11

Recently a security researcher made the following claim via Twitter (emphasis added):

If you're running Windows, I'm about to publish a tool that checks if you have the "Variant 3: rogue data cache load (CVE-2017-5754)" aka #Meltdown patches applied, and if you have newer Intel hardware that seems to mitigate at the hardware level. This uses a new undocumented API https://t.co/6sA8tehceg

They also expanded on this a bit to say:

There’s a new CPUID bit and MSR on models 0x36 and later, looks like.

I'm not sure if/how I can verify this researcher's possible discovery, so I don't know if this is true.

Does recent Intel hardware mitigate Meltdown at the hardware level? If so, how and how well, and on what hardware?

Alexander O'Mara
  • Incidentally, if anyone knows what model 0x36 is, that might be a helpful hint. – Alexander O'Mara Jan 05 '18 at 14:51
  • In my personal experience Alex Ionescu is a credible source. That members of the Microsoft Security Response Center are publishing a tool with the same functionality makes this claim even more credible to me. https://twitter.com/epakskape/status/948769386906578944 – Tom K. Jan 05 '18 at 14:57
  • @Tom I agree they are credible. They do add a bit of uncertainty to their claim though, and in any case I am hoping for more details. – Alexander O'Mara Jan 05 '18 at 14:59
  • The 0x36 models seem to refer to a certain type of Intel processor. More information [here](https://software.intel.com/en-us/articles/intel-architecture-and-processor-identification-with-cpuid-model-and-family-numbers) – Tom K. Jan 05 '18 at 15:01
  • I reached out to Ionescu for comment on Twitter. – Tom K. Jan 13 '18 at 11:26

2 Answers

4

Recent Intel CPUs have PCID. PCID helps a lot with the performance hit because without it, you have to completely separate the kernel TLB from the userspace TLB. (* Ok, not completely, but mostly). If you have PCID, then the hardware has an extra feature to avoid the performance penalty from the cache misses that would normally happen when you do that.

To answer your main question, PCID does help with the performance issues of the workaround for Meltdown, but it doesn't fix Meltdown itself. You still need to make sure you have a kernel with KPTI on Linux, or the similar kernel fixes in other operating systems.

References:
  • https://en.wikipedia.org/wiki/Translation_lookaside_buffer#PCID
  • https://groups.google.com/forum/#!topic/mechanical-sympathy/L9mHTbeQLNU
  • https://en.wikipedia.org/wiki/Kernel_page-table_isolation

Jacob Brown
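As an added illustration (not code from the question, either answer, SpecuCheck or Microsoft's script), the following C program decodes the CPUID fields both threads of this discussion hinge on: the family/model number behind identifiers like "model 0x36", the PCID and INVPCID feature bits the answer above refers to, and the CPUID bit that announces the IA32_ARCH_CAPABILITIES MSR, whose bit 0 (RDCL_NO) is how Intel hardware reports that it is not susceptible to rogue data cache load. Bit positions are taken from Intel's CPUID instruction reference; reading the MSR itself is privileged, so the program only decodes a value the caller has already read (on Linux, via the msr driver under /dev/cpu/<n>/msr). The function names, the struct and the sample register values in the comments are this example's own, not anything from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* Family/model decoded from CPUID leaf 1 EAX, folding in the extended fields
 * the way Intel's DisplayFamily/DisplayModel convention does. */
struct cpu_signature {
    unsigned family;
    unsigned model;
    unsigned stepping;
};

struct cpu_signature decode_signature(uint32_t eax)
{
    struct cpu_signature s;
    unsigned model      = (eax >> 4)  & 0xF;
    unsigned family     = (eax >> 8)  & 0xF;
    unsigned ext_model  = (eax >> 16) & 0xF;
    unsigned ext_family = (eax >> 20) & 0xFF;

    s.stepping = eax & 0xF;
    /* Extended family is only added when the base family field saturates. */
    s.family = (family == 0xF) ? family + ext_family : family;
    /* Extended model only applies to family 6 and family 15 parts
     * (constructed sample: EAX 0x000306A9 decodes to family 6, model 0x3A). */
    s.model  = (family == 0x6 || family == 0xF) ? (ext_model << 4) | model : model;
    return s;
}

/* Feature bits, positions per the CPUID instruction reference in the Intel SDM. */
bool has_pcid(uint32_t leaf1_ecx)          { return (leaf1_ecx >> 17) & 1u; }  /* CPUID.1:ECX[17]   */
bool has_invpcid(uint32_t leaf7_ebx)       { return (leaf7_ebx >> 10) & 1u; }  /* CPUID.7.0:EBX[10] */
bool has_ibrs_ibpb(uint32_t leaf7_edx)     { return (leaf7_edx >> 26) & 1u; }  /* CPUID.7.0:EDX[26] */
bool has_stibp(uint32_t leaf7_edx)         { return (leaf7_edx >> 27) & 1u; }  /* CPUID.7.0:EDX[27] */
bool has_arch_caps_msr(uint32_t leaf7_edx) { return (leaf7_edx >> 29) & 1u; }  /* CPUID.7.0:EDX[29] */

/* IA32_ARCH_CAPABILITIES (MSR 0x10A) bit 0 is RDCL_NO: the CPU reports that it
 * is not susceptible to rogue data cache load. Reading the MSR needs ring 0,
 * so this helper only decodes a value the caller has already obtained. */
bool rdcl_no(uint64_t arch_caps_msr) { return arch_caps_msr & 1u; }

/* Stand-alone run: query the live CPU and print what the bits say. */
int main(void)
{
#ifdef HAVE_CPUID
    unsigned a, b, c, d;
    unsigned max_leaf = __get_cpuid_max(0, NULL);

    __cpuid(1, a, b, c, d);
    struct cpu_signature sig = decode_signature(a);
    printf("family 0x%x model 0x%02x stepping %u\n", sig.family, sig.model, sig.stepping);
    printf("PCID:                        %s\n", has_pcid(c) ? "yes" : "no");

    if (max_leaf >= 7) {
        __cpuid_count(7, 0, a, b, c, d);
        printf("INVPCID:                     %s\n", has_invpcid(b) ? "yes" : "no");
        printf("IBRS/IBPB:                   %s\n", has_ibrs_ibpb(d) ? "yes" : "no");
        printf("STIBP:                       %s\n", has_stibp(d) ? "yes" : "no");
        printf("IA32_ARCH_CAPABILITIES MSR:  %s\n", has_arch_caps_msr(d) ? "yes" : "no");
        if (has_arch_caps_msr(d))
            puts("  -> read MSR 0x10A as root and pass it to rdcl_no() for bit 0 (RDCL_NO)");
    } else {
        puts("CPUID leaf 7 not supported on this CPU");
    }
#else
    puts("not an x86 build; use the decode helpers on values captured elsewhere");
#endif
    return 0;
}
```

Two things to keep apart when reading the output: PCID/INVPCID say nothing about whether the CPU is vulnerable, they only let a KPTI-style page-table split avoid most TLB flushes; and the IA32_ARCH_CAPABILITIES bit in CPUID only tells you the MSR exists, so the actual "not susceptible" answer is RDCL_NO in the MSR itself, which also has to be read by the kernel or a privileged tool. Without RDCL_NO set, a kernel with KPTI (or the equivalent fix on other operating systems) is still required.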
2

I looked into the source code of the tool written by Alex Ionescu on his GitHub page. In short: this tool checks if branch prediction is enabled for your processor or not. I haven't found a source yet, but it seems to me that it is possible to disable branch prediction completely and therefore "mitigate" branch target injection. But this seems to be an option only available for newer Intel processors. I will check back later to see if I can find an original source for that.

What I can say though is that, if the above is true, there seems to be a certain level of mitigation at the hardware level. Not because of the architecture of these processors, but because you can configure them in a certain way "at the hardware level", which I personally think is not a great wording for this.

Microsoft in the meantime released their tool, which pretty much does the same thing (checks for certain configurations and registry entries). There is something in there that is called "Hardware support for branch target injection mitigation".

I skimmed through Ionescu's Tweets and found this.

Now that the MSRs and commands are documented in Intel's excellent whitepaper [...], I've updated SpecuCheck (that's his tool) to address some of its incorrect assumptions (which is why you should be using the official PowerShell Script!).

  • Alex Ionescu, 06.01.2018

There is no more output for any mitigation on the hardware level. Still not sure what the Microsoft tool is outputting.

Tom K.