The Advanced Programmable Interrupt Controller (APIC) is an integrated CPU component responsible for accepting, prioritizing, and dispatching interrupts to logical processors (LPs). The APIC can operate in xAPIC mode, also known as legacy mode, in which APIC configuration registers are exposed through a memory-mapped I/O (MMIO) page.

On some processors, incorrectly aligned reads from addresses in the xAPIC MMIO page could return stale data, which may correspond to data previously accessed by the same processor core that is reading the xAPIC page. Note that naturally aligned 8-byte loads are not affected by this behavior.

Intel recommends that operating systems (OSes) and virtual machine monitors (VMMs) enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model-specific registers (MSRs). This mitigates the issue. Note that APIC virtualization is not affected; this behavior only applies to access to the physical xAPIC MMIO page.

Intel® Software Guard Extensions (Intel® SGX) includes a strong threat model that identifies all software running outside an Intel SGX enclave as untrusted, including the OS/VMM. As a result, Intel SGX enclaves cannot assume the OS/VMM will enable x2APIC mode. Intel has provided a microcode update (MCU) to mitigate potential exposure of secret stale data by clearing buffers when an LP exits an enclave. This mitigation assumes that Intel® Hyper-Threading Technology (Intel® HT Technology) is disabled, as documented in the Processor MMIO Stale Data vulnerabilities technical article.

~~~
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
~~~

Although this MCU mitigates potential exposure of data after an LP exits an enclave, enclave data could also be exposed when an enclave reads data from outside its own linear memory range (ELRANGE). This may occur when a malicious OS/VMM maps the xAPIC into an enclave-accessible page outside of ELRANGE. If the enclave unintentionally accesses the xAPIC in an attempt to read memory, it may receive stale enclave data instead of the data that it had attempted to read. The enclave may then unintentionally perform an operation that could allow an attacker to infer this data.

Intel is providing an updated Intel SGX Software Development Kit (SDK) that helps mitigate potential exposure under this scenario. The updated SDK reads data from outside the enclave’s ELRANGE at a size and alignment of 8 bytes. It also provides new programming interfaces that can be used by developers to ensure that enclave application code reads data from outside the enclave’s ELRANGE at a minimum alignment of 8 bytes. Some enclave developers may choose to update their Intel® SGX software once the updated SDK is available.

In the future, Intel expects to provide an additional MCU to prevent secret stale data from potentially being exposed in this manner, with or without the software mitigations provided by the updated Intel SGX SDK.

Intel is not aware of any impact to system management mode (SMM). Existing guidance for protecting SMM secrets continues to apply. Notably, when Intel HT Technology is enabled, SMM secrets to be protected against an OS adversary should be accessed only after LPs rendezvous. These secrets should not be accessed after the point where LPs may start leaving SMM.
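The 8-byte size and alignment rule described above for reads outside ELRANGE can be sketched as follows. This is an added example, not code from the Intel SGX SDK or from this report; the function names are hypothetical, and it assumes the aligned 8-byte words enclosing the requested range are readable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not an Intel SGX SDK interface. The volatile access
 * keeps the compiler from splitting or narrowing the 8-byte load. */
static uint64_t load_aligned8(uintptr_t addr)
{
    return *(const volatile uint64_t *)addr;
}

/* Copy n bytes from src (memory outside the enclave) using only naturally
 * aligned 8-byte loads. Unaligned head and tail bytes are picked out of the
 * enclosing aligned word after it is held in enclave-local storage. */
void copy_from_outside_aligned8(void *dst, const void *src, size_t n)
{
    unsigned char *out = dst;
    uintptr_t addr = (uintptr_t)src;
    while (n > 0) {
        uintptr_t base = addr & ~(uintptr_t)7;  /* enclosing aligned word */
        size_t off = (size_t)(addr - base);     /* first wanted byte in it */
        size_t take = (8 - off < n) ? 8 - off : n;
        uint64_t word = load_aligned8(base);
        unsigned char bytes[8];
        memcpy(bytes, &word, sizeof bytes);     /* local copy, memory order */
        memcpy(out, bytes + off, take);
        out += take;
        addr += take;
        n -= take;
    }
}

/* Constructed sample buffer: compare with memcpy for every offset and
 * length. Returns the number of mismatches (0 means all copies agree). */
int aligned8_selfcheck(void)
{
    uint64_t words[4];
    unsigned char *raw = (unsigned char *)words, got[32];
    int bad = 0;
    for (size_t i = 0; i < sizeof words; i++)
        raw[i] = (unsigned char)(0xA0 + i);
    for (size_t off = 0; off < 32; off++)
        for (size_t len = 0; off + len <= 32; len++) {
            copy_from_outside_aligned8(got, raw + off, len);
            bad += memcmp(got, raw + off, len) != 0;
        }
    return bad;
}

int main(void) { return aligned8_selfcheck(); }
```

Because ELRANGE is page-aligned, an aligned 8-byte word never straddles the enclave boundary, so rounding the address down does not pull enclave memory into the load.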
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2117009]