==================================
Register File Data Sampling (RFDS)
==================================

Register File Data Sampling (RFDS) is a microarchitectural vulnerability that
only affects Intel Atom parts (also branded as E-cores). RFDS may allow
a malicious actor to infer data values previously used in floating point
registers, vector registers, or integer registers. RFDS does not provide the
ability to choose which data is inferred. CVE-2023-28746 is assigned to RFDS.

Affected Processors
===================
Below is the list of affected Intel processors [#f1]_:

   ===================  ============
   Common name          Family_Model
   ===================  ============
   ATOM_GOLDMONT           06_5CH
   ATOM_GOLDMONT_D         06_5FH
   ATOM_GOLDMONT_PLUS      06_7AH
   ATOM_TREMONT_D          06_86H
   ATOM_TREMONT            06_96H
   ALDERLAKE               06_97H
   ALDERLAKE_L             06_9AH
   ATOM_TREMONT_L          06_9CH
   RAPTORLAKE              06_B7H
   RAPTORLAKE_P            06_BAH
   ATOM_GRACEMONT          06_BEH
   RAPTORLAKE_S            06_BFH
   ===================  ============

As an exception to this table, Intel Xeon E family parts ALDERLAKE (06_97H) and
RAPTORLAKE (06_B7H) codenamed Catlow are not affected. They are reported as
vulnerable in Linux because they share the same family/model with an affected
part. Unlike their affected counterparts, they do not enumerate RFDS_CLEAR or
CPUID.HYBRID. This information could be used to distinguish between the
affected and unaffected parts, but it is deemed not worth adding complexity as
the reporting is fixed automatically when these parts enumerate RFDS_NO.

Mitigation
==========
Intel released a microcode update that enables software to clear sensitive
information using the VERW instruction. RFDS uses the same mitigation
strategy as MDS: force the CPU to clear the affected buffers before an
attacker can extract the secrets. This is achieved by using the otherwise
unused and obsolete VERW instruction in combination with a microcode update.
The microcode clears the affected CPU buffers when the VERW instruction is
executed.

Mitigation points
-----------------
VERW is executed by the kernel before returning to user space, and by KVM
before VMentry. None of the affected cores support SMT, so VERW is not required
at C-state transitions.

New bits in IA32_ARCH_CAPABILITIES
----------------------------------
Newer processors, and microcode updates on existing affected processors, add
new bits to the IA32_ARCH_CAPABILITIES MSR. These bits can be used to enumerate
vulnerability and mitigation capability:

- Bit 27 - RFDS_NO - When set, processor is not affected by RFDS.
- Bit 28 - RFDS_CLEAR - When set, processor is affected by RFDS, and has the
  microcode that clears the affected buffers on VERW execution.

Mitigation control on the kernel command line
---------------------------------------------
The kernel command line allows control of the RFDS mitigation at boot time with
the parameter "reg_file_data_sampling=". The valid arguments are:

  ==========  =================================================================
  on          If the CPU is vulnerable, enable mitigation; CPU buffer clearing
              on exit to userspace and before entering a VM.
  off         Disables mitigation.
  ==========  =================================================================

The mitigation default is selected by CONFIG_MITIGATION_RFDS.

Mitigation status information
-----------------------------
The Linux kernel provides a sysfs interface to enumerate the current
vulnerability status of the system: whether the system is vulnerable, and
which mitigations are active. The relevant sysfs file is:

	/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling

The possible values in this file are:

  .. list-table::

     * - 'Not affected'
       - The processor is not vulnerable.
     * - 'Vulnerable'
       - The processor is vulnerable, but no mitigation is enabled.
     * - 'Vulnerable: No microcode'
       - The processor is vulnerable but microcode is not updated.
     * - 'Mitigation: Clear Register File'
       - The processor is vulnerable and the CPU buffer clearing mitigation is
         enabled.

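The enumeration bits, the affected-processor table and the status strings above combine into one decision. The following C program is an added example, not the kernel's own code: the function names are hypothetical, and testing the ``off`` setting before the microcode bit is an assumption of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IA32_ARCH_CAPABILITIES bits as listed in this document. */
#define RFDS_NO    (1ULL << 27)
#define RFDS_CLEAR (1ULL << 28)

/* Family 06 models from the "Affected Processors" table. */
static const uint8_t rfds_models[] = {
	0x5C, 0x5F, 0x7A, 0x86, 0x96, 0x97, 0x9A, 0x9C, 0xB7, 0xBA, 0xBE, 0xBF,
};

static bool model_listed(unsigned family, unsigned model)
{
	for (size_t i = 0; family == 6 && i < sizeof(rfds_models); i++)
		if (rfds_models[i] == model)
			return true;
	return false;
}

/* Enumeration bits win; the table is consulted only when neither is set. */
static bool rfds_affected(unsigned family, unsigned model, uint64_t cap)
{
	if (cap & RFDS_NO)
		return false;
	if (cap & RFDS_CLEAR)
		return true;
	return model_listed(family, model);
}

/* mitigation_on models reg_file_data_sampling=on/off (assumed precedence:
 * "off" is tested before the microcode bit). Returns the sysfs string. */
const char *rfds_status(unsigned family, unsigned model, uint64_t cap, bool mitigation_on)
{
	if (!rfds_affected(family, model, cap))
		return "Not affected";
	if (!mitigation_on)
		return "Vulnerable";
	if (!(cap & RFDS_CLEAR))
		return "Vulnerable: No microcode";
	return "Mitigation: Clear Register File";
}

int main(void)
{
	/* Constructed input: model 06_97H with no RFDS bits enumerated. */
	puts(rfds_status(6, 0x97, 0, true));
	return 0;
}
```

A 06_97H part that enumerates neither bit is classified from the table alone, which is how the unaffected Catlow parts end up reported as vulnerable until they enumerate RFDS_NO.
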
References
----------
.. [#f1] Affected Processors
   https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html