Linux 6.18 Lands Intel FRED Update For Late Incompatible Change To Spec
([Intel] 2 Hours Ago
Intel FRED + Linux 6.18)
- Reference: 0001582697
- News link: https://www.phoronix.com/news/Linux-6.18-Intel-FRED
- Source link:
While [1]Intel FRED was merged back in Linux 6.9 in advance of Intel processors shipping with this [2]Flexible Return Event Delivery functionality, there ended up being [3]a late, incompatible change to the specification as a result of security research into it. For Linux 6.18 those FRED changes have been merged,
Updating to the latest Intel FRED specification handling will prevent early pre-production Intel hardware from booting Linux 6.18+ unless either FRED or CET kernel support is disabled. Arizona State University researchers uncovered an issue in advance of Intel CPUs shipping with FRED that led Intel to removing the need for ENDBR64 instructions from FRED entry points to prevent attackers from abusing kernel entry points.
"A pair of x86/entry updates.
The FRED one adjusts the kernel to the latest spec. The spec change prevents attackers from abusing kernel entry points.
The second one came about because of the LASS work. It moves the vsyscall emulation code away from depending on X86_PF_INSTR which is not available on some CPUs. Those CPUs are pretty obscure these days, but this still seems like the right thing to do. It also makes this code consistent with some things that the LASS code is going to do."
The FRED update was merged today to Linux 6.18 GIt as part of the [4]x86 entry updates along with another patch for not requiring X86_PF_INSTR to emulate vsyscall, which came up during Linear Address Space Separation research.
[1] https://www.phoronix.com/news/Intel-FRED-Merged-Linux-6.9
[2] https://www.phoronix.com/search/Flexible+Return+Event+Delivery
[3] https://www.phoronix.com/news/Intel-FRED-Incompatible-ENDBR64
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c738cb4ca678e70c4583ab35587f30bfae823e5
Updating to the latest Intel FRED specification handling will prevent early pre-production Intel hardware from booting Linux 6.18+ unless either FRED or CET kernel support is disabled. Arizona State University researchers uncovered an issue in advance of Intel CPUs shipping with FRED that led Intel to removing the need for ENDBR64 instructions from FRED entry points to prevent attackers from abusing kernel entry points.
"A pair of x86/entry updates.
The FRED one adjusts the kernel to the latest spec. The spec change prevents attackers from abusing kernel entry points.
The second one came about because of the LASS work. It moves the vsyscall emulation code away from depending on X86_PF_INSTR which is not available on some CPUs. Those CPUs are pretty obscure these days, but this still seems like the right thing to do. It also makes this code consistent with some things that the LASS code is going to do."
The FRED update was merged today to Linux 6.18 GIt as part of the [4]x86 entry updates along with another patch for not requiring X86_PF_INSTR to emulate vsyscall, which came up during Linear Address Space Separation research.
[1] https://www.phoronix.com/news/Intel-FRED-Merged-Linux-6.9
[2] https://www.phoronix.com/search/Flexible+Return+Event+Delivery
[3] https://www.phoronix.com/news/Intel-FRED-Incompatible-ENDBR64
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c738cb4ca678e70c4583ab35587f30bfae823e5