OpenBSD Journal

Theo de Raadt on Zenbleed

Contributed by Cabal on from the syspatch Zen dept.

The buzzword bug of the week is Zenbleed, which affects various AMD processors and is explained in more detail here.

On OpenBSD, the latest -current snapshots already have the fixes, and errata patches will go out for the supported releases (7.2 and 7.3) shortly.

In a post to the tech@ list, Theo de Raadt described the situation:

List:       openbsd-tech
Subject:    Zenbleed
From:       "Theo de Raadt" <deraadt () openbsd ! org>
Date:       2023-07-24 16:11:45

Zenbleed errata for 7.2 and 7.3 will come out soon.

sysupgrade of the -current snapshot already contains a fix.

I wanted to share some notes on impact:

OpenBSD does not use the AVX instructions to the same extent that Linux
and Microsoft do, so this is not as important.

On Linux, glibc has AVX-based optimizations for simple functions (string
and memory copies) which will store secrets into the register file which
can be extracted trivially, so the impact on glibc-based systems is
HUGE.

While working on our fixes, I ran the test programs for quite a while
and I never saw anything resembling a 'text' string.  However when I ran
a browser I saw streams of what was probably graphics-related fragments
flowing past.  The base system clearly uses AVX very rarely by itself.

In summary: in OpenBSD, this isn't a big deal today.  However, attacks
built upon primitives always get better over time, so I urge everyone to
install these workarounds as soon as our errata ship.

--

ps. If you use syspatch for these new errata, you must install the
bootblocks yourself!  syspatch cannot install them for you.  So you must
run this yourself, before the last reboot:

       installboot -v sd0
or
       installboot -v wd0

Our cpu firmware update mechanism uses the bootblocks to load the firmware
from disk and provides it to the kernel, so if you don't have new bootblocks
you won't be protected.

You read this right: upgrade to the latest snapshot if you are on the -current track; otherwise watch for the errata announcement and run syspatch as soon as the patches are released.

And do remember to include the installboot step to get the patched bootblocks.
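The two-step procedure above (syspatch, then installboot on the root disk before the final reboot) is easy to get wrong when guessing between sd0 and wd0. The following script is an added example, not code from the article, from Theo's post or from OpenBSD: it derives the root disk from `df -P /` instead of assuming a name, then runs the two commands in the order the post requires. The function names, the `apply` argument and the sample df line are my own; `df -P`, `syspatch` and `installboot -v` are the real utilities.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenBSD: apply the errata
# with syspatch(8), then reinstall the bootblocks on the root disk so the
# updated CPU firmware is picked up at the next boot. The root disk is
# derived from df(1) instead of assuming sd0 or wd0.
set -eu

# Take one df(1) line for the root filesystem, e.g. (constructed sample)
#   "/dev/sd0a 1030086 538234 440348 55% /"
# and return the disk name ("sd0"): drop "/dev/" and the partition letter.
root_disk_from_df() {
    dev=$(printf '%s\n' "$1" | awk '{print $1}')
    dev=${dev#/dev/}
    case "$dev" in
        *[a-p]) printf '%s\n' "${dev%?}" ;;
        *) echo "unexpected root device: $dev" >&2; return 1 ;;
    esac
}

# Root disk of the running system. A softraid root reports the volume
# device (for example sd1), which is also what installboot(8) expects.
root_disk() {
    root_disk_from_df "$(df -P / | tail -n 1)"
}

# The procedure from the post: patch, then installboot, then reboot.
apply_errata() {
    disk=$(root_disk)
    echo "root disk: $disk"
    syspatch
    installboot -v "$disk"      # must run before the final reboot
    echo "bootblocks reinstalled on $disk; reboot to load the new firmware"
}

# Only act when run on OpenBSD with an explicit "apply" argument, so the
# helpers can be sourced or tested elsewhere without touching the system.
if [ "$(uname -s)" = OpenBSD ] && [ "${1:-}" = apply ]; then
    apply_errata
fi
```

Run it as root with `sh zenbleed-errata.sh apply` (hypothetical file name) after the errata are announced; the `apply` guard keeps a stray invocation from patching and rewriting bootblocks by accident, and the df-based lookup means the same script works on SATA, NVMe-via-sd and softraid roots.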
