Diffstat (limited to 'debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch')
-rw-r--r-- debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch 140
1 files changed, 0 insertions, 140 deletions
diff --git a/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch b/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch
deleted file mode 100644
index 781be97097..0000000000
--- a/debian/patches/bugfix/x86/Documentation-hw-vuln-Add-documentation-for-RFDS.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Date: Mon, 11 Mar 2024 12:29:43 -0700
-Subject: Documentation/hw-vuln: Add documentation for RFDS
-Origin: https://git.kernel.org/linus/4e42765d1be01111df0c0275bbaf1db1acef346e
-
-Add the documentation for transient execution vulnerability Register
-File Data Sampling (RFDS) that affects Intel Atom CPUs.
-
-Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
----
- Documentation/admin-guide/hw-vuln/index.rst | 1 +
- .../hw-vuln/reg-file-data-sampling.rst | 104 ++++++++++++++++++
- 2 files changed, 105 insertions(+)
- create mode 100644 Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-
-diff --git a/Documentation/admin-guide/hw-vuln/index.rst b/Documentation/admin-guide/hw-vuln/index.rst
-index de99caabf65a..ff0b440ef2dc 100644
---- a/Documentation/admin-guide/hw-vuln/index.rst
-+++ b/Documentation/admin-guide/hw-vuln/index.rst
-@@ -21,3 +21,4 @@ are configurable at compile, boot or run time.
- cross-thread-rsb
- srso
- gather_data_sampling
-+ reg-file-data-sampling
-diff --git a/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst b/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-new file mode 100644
-index 000000000000..0585d02b9a6c
---- /dev/null
-+++ b/Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst
-@@ -0,0 +1,104 @@
-+==================================
-+Register File Data Sampling (RFDS)
-+==================================
-+
-+Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
-+only affects Intel Atom parts(also branded as E-cores). RFDS may allow
-+a malicious actor to infer data values previously used in floating point
-+registers, vector registers, or integer registers. RFDS does not provide the
-+ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.
-+
-+Affected Processors
-+===================
-+Below is the list of affected Intel processors [#f1]_:
-+
-+ =================== ============
-+ Common name Family_Model
-+ =================== ============
-+ ATOM_GOLDMONT 06_5CH
-+ ATOM_GOLDMONT_D 06_5FH
-+ ATOM_GOLDMONT_PLUS 06_7AH
-+ ATOM_TREMONT_D 06_86H
-+ ATOM_TREMONT 06_96H
-+ ALDERLAKE 06_97H
-+ ALDERLAKE_L 06_9AH
-+ ATOM_TREMONT_L 06_9CH
-+ RAPTORLAKE 06_B7H
-+ RAPTORLAKE_P 06_BAH
-+ ATOM_GRACEMONT 06_BEH
-+ RAPTORLAKE_S 06_BFH
-+ =================== ============
-+
-+As an exception to this table, Intel Xeon E family parts ALDERLAKE(06_97H) and
-+RAPTORLAKE(06_B7H) codenamed Catlow are not affected. They are reported as
-+vulnerable in Linux because they share the same family/model with an affected
-+part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
-+CPUID.HYBRID. This information could be used to distinguish between the
-+affected and unaffected parts, but it is deemed not worth adding complexity as
-+the reporting is fixed automatically when these parts enumerate RFDS_NO.
-+
-+Mitigation
-+==========
-+Intel released a microcode update that enables software to clear sensitive
-+information using the VERW instruction. Like MDS, RFDS deploys the same
-+mitigation strategy to force the CPU to clear the affected buffers before an
-+attacker can extract the secrets. This is achieved by using the otherwise
-+unused and obsolete VERW instruction in combination with a microcode update.
-+The microcode clears the affected CPU buffers when the VERW instruction is
-+executed.
-+
-+Mitigation points
-+-----------------
-+VERW is executed by the kernel before returning to user space, and by KVM
-+before VMentry. None of the affected cores support SMT, so VERW is not required
-+at C-state transitions.
-+
-+New bits in IA32_ARCH_CAPABILITIES
-+----------------------------------
-+Newer processors and microcode update on existing affected processors added new
-+bits to IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
-+vulnerability and mitigation capability:
-+
-+- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
-+- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
-+ microcode that clears the affected buffers on VERW execution.
-+
-+Mitigation control on the kernel command line
-+---------------------------------------------
-+The kernel command line allows to control RFDS mitigation at boot time with the
-+parameter "reg_file_data_sampling=". The valid arguments are:
-+
-+ ========== =================================================================
-+ on If the CPU is vulnerable, enable mitigation; CPU buffer clearing
-+ on exit to userspace and before entering a VM.
-+ off Disables mitigation.
-+ ========== =================================================================
-+
-+Mitigation default is selected by CONFIG_MITIGATION_RFDS.
-+
-+Mitigation status information
-+-----------------------------
-+The Linux kernel provides a sysfs interface to enumerate the current
-+vulnerability status of the system: whether the system is vulnerable, and
-+which mitigations are active. The relevant sysfs file is:
-+
-+ /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
-+
-+The possible values in this file are:
-+
-+ .. list-table::
-+
-+ * - 'Not affected'
-+ - The processor is not vulnerable
-+ * - 'Vulnerable'
-+ - The processor is vulnerable, but no mitigation enabled
-+ * - 'Vulnerable: No microcode'
-+ - The processor is vulnerable but microcode is not updated.
-+ * - 'Mitigation: Clear Register File'
-+ - The processor is vulnerable and the CPU buffer clearing mitigation is
-+ enabled.
-+
-+References
-+----------
-+.. [#f1] Affected Processors
-+ https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
---
-2.43.0
-
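Review bot: the whole-file deletion (`@@ -1,140 +0,0 @@`) carries no stated reason in the visible lines, and the diffstat is limited to this one path, so it cannot be confirmed from here that the patch is also dropped from the patch series, or that the new base already contains the upstream commit 4e42765d1be01111df0c0275bbaf1db1acef346e named in the `Origin:` header. Please state in the commit message or changelog why the patch is removed (for example, that it is now included upstream), and check that the resulting tree still ships Documentation/admin-guide/hw-vuln/reg-file-data-sampling.rst and its `reg-file-data-sampling` entry in hw-vuln/index.rst, since administrators depend on that text for the `reg_file_data_sampling=` boot parameter and the values reported in /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling.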