MXCSR Configuration Dependent Timing

author-image

作者

Introduction

The Data Operand Independent Timing Instruction Set Architecture (DOIT ISA) document describes a new feature  which in conjunction with our guidance on Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations can be used for “constant time” execution for code specifically written to the guidelines. This mode allows constant time code to inform the processor that data operand independent timing is needed.

On certain processors, MXCSR may also need to be configured to avoid data-dependent behavior for the instructions listed in Data Operand Independent Timing Instructions That May Exhibit MXCSR Configuration Dependent Timing Behavior. This article describes that behavior and configuration.

"

MXCSR Configuration Dependent Timing (MCDT)

On certain processors as listed in MCDT Enumeration, some data-independent timing vector instructions may have subtle data-dependent timing due to MXCSR configuration. Specifically, specific data values may delay instruction retirement by, at most, one cycle. This is a small enough delay that it may not be observable in common practice, but this small delay is still data-dependent timing. This data operand-dependent timing may impact software following Intel’s Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations.

Hardware

Future processors are not expected to exhibit data operand dependent timing due to MXCSR configuration. This will be enumerated by CPUID.(EAX=7H,ECX=2):EDX[5]=1. Many current processors which are also not affected are listed in the Processors That Do Not Exhibit MCDT Behavior section.

Software Mitigations

Some environments may conclude that this side channel is minor and does not need mitigation. 

For systems that do not enumerate CPUID.(EAX=7H,ECX=2):EDX[5]=1, software that does need mitigation can mitigate the data-dependent timing by loading MXCSR with the value of 0x1FBF before using data operand independent timing instructions impacted by the MXCSR configuration. Software must use pre- and post-serialized LDMXCSR instructions before using impacted data operand independent timing instructions.

Prolog:
STMXCSR save_val
LDMXCSR value_0x1fbf
LFENCE
// Constant-time code using affected instructions
Epilog:
LFENCE
LDMXCSR save_val

For applications that do not otherwise depend on a specific value of MXCSR, the value of 0x1FBF can be established during the initialization of the application and mitigate the data dependent timing with minimal overhead.

Instructions That May Exhibit MCDT Behavior

This list is based on Intel's investigation and is current as of the date of publication. Intel will update this list if additional instructions with these characteristics are discovered.

  • PMADDUBSW
  • PMULUDQ
  • VPMULHRSW
  • PMADDWD
  • VPLZCNTD    
  • VPMULHUW
  • PMULDQ
  • VPLZCNTQ
  • VPMULHW
  • PMULHRSW
  • VPMADD52HUQ
  • VPMULLD
  • PMULHUW
  • VPMADD52LUQ
  • VPMULLQ
  • PMULHW
  • VPMADDUBSW
  • VPMULLW
  • PMULLD
  • VPMADDWD
  • VPMULUDQ
  • PMULLW
  • VPMULDQ

Intel® Software Guard Extensions (Intel® SGX)

Although instructions inside enclave mode will act as if data operand independent timing mode is set, they may still exhibit MCDT behavior.

If the intended operation of an Intel SGX enclave, for the lifetime of the enclave, is achievable with MXCSR=0x1FBF, then any loads of MXCSR (via LDMXCSR, XRSTOR, etc.) should be of 0x1FBF. There should also be an LFENCE between any load of MXCSR (even of 0x1FBF) and subsequent use of any affected instruction. 

If the enclave is compatible with MXCSR=0x1FBF and uses any of the affected instructions, then the beginning of each enclave ECALL should change MXCSR to 0x1FBF and then execute an LFENCE instruction. The Intel SGX SDK will be changed to do this.

The Intel-provided SGX architectural enclaves (AEs) fall into this compatible with MXCSR=0x1FBF category.

If the intended operation of an Intel SGX enclave is not achievable with MXCSR=0x1FBF, then the general sequence in the Software Mitigations section should be used instead.

"

Enumeration and Architectural MSRs

MCDT Enumeration

CPUID.(EAX=7H,ECX=2):EDX[5] enumerates MCDT_NO. Processors that enumerate this bit as 1  do not exhibit MCDT behavior and do not need to be mitigated. Note that Intel Atom and pre-Skylake Intel Core processors may not enumerate MCDT_NO but nevertheless do not exhibit MCDT behavior. Refer to the Processors That May Exhibit MCDT Behavior section and the Processors That Do Not Exhibit MCDT Behavior section for more infomation about these processors.

MCDT Enumeration Guidance for Cryptographic Software

CPUID leaf 7 subleaf 2 EDX bit 5 enumerates MCDT_NO. Processors that enumerate this bit as 1 do not exhibit MXCSR Configuration Dependent Timing behavior and do not need to mitigate it. Intel Atom and Intel Core processors based on microarchitectures prior to Skylake may not exhibit MCDT behavior despite not enumerating MCDT_NO. Refer to the Processors That Do Not Exhibit MCDT Behavior section for more information.

Cryptography developers who wish to apply MCDT mitigations should use the following steps to determine if MCDT mitigation should be applied:

The cryptography software should determine if MCDT_NO is enumerated as 1. If it is, then no mitigation needs to be applied.

If MCDT_NO is enumerated as 0, the cryptography software should determine if it is running in a virtualized environment by checking the value of CPUID leaf 1 ECX bit 31.

If CPUID leaf 1 ECX bit 31 is 0, then a hypervisor is not present, and the cryptography software should use CPUID family/model/stepping to determine if it is running on a processor documented as not exhibiting MCDT behavior. 

If CPUID leaf 1 ECX bit 31 is 1, then a hypervisor is present and the cryptography software may be running on a processor that does not exhibit MCDT behavior, regardless of the family/ model/stepping that is enumerated due to virtualization of CPUID.

VMM Guidance for Non-Migratable and Migratable VMs

For non-migratable VMs, VMM software should enumerate MCDT_NO  as 1 to a guest only if the host physical machine either enumerates MCDT_NO as 1 or a CPUID family/model/stepping that matches a processor documented to not exhibit MCDT behavior in the section Processors That Do Not Exhibit MCDT Behavior section.

For migratable VMs, VMM software should enumerate MCDT_NO as 1 only if every host physical machine that the VM may potentially migrate to either enumerates MCDT_NO as 1 or a CPUID family/model/stepping that matches a processor documented to not exhibit MCDT behavior in the Processors That Do Not Exhibit MCDT Behavior section.

"

Processors That May Exhibit MCDT Behavior

All Intel Core processors based on microarchitecture code named Skylake and later exhibit this behavior for at least one instruction from the list in the Example Instructions That May Exhibit MCDT Behavior section.

Table 1: Processors That May Exhibit MCDT Behavior
Processor Stepping (All unless otherwise noted) Code Name (s) / Microarchitecture (s) Product Family
06_4EH 3 1. Skylake Y
2. Skylake U
3. Skylake U23e
6th Generation Intel® Core™ Processor Family
06_55H 3, 4 1. Skylake Server
2. Skylake D, Bakerville
3. Skylake W
4. Skylake X
 
1. Intel® Xeon® Scalable processor family
2. Intel® Xeon® D processor family
3. Intel® Xeon® W processor family
4. Intel® Core™ X-series Processors
06_55H 6.7 1. Cascade Lake Server
2. Cascade Lake W
3. Cascade Lake X
1. 2nd Generation Intel® Xeon® Scalable processor family
2. Intel® Xeon® W processor family
3. Intel® Core™ X-series Processor
06_55H <=B Cooper Lake 3rd Generation Intel® Xeon® Scalable processor family
06_5EH 3 1. Skylake Xeon E3
2. Skylake H
3. Skylake S 

1. Intel® Xeon® E processor family
2, 3. 6th Generation Intel® Core™ Processor Family

06_6AH 4,5,6 Ice Lake Xeon-SP 3rd Gen Intel® Xeon® Scalable processor family
06_6CH 1 Ice Lake D Intel® Xeon® D Processor
06_7EH 5 Ice Lake U,Y 10th Generation Intel® Core™ Processor Family
06_8AH 1 Lakefield B-step  Intel® Core™ Processors with Intel® Hybrid Technology
06_8CH 1,2 Tiger Lake U
Tiger Lake U Refresh  
Tiger Lake H35
11th Generation Intel® Core™ Processor Family
06_8DH 1 Tiger Lake H   11th Generation Intel® Core™ Processor Family
Intel® Xeon® Processor Family
06_8EH 9 1. Amber Lake-Y 
2. Kaby Lake U
3. Kaby Lake U23e
4. Kaby Lake Y
1. 8th Generation Intel® Core™ Processor Family
2,3,4. 7th Generation Intel® Core™ Processor Family
06_8EH A Coffee Lake U43e
Kaby Lake Refresh U
8th Generation Intel® Core™ Processor Family
06_8EH B,C 1. Whiskey Lake U
2,3,4. Comet Lake U42
5. Amber Lake Y
1. 8th Generation Intel® Core™ Processors
2. 10th Generation Intel® Core™ Processor Family
3. Intel® Pentium® Gold Processor Series
4. Intel® Celeron® Processor 5000 Series
5. 10th Generation Intel® Core™ Processor Family
06_97H 2, 5 Alder Lake S 12th Generation Intel® Core™ Processor Family
06_9AH 3 1. Alder Lake H
2. Alder Lake P
1. 12th Generation Intel® Core™ Processor Family
2. 12th Generation Intel® Core™ Processor Family
06_9AH 4 Alder Lake U 12th Generation Intel® Core™ Processor Family
Intel® Pentium® Gold Processor Family
Intel® Celeron® Processor Family
06_9EH 9 1. Kaby Lake S
2. Kaby Lake H
3. Kaby Lake G
4. Kaby Lake X
5. Kaby Lake Xeon E3
1. 7th Generation Intel® Core™ Processor Family
2. 7th Generation Intel® Core™ Processor Family
3. 8th Generation Intel® Core™ Processor Family
Intel® Pentium® Processor Family
4. Intel® Core™ X-series Processors
5. Intel® Xeon® E processor family
06_9EH A, B, C, D     1.    Coffee Lake H
2.    Coffee Lake Xeon E
3. Coffee Lake S Xeon E
4. Coffee Lake S x/KBP
5. Coffee Lake S
1. 8th Generation Intel® Core™ Processor Family
2. Intel® Xeon® E processor family
3. Intel® Xeon® E processor family
4. 8th Generation Intel® Core™ Processor Family
5. 8th Generation Intel® Core™ Processor Family
06_A5H 2, 3, 5 1. Comet Lake H
2. Comet Lake-S
1, 2. 10th Generation Intel® Core™ Processor Family
1, 2. Intel® Xeon® W processor family
06_A6H <=1 Comet Lake U62 10th Generation Intel® Core™ Processor Family
Intel® Xeon® W processor family
06_A7H 1 Rocket Lake 11th Generation Intel® Core™ Processor Family
Intel® Xeon® E-2300 processor family
06_A8H 1 Rocket Lake Intel® Xeon® W-1300 Processor Family

 

  • Note that a limited number of future processors which are not on the above list of affected processors, may also exhibit MCDT behavior. They will not enumerate MCDT_NO. 
  • Processors that may exhibit MCDT behavior include those based on microarchitectures code named Skylake server, Cascade Lake, Cooper Lake, Ice Lake server, Skylake, Kaby Lake, Coffee Lake, Whiskey Lake, Comet Lake, Ice Lake client, Lakefield, Tiger Lake, Rocket Lake, and Alder Lake.
  • Processors that do not exhibit MCDT behavior include Intel Atom processors and Intel Core processors based on microarchitectures before Skylake.
"

Processors That Do Not Exhibit MCDT Behavior

Intel Core processors based on microarchitectures before Ice Lake and Intel Atom family processors based on microarchitectures before Gracemont do not exhibit MXCSR Dependent Timing behavior.

Table 4: Processors That Do Not Exhibit MCDT Behavior
Processor Stepping (All unless otherwise noted) Code Name (s) / Microarchitecture(s) Product Family
06_3FH 2 Haswell Server EP, EP4S Intel® Xeon® E processor family
06_3FH 4 Elkhart Lake (Tremont) Intel® Xeon® E processor family
06_4CH   Cherryview (Airmont) Intel® Atom® Processor X Series
06_4FH   Broadwell Server E, EP, EP4S, EX Intel® Xeon® E processor family
06_56H 3 Broadwell DE V2,V3 Intel® Xeon®  D processor family
06_56H 4 Broadwell DE Y0 Intel® Xeon®  D processor family
06_56H 5 Broadwell DE A1, Hewitt Lake (Broadwell DE) Intel® Xeon®  D processor family
06_5AH   Anniedale (Airmont) Intel® Atom® Processors
06_5CH 9 1. Apollo Lake (Goldmont - no SGX)
2. Apollo Lake
3. Apollo Lake
1. Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series
2. Intel® Celeron® Processor J Series,
Intel® Celeron® Processor N Series
3. Intel® Atom® Processor A Series
06_5CH A Apollo Lake Intel® Atom® Processor E3900 Series
06_5FH 1 Denverton (Goldmont) Intel® Atom® C processor family
06_65H   XMM7272  (Airmont) Intel® Atom® Processors
06_6EH   Cougar Mountain (Airmont)

Intel® Puma™ 7 Family 
Intel® Atom® Processors

06_75H   Butter (Airmont)  Intel® Atom® Processors
06_7AH 1 Gemini Lake

Intel® Pentium® Processor Silver Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series

06_7AH 8 Gemini Lake

Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series

06_86H 4 Snowridge (Tremont) Intel® Atom® Processors
06_86H 5 (B step) Snowridge (Tremont) Intel® Xeon® D processor family
06_86H 7 (C step) Snowridge (Tremont) Intel® Xeon® D processor family
06_8AH 1 Lakefield B-step (Tremont) Intel® Core™ Processors with Intel® Hybrid Technology
06_8AH 1 Lakefield B-step (Sunnycove) Intel® Core™ Processors with Intel® Hybrid Technology
06_96H 1 Elkhart Lake (Tremont) Intel® Atom® Processors
06_9CH 0 Jasper Lake (Tremont) Intel® Atom® Processors
 
"