AMD published a security whitepaper looking at the potential security implications of the Predictive Store Forwarding (PSF) feature, which is new to Zen 3 series processors. Although PSF can speculate incorrectly, AMD recommends leaving the Predictive Store Forwarding feature enabled as the default setting.
Incorrect PSF predictions
AMD Zen 3 processors feature a new technology called Predictive Store Forwarding (PSF). PSF is a hardware-based micro-architectural optimization designed to improve the performance of code execution by predicting dependencies between loads and stores.
“Like technologies such as branch prediction, with PSF the processor ‘guesses’ what the result of a load is likely to be, and speculatively executes subsequent instructions. If the processor incorrectly speculated on the result of the load, it is designed to detect this and flush the incorrect results from the CPU pipeline,” says AMD’s security whitepaper.
What is Predictive Store Forwarding?
PSF expands on this by speculating on the relationship between loads and stores without waiting for the address calculation to complete. With PSF, the CPU learns the relationship between loads and stores over time. Incorrect PSF predictions can occur if the address of either the store or the load changes during the execution of the program. The second cause of incorrect PSF predictions is an alias in the PSF predictor structure.
When CPUs speculate on non-architectural paths, it can create the potential for side-channel attacks, according to AMD's previous research. “If an attacker is able to run code within a target application, they may be able to influence speculation on other loads within the same application by purposely training the PSF predictor with malicious information,” says AMD’s security whitepaper.
AMD has recently proposed Linux patches that enable control of the PSFD bit in MSR 48h. These patches implement the following behavior:
| Kernel Command Line Parameter | Behavior |
|---|---|
| mitigations | If ‘off’, PSFD is set to 0. If ‘auto’, PSFD is also set to 0 (same as SSBD). |
| nopsfd | Sets PSFD to 0. |
| psfd | If ‘on’, PSFD is set to 1. If ‘off’, PSFD is set to 0. |
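
The following audit helper is an added example, not code from AMD's patches or whitepaper: it derives the PSFD value the table above implies for a given kernel command line and compares it with the PSFD bit decoded from an MSR 48h reading. Assumptions not stated on this page: PSFD is bit 7 of MSR 48h (per AMD's documentation), PSF-specific parameters override `mitigations=`, and the last PSF-specific parameter wins; the function names are hypothetical.

```python
"""Compare the PSFD value implied by a kernel command line with MSR 48h."""
import os

SPEC_CTRL_MSR = 0x48  # MSR 48h, as named in the text above
PSFD_BIT = 7          # assumption: bit position from AMD's documentation

def expected_psfd(cmdline):
    """Return 0 or 1 per the parameter table, or None if no listed parameter applies."""
    generic = explicit = None
    for token in cmdline.split():
        key, _, val = token.partition("=")
        if key == "mitigations" and val in ("off", "auto"):
            generic = 0
        elif key == "nopsfd" and not val:
            explicit = 0
        elif key == "psfd" and val in ("on", "off"):
            explicit = 1 if val == "on" else 0
    # Assumption: psfd=/nopsfd override mitigations=, and the last one seen wins.
    return explicit if explicit is not None else generic

def psfd_from_msr(value):
    """Extract the PSFD bit from a raw 64-bit MSR 48h value."""
    return (value >> PSFD_BIT) & 1

def read_spec_ctrl(cpu=0):
    """Read MSR 48h through the Linux msr driver (root and `modprobe msr` required)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, SPEC_CTRL_MSR), "little")
    finally:
        os.close(fd)

def audit(cmdline, msr_value):
    """Describe whether the live PSFD bit matches what the command line implies."""
    want, have = expected_psfd(cmdline), psfd_from_msr(msr_value)
    if want is None:
        return f"PSFD={have}, no expectation from command line"
    if want == have:
        return f"PSFD={have}, matches"
    return f"PSFD={have}, MISMATCH (expected {want})"

if __name__ == "__main__":
    # Constructed sample inputs so the script runs offline; on a real host use
    # open("/proc/cmdline").read() and read_spec_ctrl(cpu) for each CPU instead.
    samples = [("ro quiet psfd=on", 0x80), ("ro mitigations=auto", 0x84), ("ro nopsfd", 0x00)]
    for cmdline, msr in samples:
        print(f"{cmdline!r}: {audit(cmdline, msr)}")
```

The MSR is per logical CPU, so on a live system the check should be repeated for every entry under `/dev/cpu/`.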