'd have the speed of cache without the potential for leakage. The main problem would then be the size/cost tradeoff.A common theme I see in these vulnerabilities is leaking processor state inappropriately. If you want to go to the extreme, you'd have to create a purely functional (stateless) processor... but that doesn't really solve anything because it's impractical to have a stateless system. That state has to live somewhere.
Huh? No, that's something different. That's for transactional sequences and lock elision.