Intel’s protected kernel memory leak fun

John Leyden and Chris Williams have done excellent work reporting this news for The Register. Read it in full for all the details; I could barely believe it.

In short, 64-bit Intel CPUs leak protected kernel memory, and a microcode fix won’t be possible. Operating systems will have to be updated to mitigate it, which will incur a performance penalty.

AMD’s Tom Lendacky inadvertently provides the best summary:

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

And Postgres’s Andres Freund gives an indication of the performance impact in a worst-case, syscall-heavy scenario. pti is page table isolation, the immediate software workaround:

pgbench SELECT 1, 16 clients, i7-6820HQ CPU (skylake):  
pti=off: tps = 420490.162391  
pti=on: tps = 350746.065039 (~0.83x)  
pti=on, nopcid: tps = 324269.903152 (~0.77x)
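As an added example (not from the post or from the kernel itself), a small POSIX shell check of a Linux host’s PTI posture that also reports whether the CPU exposes PCID, since the nopcid row above shows how much more the mitigation costs without it. It assumes the mainline kernel’s interfaces: the `pti` and `pcid` flags in /proc/cpuinfo and the /sys/devices/system/cpu/vulnerabilities/meltdown file.

```shell
#!/bin/sh
# Classify a host's Meltdown/PTI posture from two inputs, passed as strings so the
# logic can be exercised offline with constructed samples:
#   $1: the "flags" line from /proc/cpuinfo (assumed Linux interface)
#   $2: contents of /sys/devices/system/cpu/vulnerabilities/meltdown (assumed)
# Prints one of: not-affected, vulnerable, mitigated-pcid, mitigated-nopcid, unknown
pti_status() {
  flags=" $1 "
  sysfs="$2"
  # Kernels that predate the vulnerabilities sysfs directory still export a "pti"
  # cpuinfo flag when page table isolation is active; fall back to it.
  case "$flags" in
    *" pti "*) [ -z "$sysfs" ] && sysfs="Mitigation: PTI" ;;
  esac
  case "$sysfs" in
    "Not affected"*) echo "not-affected"; return 0 ;;
    "Vulnerable"*)   echo "vulnerable";   return 1 ;;
    Mitigation:*)
      # PTI is far cheaper with PCID, which lets the kernel avoid full TLB
      # flushes on every user/kernel switch (compare the nopcid pgbench row).
      case "$flags" in
        *" pcid "*) echo "mitigated-pcid" ;;
        *)          echo "mitigated-nopcid" ;;
      esac
      return 0 ;;
    *) echo "unknown"; return 2 ;;
  esac
}

# Read the real files when run on a host; a missing sysfs file simply yields
# an empty string and the cpuinfo fallback above decides.
report_host() {
  flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
  sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
  pti_status "$flags" "$sysfs"
}
```

Run `report_host` on a fleet and treat `vulnerable` or `mitigated-nopcid` as the hosts to prioritise, the former for patching and the latter for the performance regression the benchmark above predicts.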

This is hot on the heels of the latest Intel Management Engine problems.

There have been plenty of other issues since, but it does harken back to that Pentium F00F bug:

Due to the proliferation of Intel microprocessors, the existence of this open privilege instruction was considered a serious issue at the time. Operating system vendors responded by implementing workarounds that detected the condition and prevented the crash. Information about the bug first appeared on the Internet on or around 8 November 1997.

I still see mitigation lines against this in FreeBSD dmesg on my vintage MMX tower.

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.