'Beyond stupid': Linus Torvalds trashes 5.8 Linux kernel patch over opt-in Intel CPU bug mitigation

AWS engineers given a dressing-down after proposing fix for 'paranoid' tasks


Linus Torvalds has pulled a patch from the next release of the Linux kernel that was intended to provide additional, opt-in mitigation of attacks against the L1 data (L1D) cache of the CPU.

The patch from AWS engineer Balbir Singh was to provide "an opt-in (prctl driven) mechanism to flush the L1D cache on context switch. The goal is to allow tasks that are paranoid due to the recent snoop-assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

Snoop-assisted L1 data sampling is one of a family of vulnerabilities in Intel microprocessors in which malware may be able to infer private and sensitive data by observing what another task has left in the cache. "Snoop-assisted L1D sampling requires the snoop to hit a modified cache line in the exact same single core clock cycle window as the faulting/assisting/aborting load," explains Chipzilla.

Flushing the L1D whenever the active thread or process is switched out is meant to mitigate this and similar cache-based leaks, since nothing of the outgoing task's data remains for the next task to sample, but it harms performance: the incoming task starts with a cold cache every time.

The patch was added to the code for the 5.8 kernel, which will be the next release, but removed after review by Torvalds. "It looks to me like this basically exports cache flushing instructions to user space, and gives processes a way to just say 'slow down anybody else I schedule with too'," he said. "In other words, from what I can tell, this takes the crazy 'Intel ships buggy CPUs and it causes problems for virtualization' code (which I didn't much care about), and turns it into 'anybody can opt in to this disease, and now it affects even people and CPUs that don't need it and configurations where it's completely pointless'.

"I don't want some application to go 'Oh, I'm _soo_ special and pretty and such a delicate flower, that I want to flush the L1D on every task switch, regardless of what CPU I am on, and regardless of whether there are errata or not' … I do not want the kernel to do things that seem to be 'beyond stupid'."


There are plenty of nuances here. One of Torvalds' points is that if SMT (simultaneous multi-threading, or "hyper-threading") is enabled, then flushing the cache on a task switch "is crazy, since an attacker would just sit on a sibling core and attack the L1 contents *before* the task switch happens," because the two hardware threads of a core share the same L1D. In this scenario, "it's just an incredibly stupid waste of time and effort to do that, and I can see some poor hapless ssh developer saying 'yes, I should enable this thing because ssh is very special', and then ssh just starts wasting time on something that doesn't actually help." He added that the code is hard to follow, saying "some of the code scares me."
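The SMT objection above is something a process could check for itself before opting into any flush-on-switch mitigation. The following C program is an added example, not code from the article, from the patch under discussion, or from the kernel: it reads the kernel's sysfs SMT status (/sys/devices/system/cpu/smt/active, present since Linux 4.19) and, as a fallback, the sibling list of the CPU the thread is running on (/sys/devices/system/cpu/cpuN/topology/thread_siblings_list), and reports whether a sibling hyperthread shares the L1D with the caller. The function names are the example's own; the sysfs paths are real. If a sibling shares the core, flushing on context switch buys nothing, exactly as Torvalds argues.

```c
/* Added example (not from the article or the patch): decide whether a
 * flush-L1D-on-context-switch mitigation could help on this machine, by
 * checking whether an SMT sibling shares the current core's L1D.
 * Linux sysfs paths used (real):
 *   /sys/devices/system/cpu/smt/active                       ("0" or "1")
 *   /sys/devices/system/cpu/cpuN/topology/thread_siblings_list (cpulist)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the CPUs named in a sysfs cpulist such as "0,4" or "2-3,10-11".
 * Returns -1 on malformed input. */
int cpulist_count(const char *list)
{
    int count = 0;
    const char *p = list;
    while (*p) {
        char *end;
        long lo = strtol(p, &end, 10);
        if (end == p)
            return -1;                     /* not a number */
        long hi = lo;
        if (*end == '-') {                 /* range "lo-hi" */
            p = end + 1;
            hi = strtol(p, &end, 10);
            if (end == p || hi < lo)
                return -1;
        }
        count += (int)(hi - lo + 1);
        p = end;
        while (*p == ',' || *p == ' ' || *p == '\n')
            p++;
    }
    return count;
}

/* Parse the contents of /sys/devices/system/cpu/smt/active: 1, 0, or -1. */
int smt_active_from_text(const char *text)
{
    if (text == NULL)
        return -1;
    if (text[0] == '1')
        return 1;
    if (text[0] == '0')
        return 0;
    return -1;
}

/* Read a small sysfs file into buf; 0 on success, -1 if absent/unreadable. */
static int read_sysfs(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* 1 if the CPU this thread is on has at least one SMT sibling, 0 if it is
 * alone on its core, -1 if sysfs cannot tell us. */
int current_cpu_has_sibling(void)
{
    char path[128], buf[256];
    int cpu = sched_getcpu();
    if (cpu < 0)
        return -1;
    snprintf(path, sizeof path,
             "/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list", cpu);
    if (read_sysfs(path, buf, sizeof buf) < 0)
        return -1;
    int n = cpulist_count(buf);
    if (n < 0)
        return -1;
    return n > 1;
}

/* 1: SMT is off, so a flush on task switch can actually clear the L1D of
 *    the outgoing task's data before anyone else runs on that core.
 * 0: a sibling hyperthread shares the L1D and can sample it *before* the
 *    switch, so the flush is wasted effort.
 * -1: could not determine the SMT state. */
int l1d_flush_on_switch_is_meaningful(void)
{
    char buf[16];
    if (read_sysfs("/sys/devices/system/cpu/smt/active", buf, sizeof buf) == 0) {
        int active = smt_active_from_text(buf);
        if (active == 1)
            return 0;
        if (active == 0)
            return 1;
    }
    int sib = current_cpu_has_sibling();   /* fallback for older kernels */
    if (sib < 0)
        return -1;
    return sib ? 0 : 1;
}

int main(void)
{
    int r = l1d_flush_on_switch_is_meaningful();
    if (r == 1)
        puts("SMT inactive: a flush on task switch can clear L1D before another task runs");
    else if (r == 0)
        puts("SMT active: a sibling thread can read L1D before the switch; flushing is pointless");
    else
        puts("could not determine SMT state from sysfs");
    return 0;
}
```

The program only answers the SMT question; it says nothing about whether the CPU is actually affected by the sampling erratum, which is the other precondition Torvalds raises, and which is a separate check against the kernel's vulnerability reporting.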

Another question is whether it makes sense to do this mitigation at a low level when it may not matter, because all the processes belong to the same user. "Context switch in itself isn't really relevant as a security domain transfer, but it *is* relevant in the sense that switching from one user to another is a sign of 'uhhuh, now maybe I should be careful when returning to user mode'," said Torvalds.

Singh replied: "I am not so sure. A user can host multiple tasks and if one of them was compromised, it would be bad to let it allow the leak to happen. For example if the plugin in a browser could leak a security key of a secure session, that would be bad."

The discussion reveals the frustration among the kernel maintainers over the difficulty of keeping Linux secure in the face of CPU bugs, and over the sheer number of variations these cache-related attacks come in. Referencing a past software fallback for clearing the CPU's data buffers to address an MDS (Microarchitectural Data Sampling) bug, Torvalds said: "That one turned out to be not only incredibly expensive, but it didn't work reliably anyway, and was really only written for one microarchitecture."

Amazon, as a public cloud provider, is particularly sensitive to these data-stealing vulnerabilities because of the implications if one customer were able to spy on the data belonging to another, or on data belonging to the virtual machine host. Another AWS engineer, Benjamin Herrenschmidt, entered the discussion to explain: "These patches aren't trying to solve problems happening inside of a customer VM running SMT nor are they about protecting VMs against other VMs on the same system." AWS has a vast range of services, all of which need to be secure.

Torvalds said that he is "more than happy to be educated on why I'm wrong" but that "for now I'm unpulling it for lack of data." If AWS can convince him of the value of the patch, it may return. ®

Biting the hand that feeds IT © 1998–2022