SUSE Support

Security Vulnerability: Branch History Injection aka Inspectre Gadget aka CVE-2024-2201

This document (000021421) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products please review the SUSE CVE announcement.

Situation

Security researchers from VU Amsterdam have identified a new class of transient execution attacks that can leak information out of privileged OS parts, like the Linux kernel. The attack is a variant of and improvement to the Spectre V2 attack.

The mitigation for the Linux kernel happens at the user / kernel boundary and it can use either hardware or software mitigations.

Note that software mitigations will reduce performance depending on how many system calls are done by userland.

Resolution

SUSE will provide kernel updates to mitigate this issue. Some CPU Microcode updates are also required for the hardware mitigation. Please refer to the Intel documentation for the exact levels. SUSE will provide the latest Intel CPU Microcode releases when they become available.

The kernel mitigation can be configured with a kernel command line option.

* spectre_bhi=off

    Unconditionally disable the mitigation.

* spectre_bhi=on

    Unconditionally enable the mitigation.

    If there is no hardware mitigation, the software mitigation will be enabled.

* spectre_bhi=auto

    Enable the mitigation when the CPU supports the hardware mitigation
    and if not, enable the software implementation for use in KVM hosts.

This option is also set from the "mitigations" global option.


Reporting

The mitigation status for BHI will be reported in the

    /sys/devices/system/cpu/vulnerabilities/spectre_v2

sysfs file, in the same way as the other Spectre V2 mitigations: it is appended at the end of the current string
with a comma (",") as delimiter.

The following entries are possible:

 * BHI: Not affected
   System is not affected by BHI.

 * BHI: IBRS
   System is protected by the IBRS hardware mitigation.

 * BHI: Retpoline
   System is protected by the retpoline mitigation.

 * BHI: BHI_DIS_S
   System is protected by the BHI_DIS_S mitigation.

 * BHI: SW loop
   System is protected by the software clearing sequence.

 * BHI: Vulnerable
   System is vulnerable to BHI attacks.

   Note that if there is no reference to BHI in the sysfs file at all, the system is also vulnerable.

 * BHI: Vulnerable; KVM: SW loop
   System is vulnerable to BHI attacks from userspace; KVM is protected by software clearing sequence
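
The following check is an added example, not part of the original SUSE document: it reads the sysfs file named above, extracts the BHI entry and maps the entries listed above to a single result, together with any spectre_bhi= or mitigations= options on the kernel command line. The function names, result labels and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SUSE's code. Function names, result labels and exit
# codes are this example's own choices.
SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# bhi_field LINE: print what follows "BHI: " (the BHI entry is appended at the
# end of the string), or nothing when the line carries no BHI entry.
bhi_field() {
    case "$1" in
        *"BHI: "*) printf '%s\n' "${1##*BHI: }" ;;
    esac
}

# bhi_classify LINE: map the entries listed above to one label.
bhi_classify() {
    state=$(bhi_field "$1")
    case "$state" in
        "Not affected"*)                        echo not-affected ;;
        Vulnerable*"KVM: SW loop"*)             echo kvm-only ;;
        IBRS*|Retpoline*|BHI_DIS_S*|"SW loop"*) echo mitigated ;;
        *) echo vulnerable ;;  # "Vulnerable", or no BHI entry at all
    esac
}

# bhi_cmdline_opts CMDLINE: print the spectre_bhi= and mitigations= words.
bhi_cmdline_opts() {
    found=
    for word in $1; do
        case "$word" in
            spectre_bhi=*|mitigations=*) found="${found:+$found }$word" ;;
        esac
    done
    printf '%s\n' "$found"
}

# bhi_report: check the running host. Returns 0 when BHI is not-affected or
# mitigated, 1 when vulnerable or kvm-only, 2 when the sysfs file is missing.
bhi_report() {
    [ -r "$SPECTRE_V2_FILE" ] || { echo "cannot read $SPECTRE_V2_FILE" >&2; return 2; }
    line=$(cat "$SPECTRE_V2_FILE")
    result=$(bhi_classify "$line")
    echo "spectre_v2: $line"
    echo "BHI: $result; boot options: $(bhi_cmdline_opts "$(cat /proc/cmdline)")"
    case "$result" in not-affected|mitigated) return 0 ;; *) return 1 ;; esac
}

# Run the host check only when asked, e.g.: sh bhi-check.sh --report
if [ "${1:-}" = "--report" ]; then bhi_report; fi
```

The return status of bhi_report makes the check usable from configuration management or monitoring to flag hosts that still need the kernel or microcode update.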
 

Status

Security Alert

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021421
  • Creation Date: 10-Apr-2024
  • Modified Date: 10-Apr-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Linux Enterprise Micro
