Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)
QSB-101: Register File Data Sampling (XSA-452)
Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)
We have updated Qubes Security Bulletin (QSB) 101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982). The text of this updated QSB (including a changelog) and its accompanying cryptographic signature are reproduced below, followed by a general explanation of this announcement and authentication instructions.
Qubes Security Bulletin 101
---===[ Qubes Security Bulletin 101 ]===---
2024-03-12
Register File Data Sampling (XSA-452) and
Intel Processor Return Predictions Advisory (INTEL-SA-00982)
Changelog
----------
2024-03-12: Original QSB
2024-03-17: Add information about INTEL-SA-00982
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
On 2024-03-12, the Xen Project published XSA-452, "x86: Register File
Data Sampling" [3]:
| Intel have disclosed RFDS, Register File Data Sampling, affecting some
| Atom cores.
|
| This came from internal validation work. There is no information
| provided about how an attacker might go about inferring data from the
| register files.
For more information, see Intel's security advisory. [4]
In addition, Intel published INTEL-SA-00982/CVE-2023-38575 [6] on the
same day:
| Non-transparent sharing of return predictor targets between contexts
| in some Intel Processors may allow an authorized user to potentially
| enable information disclosure via local access.
Information about this vulnerability is very sparse.
Impact
-------
On systems affected by Register File Data Sampling (RFDS), an attacker
might be able to infer the contents of data previously held in floating
point, vector, and/or integer register files on the same core, including
data from a more privileged context.
On systems affected by INTEL-SA-00982, an attacker might be able to leak
information from other security contexts, but the precise impact is
unclear.
Affected systems
-----------------
At present, Register File Data Sampling (RFDS) is known to affect only
certain Atom cores from Intel. Other Intel CPUs and CPUs from other
hardware vendors are not known to be affected. RFDS affects Atom cores
between the Goldmont and Gracemont microarchitectures. This includes
Alder Lake and Raptor Lake hybrid client systems that have a mix of
Gracemont and other types of cores.
At the time of this writing, Intel has not published information about
which systems INTEL-SA-00982 affects. Systems that are still receiving
microcode updates from Intel [7] and that received a microcode update as
part of the microcode release on 2024-03-12 [5] may be affected, even if
they are not affected by RFDS.
Patching
---------
The following packages contain security updates that address the
vulnerabilities described in this bulletin:
For Qubes 4.1, in dom0:
- Xen packages version 4.14.6-7
- microcode_ctl 2.1-57.qubes1
For Qubes 4.2, in dom0:
- Xen packages version 4.17.3-4
- microcode_ctl 2.1-57.qubes1
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-452.html
[4] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20240312
[6] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
[7] https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html
The Qubes Security Team
https://www.qubes-os.org/security/
Source: https://github.com/QubesOS/qubes-secpack/blob/c5693c8a4b81b3afb7cd7e6e44db3bbc36987049/QSBs/qsb-101-2024.txt
Marek Marczykowski-Górecki’s PGP signature
At the time of this writing, Marek is traveling and is therefore not available to sign this QSB update. He will sign it when he returns. In the meantime, you can still authenticate his original signature on the original version of this QSB. For more information, see the original QSB-101 announcement.
Simon Gaiser (aka HW42)’s PGP signature
QSB-101: Register File Data Sampling (XSA-452)
Note: A newer version of this QSB has been published. See Update for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982).
We have published Qubes Security Bulletin (QSB) 101: Register File Data Sampling (XSA-452). The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.
Qubes Security Bulletin 101
---===[ Qubes Security Bulletin 101 ]===---
2024-03-12
Register File Data Sampling (XSA-452)
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.
Summary
--------
On 2024-03-12, the Xen Project published XSA-452, "x86: Register File
Data Sampling" [3]:
| Intel have disclosed RFDS, Register File Data Sampling, affecting some
| Atom cores.
|
| This came from internal validation work. There is no information
| provided about how an attacker might go about inferring data from the
| register files.
For more details, see [4].
Impact
-------
An attacker might be able to infer the contents of data held previously
in floating point, vector, and/or integer register files on the same
core, including data from a more privileged context.
Affected systems
-----------------
At present, RFDS is known to affect only certain Atom cores from Intel.
Other Intel CPUs and CPUs from other hardware vendors are not known to
be affected.
RFDS affects Atom cores between the Goldmont and Gracemont
microarchitectures. This includes Alder Lake and Raptor Lake hybrid
client systems that have a mix of Gracemont and other types of cores.
Patching
---------
The following packages contain security updates that address the
vulnerabilities described in this bulletin:
For Qubes 4.1, in dom0:
- Xen packages version 4.14.6-7
- microcode_ctl 2.1-57.qubes1
For Qubes 4.2, in dom0:
- Xen packages version 4.17.3-4
- microcode_ctl 2.1-57.qubes1
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-452.html
[4] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
The Qubes Security Team
https://www.qubes-os.org/security/
Source: https://github.com/QubesOS/qubes-secpack/blob/77c2be52eabbc37f2840308f99952fa9baaa198d/QSBs/qsb-101-2024.txt
Marek Marczykowski-Górecki’s PGP signature