This security announcement details an AMD side channel attack that impacts AMD Zen 2 processors. Oxide products are not impacted by this security vulnerability. This notice provides additional context on this side channel attack that relies upon speculative execution in the processor and is provided as additional background to aid in understanding this and related issues. AMD calls this AMD-SB-7008 Cross-Process Information Leak.
Revision | Date (YYYYMMDD) | Changes |
---|---|---|
1.0 | 20230808 | Initial Release |
Impacted Products
No Oxide products are impacted by this issue. No Oxide computer can boot or operate with an AMD Zen 2 processor installed, nor will that be offered in the future. This vulnerability impacts AMD Zen 2 based CPUs which include the following:
AMD EPYC 7XX2 Rome (Family 17h, model 31h)
AMD Threadripper 3000 series Castle Peak (Family 17h, model 31h)
AMD Ryzen 3000 Series Matisse
AMD Ryzen 4000 Series Renoir (family 17h, model 60h)
AMD Ryzen 5000 Series Lucienne (family 17h, model 68h)
AMD Ryzen 7020 Series Mendocino (Family 17h, model a0h)
Impact
There is no impact from this issue for Oxide products. The following only applies to non-Oxide systems.
This vulnerability allows the leaking of the upper 128-bits of the FPU registers, which depending on the specifics of an operating system, can contain sensitive information as many implementations of cryptography algorithms or even basic memory copying leverage these registers. This allows a process running on a core to see information left behind by a prior process (regardless of whether that process is inside a virtual machine or not).
Action Required
There is no action required for Oxide products.
For other products and systems, please follow your vendor’s documentation for determining if a Zen 2 CPU is installed is installed. If you have a Zen 2 based CPU listed above installed in a non-Oxide computer, please check that system’s OS or BIOS vendor to see if a CPU microcode update is available.
Mitigations
There are no mitigations available for Oxide systems as Oxide products are not impacted by this vulnerability.
Technical Background
For a more detailed explanation, please see the write up from Tavis Ormandy who discovered this vulnerability.
AMD CPUs support the AVX family of instructions. These instructions
extend the CPU’s vector registers to 256-bits often referred to as the
YMM registers. These registers shadow the original 128-bit XMM
registers. That is, %xmm0[127:0]
is the same a %ymm0[127:0]
. When
switching between the different classes of instructions, it is often
required to zero the upper 128-bits of a YMM register. This is most
often done with an explicit x86 instruction called vzeroupper
which
zeros all upper bits of the vector registers.
While x86 registers are explicitly named in the assembler, internally
the CPU is much more complex and the common names of registers points to
a register file . These hardware resources are
shared between both hardware threads within the core and is not
statically partitioned. When the vzeroupper
instruction is used,
rather than actually zero the underlying data, it will often just set a
flag indicating that this is the case in the hardware.
The problem occurs when the CPU speculatively executes a vzeroupper
and
then aborts that due to a misprediction. This can lead the register
contents to then contain the prior contents prior to setting the zero
flag. This allows another user to read the prior data that was put into
the register by either hardware thread.
Additional Information
The following URLs provide additional information about this vulnerability.