Running Average Power Limit Energy Reporting / CVE-2020-8694, CVE-2020-8695 / INTEL-SA-00389

Published: 11/10/2020

Disclosure date: 2020-11-10

Published date: 2020-11-10

Severity rating: 5.6 Medium

Industry-wide severity ratings can be found in the National Vulnerability Database


Aliases

  • Platypus

Related Content

INTEL-SA-00389

CVE-2020-8694

CVE-2020-8695

Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations

Security Best Practices for Side Channel Resistance

Overview

Most modern processors, including Intel processors, provide Running Average Power Limit (RAPL) interfaces for reporting the accumulated energy consumption of various power domains (for example, PP0 [1] or Package). Under certain conditions, observable RAPL energy [2] reporting may unintentionally allow information about the system to be inferred. This issue has been assigned CVE-2020-8695, with CVSS score 5.3 Medium and CVSS vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N. A corresponding issue, in which an authenticated unprivileged user can access these interfaces, has been assigned CVE-2020-8694, with CVSS score 5.6 Medium and CVSS vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N.

When a CPU processes data, transistors are switched on and off depending on the data being processed. Since switching transistors uses a tiny bit of energy, there is some correlation between energy consumption and the data being processed. This physical property may lead to malicious actors correlating the system’s reported energy consumption with possible secret data being processed on the system. By performing power analysis, an adversary might be able to retrieve secret data, such as cryptographic keys, across trust boundaries.

Mitigation

OS Developers, VMM Developers, and System Administrators

There are currently no explicit use cases for unprivileged software to access RAPL interfaces. Therefore, attack scenarios from malicious unprivileged applications to other trust domains can be blocked by removing user-level read access to the MSRs. Hypervisors may choose to remove access to these MSRs for untrusted guests. Removing this access eliminates the most common avenues of accessing energy information from RAPL on the system.

System administrators can do this either by applying patch 949dd0104c49 (“powercap: restrict energy meter to root access”), in Linux* kernel 5.10.0-rc4, or manually by using the following command:

$ sudo chmod 400 /sys/class/powercap/intel-rapl*/*/energy_uj
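
A mode set with chmod on sysfs does not survive a reboot, so the restriction is worth auditing. The following check is an added example, not part of Intel's guidance; the function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit that the chmod mitigation above is in effect.
# Assumption: sysfs files are owned by root, so only the group/other
# read bits decide whether an unprivileged user can read the counter.

# audit_rapl_perms [ROOT]
# Prints every energy_uj file under ROOT whose mode grants read access to
# group or others; returns 1 if any was found, 0 otherwise.
audit_rapl_perms() {
    root=${1:-/sys/class/powercap}
    exposed=0
    # Same glob as the chmod command, plus zones linked directly under ROOT.
    for f in "$root"/intel-rapl*/energy_uj "$root"/intel-rapl*/*/energy_uj; do
        [ -e "$f" ] || continue            # pattern matched nothing
        mode=$(ls -ld -- "$f" | cut -c1-10)
        case "$mode" in
            ????r*|???????r*)              # group-read or other-read bit set
                printf '%s %s\n' "$mode" "$f"
                exposed=1 ;;
        esac
    done
    return "$exposed"
}

# make_sample_tree DIR: constructed stand-in for /sys/class/powercap with one
# restricted zone (mode 400) and one subzone left world-readable (mode 444).
make_sample_tree() {
    mkdir -p "$1/intel-rapl:0/intel-rapl:0:0"
    echo 123456 > "$1/intel-rapl:0/energy_uj"
    echo 7890 > "$1/intel-rapl:0/intel-rapl:0:0/energy_uj"
    chmod 400 "$1/intel-rapl:0/energy_uj"
    chmod 444 "$1/intel-rapl:0/intel-rapl:0:0/energy_uj"
}

# Demonstration on the constructed tree; call audit_rapl_perms with no
# argument to check the live system instead.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_rapl_perms "$demo" || echo "exposed counters found"
rm -rf "$demo"
```

On a live system the same counter can be listed under more than one path, because /sys/class/powercap links each zone both directly and through its parent.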

Developers of Software Running in an Enclave

For a scenario where a privileged adversary attacks an Intel® Software Guard Extensions (Intel® SGX) enclave, the mitigation is to change the method in which energy consumption is reported when Intel® SGX is enabled, as in CVE-2020-8695.

Intel has released a microcode patch that modifies the energy information reported by RAPL when Intel SGX is enabled. Intel recommends using the FIT Microcode Update mechanism described in the Microcode Update Guidance to apply the latest microcode update. This mitigation implementation alters the internal RAPL energy reporting calculation algorithm and may decrease the accuracy of energy information as compared to the previous legacy method used when Intel SGX is disabled. This will impact the energy information from RAPL that any software reading the RAPL MSR registers will observe.

  • When Intel SGX is disabled: Legacy energy is reported, which is called unfiltered.
    • Energy information is measured by the SoC voltage regulator along with some calculated energy of unmonitored power domains.
  • When Intel SGX is enabled [3]: Estimated energy is reported, which is called filtered.
    • The filtered energy information is approximated using SoC activity and residency information rather than using the legacy energy information from RAPL that directly reads from the SoC voltage regulator. This calculation may include SoC voltage, frequency, C-state residency, and other factors that can be used to approximate the SoC power usage.
    • The filtered RAPL energy value will be visible to privileged software that reads MSR_PKG_Energy_Status and MSR_PP0_Energy_Status using the RDMSR instruction. RDMSR is asynchronous to internal RAPL energy reporting updates. RDMSR only captures snapshots from the latest energy information from RAPL and will not trigger new updates. The frequency that RAPL energy information is updated remains the same at ~1 ms.

The differences between filtered energy reporting when Intel SGX is enabled compared to unfiltered energy reporting will vary depending on many factors. When comparing filtered energy reporting to unfiltered energy reporting with measurements taken at 1-second intervals, the power delta can be between 0-50%, but the exact delta cannot be guaranteed.

Footnotes

  1. PP0 is a power plane for the Intel® architecture core, and Package includes all power planes.
  2. Power P = Energy E / time t.
    RAPL power information and RAPL energy reporting are used interchangeably.
  3. BIOS might allow for two modes for Intel SGX to be enabled:
    1: Software enabled by the user and a reboot is required.
    2: Intel SGX is enabled in BIOS and Intel SGX is always on.

 
