Hector Martin confirms that there is indeed a chicken bit to turn the DMP off and ensure correct behavior for the M2. He doesn’t have an M1 right now but it should be there too.
Hector Martin (@marcan@treehouse.systems)
Found the DMP disable chicken bit. It's `HID11_EL1<30>` (at least on M2). So yeah, as I predicted, GoFetch is entirely patchable. I'll write up a patch for Linux to hook it up as a CPU security bug workaround. (`HID4_EL1<4>` also works, but we have a name for that and it looks like a big...
social.treehouse.systems
So it is at least patchable. Another tidbit of note:
One interesting finding is that the DMP is already disabled in EL2 (and presumably EL1), it only works in EL0. So it looks like the CPU designers already had some idea that it is a security liability, and chose to hard-disable it in kernel mode. This means kernel-mode crypto on Linux is already intrinsically safe.