Side-Channel Security Issue: Intel® Software Support
On January 3, 2018, a team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from a variety of computing devices with various vendors' processors and operating systems.
To address the recent security advisory, we have collected some information that may be helpful. If you are working with an Intel field representative, please continue to do so.
Learn about the side-channel vulnerability and how to implement the latest mitigations.
- Retpoline: A Branch Target Injection Mitigation (PDF)
  - Details, exploit conditions, and mitigations for the exploit known as Branch Target Injection (Spectre variant 2)
- Mitigation Overview for Potential Side-Channel Cache Exploits in Linux* (PDF)
  - Recommendations for mitigating the three variants for Linux
- Speculative Execution Side-Channel Mitigations (PDF)
  - A detailed explanation of the security vulnerabilities and possible mitigations
- Intel Analysis of Speculative Execution Side Channels (PDF)
  - Overview of the three variants along with related Intel security features
- Use Intel® Compilers to Mitigate Speculative Execution Side-Channel Issues
  - Intel® C++ Compiler and Intel® Fortran Compiler support for speculative execution side-channel mitigations
Get more information from third-party operating system vendors, cloud service providers, and virtualization stacks about updating a particular product. Links constantly change, so check back regularly.
Last updated on March 23, 2018
- What are the affected Intel® processors?
  - For more information, see Side-Channel Analysis Facts and Intel Products.
- What is the advocated method to mitigate Bounds Check Bypass (Spectre variant 1)?
  - Some mitigations have been developed and we expect the ecosystem to continue. Please check back for updates. For details, see Speculative Execution Side-Channel Mitigations and Intel Analysis of Speculative Execution Side-Channels White Paper.
- What is the advocated method to mitigate Branch Target Injection (Spectre variant 2)?
  - At a minimum, you need a toolchain and kernel that support retpoline sequences. The kernel support for retpoline sequences is upstream in kernel version 4.15 and has been backported to versions 4.14 and 4.9. For details, see Speculative Execution Side-Channel Mitigations and Intel Analysis of Speculative Execution Side-Channels White Paper. In many cases, a microcode update is recommended as well.
- Where can I learn more about retpoline?
  - Google's support page provides details on how retpoline works to isolate indirect branches from speculative execution.
- What is the advocated method to mitigate Rogue Data Cache Load (Meltdown variant 3)?
  - You need a kernel supporting kernel page table isolation (KPTI). For more details about support for specific releases, see Mitigation Status by Kernel Version. Note that functionality similar to KPTI is provided by KAISER in kernel version 4.9 and earlier.
- Do I need a microcode update?
  - For Intel® processors of the Broadwell generation and later, maximum mitigation with retpoline requires following Intel’s microcode recommendations. See the security advisory for the latest details on which options are available. This is especially true when mitigating potential side-channel cache exploits.
- How do I update the microcode?
  - Intel always recommends running the latest microcode for your system by using an updated BIOS or by OS loading of microcode updates if supported by the platform. See the security advisory for the latest details on what options are available. This is especially true when mitigating potential side-channel cache exploits.
- What should I do if I'm running a 3.x kernel?
  - If you are working with a Linux distribution, contact the vendor. Otherwise, the recommendation is to move to kernel version 4.14. See links in the Resources section.
- What should I do if I’m running a Linux distribution?
  - Contact your operating system vendor. Find information about third-party systems in the Resources section.
- Is mitigation for Bounds Check Bypass (Spectre variant 1) complete?
  - The Linux kernel mitigations for Bounds Check Bypass are focused on direct mitigations for the exploits described by Google Project Zero, as well as the addition of infrastructure to the upstream kernel to support future mitigations. This set of mitigations may grow over time as the industry response matures through improved tooling and increased developer awareness.
- Is IBRS supported in virtual machines running under KVM?
  - Mitigation against Branch Target Injection (Spectre variant 2) in the upstream kernel is primarily provided by retpoline. However, virtual machines running under Kernel-based Virtual Machine (KVM) might be running operating systems that are mitigated using indirect branch restricted speculation (IBRS). There is an active upstream effort to support this use case.
- Is KPTI useful outside of a mitigation for Rogue Data Cache Load (Meltdown variant 3)?
  - Yes. Kernel page table isolation (KPTI) hardens the kernel address space layout randomization (KASLR) mechanism. In addition, KPTI provides mitigation against a class of exploit methods that subvert the kernel to execute attacker-provided code in application memory. The software-driven mitigation of KPTI is very similar in behavior to a hardware mitigation called supervisor mode execution protection (SMEP).
- How are the IBRS and STIBP MSRs used when the operating system supports retpoline?
  - IBRS and single thread indirect branch predictors (STIBP) are two model-specific registers (MSRs) defined in the Speculative Execution Side-Channel Mitigations white paper. When a Linux kernel supports retpoline, these MSRs are not used to mitigate attacks against the kernel itself. However, they are still available for use by virtual machines to mitigate Spectre variant 2.
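
To confirm on a running system what the variant 2, variant 3 and microcode answers above call for, the following added example (not Intel's code and not part of the original page) reads the kernel's own mitigation report and the loaded microcode revision. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`; the function names and the sample status strings are constructed for illustration, and the sample models a kernel built with a toolchain that lacks retpoline support.

```shell
#!/bin/sh
# Added example: summarise the kernel's mitigation report for the three variants.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # assumed present on this kernel

# Map one sysfs status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # empty: kernel has no entry for this variant
    esac
}

# Print "variant<TAB>verdict<TAB>raw status"; return 1 unless all three are clean.
report_mitigations() {
    dir=${1:-$VULN_DIR}; bad=0
    for name in spectre_v1 spectre_v2 meltdown; do
        status=""
        [ -r "$dir/$name" ] && status=$(cat "$dir/$name")
        verdict=$(classify_status "$status")
        case "$verdict" in mitigated|not-affected) ;; *) bad=1 ;; esac
        printf '%s\t%s\t%s\n' "$name" "$verdict" "${status:-<no sysfs entry>}"
    done
    return $bad
}

# Microcode revision currently loaded, as reported for the first logical CPU.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Constructed sample: KPTI active, but the kernel was built without a retpoline compiler.
make_sample() {
    mkdir -p "$1"
    echo 'Mitigation: __user pointer sanitization' > "$1/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/spectre_v2"
    echo 'Mitigation: PTI' > "$1/meltdown"
    printf 'processor\t: 0\nmicrocode\t: 0x22\n' > "$1/cpuinfo"
}

sample=$(mktemp -d)
make_sample "$sample"
report_mitigations "$sample" || echo "action needed: at least one variant is not mitigated"
echo "microcode revision: $(microcode_revision "$sample/cpuinfo")"
rm -rf "$sample"
```

Called with no arguments, `report_mitigations` and `microcode_revision` read the live system; compare the reported revision with the one listed in the security advisory for your processor.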