Hector Martin

Found the DMP disable chicken bit. It's HID11_EL1<30> (at least on M2).

So yeah, as I predicted, GoFetch is entirely patchable. I'll write up a patch for Linux to hook it up as a CPU security bug workaround.

(HID4_EL1<4> also works, but we have a name for that and it looks like a big hammer: HID4_FORCE_CPU_OLDEST_IN_ORDER)

Code here: github.com/AsahiLinux/m1n1/blo (Thanks to @dkohlbre for the userspace C version this is based off of!)

One interesting finding is that the DMP is already disabled in EL2 (and presumably EL1), it only works in EL0. So it looks like the CPU designers already had some idea that it is a security liability, and chose to hard-disable it in kernel mode. This means kernel-mode crypto on Linux is already intrinsically safe.

Krutonium

@marcan @dkohlbre Random Curiosity, why is it called a Chicken bit?

Graham Sutherland / Polynomial

@krutonium @marcan @dkohlbre it lets you "chicken out" of certain circuits when you're designing an ASIC, so if something misbehaves it doesn't wreck the whole chip and require an extremely expensive respin.

slab

@gsuberland @krutonium @marcan @dkohlbre That's not the only name for the concept; my previous employer used "CYA bits" for things like that.

Hector Martin

@slab @gsuberland @krutonium @dkohlbre Apple themselves call them "tunables" it seems (though that's a more general term used for hardware config type stuff), and HID itself is a term from the PowerPC era (Hardware Implementation Dependent).

But we call them chicken bits because it's more fun.

Krutonium

@marcan @slab @gsuberland @dkohlbre I can appreciate that, chicken is definitely more fun.

Now with that said, why am I not getting *any* notifications all of a sudden...

David Kohlbrenner

@marcan Fantastic. We'll make sure the gofetch page gets updated and points here.
We will also need to test on the M1 since that's where the majority of our RE work is solid and we've tested. (Our original discussions with Apple only covered the M1, so I'm very curious if there is a difference.)

Also interesting that you see it disabled in kernel mode. That would confirm my suspicions about why they don't set DIT in anything but EL0 in CoreCrypto (github.com/apple-oss-distribut and so on).

(And credit for the userspace PoCs belongs to the phd students actually doing all the work!)


David Kohlbrenner

@marcan If anyone has the infrastructure, I'm curious if this reaches back to the A14. (We know the A14 has the DMP from the prefetchers.info project, but I don't have the testing infrastructure to check for chicken bits on it!)

Christian Horn

@marcan I hope it gets implemented so mitigations=off can disable it; this will allow performance/energy consumption comparisons.

meta

@marcan @dkohlbre I would've thought that poking all the HID bits is a good way to make a brick!

Hector Martin

@eigenform @dkohlbre These are all volatile, you'd be hard pressed to find a register that actually causes physical damage.

In fact, none of the HID bits even crashed the CPU! (Though I'm running very limited test code on the target CPU here, I'm sure some bits broke all kinds of things in interesting ways, just nothing that affected me.)

Glyph

@marcan @dkohlbre @filippo does this reach back to M1 as well? I know M3 already had something even when GoFetch was first announced.

Hector Martin

@glyph @dkohlbre @filippo It should, I just don't have an M1 box with me to test right now.

M3 is not bugged, it correctly honors the DIT bit to disable the DMP (which is the architecturally correct behavior).
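An added example, not code from the thread, m1n1 or CoreCrypto: how a user-space crypto routine can switch on PSTATE.DIT around a sensitive loop, the mechanism @dkohlbre mentions CoreCrypto using at EL0 and that Hector says only M3 honors to switch off the DMP (on M1/M2 the kernel-side HID11 chicken bit is still needed, since DIT alone does not stop the prefetcher there). Helper names are mine; the DIT register encoding (S3_3_C4_C2_5, bit 24) and the Linux HWCAP_DIT flag are the standard ARMv8.4/Linux ones, and on a non-aarch64 build the DIT helpers report "unsupported" and leave PSTATE alone.

```c
#include <stddef.h>
#include <stdint.h>
#if defined(__aarch64__) && defined(__linux__)
#include <sys/auxv.h>
#include <asm/hwcap.h>
#endif

/* PSTATE.DIT is bit 24 of the DIT system register (encoding S3_3_C4_C2_5),
 * which EL0 may read and write on ARMv8.4+ cores. */
#define DIT_BIT (1ULL << 24)

/* 1 if the kernel advertises DIT to userspace, 0 if not,
 * -1 when this is not an aarch64 Linux build. */
int dit_supported(void) {
#if defined(__aarch64__) && defined(__linux__)
    return (getauxval(AT_HWCAP) & HWCAP_DIT) ? 1 : 0;
#else
    return -1;
#endif
}

/* Current DIT register value (always 0 on a non-aarch64 build). */
uint64_t dit_read(void) {
#if defined(__aarch64__)
    uint64_t v;
    __asm__ volatile("mrs %0, s3_3_c4_c2_5" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

/* Write DIT and return the previous value so the caller can restore it. */
uint64_t dit_set(uint64_t v) {
    uint64_t old = dit_read();
#if defined(__aarch64__)
    __asm__ volatile("msr s3_3_c4_c2_5, %0" : : "r"(v) : "memory");
#else
    (void)v;
#endif
    return old;
}

/* Constant-time equality of two n-byte buffers, with DIT requested for the
 * duration of the loop and the caller's PSTATE.DIT restored afterwards. */
int ct_equal_with_dit(const uint8_t *a, const uint8_t *b, size_t n) {
    int use_dit = dit_supported() == 1;   /* never touch DIT on cores without it */
    uint64_t saved = use_dit ? dit_set(DIT_BIT) : 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    if (use_dit) dit_set(saved);
    return diff == 0;
}
```

Check `dit_supported()` once at library init rather than per call in real code; the per-call check here keeps the example self-contained.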

Glyph

@marcan @dkohlbre @filippo thank you! Looking forward to someone confirming, but your intuition counts for quite a lot :-). Glad to hear it’s patchable and gosh I hope some of the publications that ran “unpatchable” headlines issue corrections.
