
From:
Bryan Steele <brynet@gmail.com>
Subject:
Re: mitigate AMD Zen-2 op cache corruption
To:
tech@openbsd.org
Date:
Wed, 13 May 2026 05:46:13 -0400


On Wed, May 13, 2026 at 11:25:37AM +1000, Jonathan Gray wrote:
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
> 
> "Improper isolation of shared resources within the CPU operation cache
> on Zen 2-based products could allow an attacker to corrupt instructions
> executed at a different privilege level, potentially resulting in
> privilege escalation."
> 
> fails to mention the related chicken bit which can be seen in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c21b90f77687075115d989e53a8ec5e2bb427ab1
> 
> tested on Renoir:
> cpu0: AMD Ryzen 5 PRO 4650U with Radeon Graphics, 2100.00 MHz, 17-60-01

I don't have a Zen 2 to test on, but this seems sensible.

Interesting that Linux names this "MSR_ZEN4_BP_CFG" and groups it in
with a bunch of Zen 4 stuff, lol.

ok brynet@

> Index: sys/arch/amd64/include/specialreg.h
> ===================================================================
> RCS file: /cvs/src/sys/arch/amd64/include/specialreg.h,v
> diff -u -p -r1.122 specialreg.h
> --- sys/arch/amd64/include/specialreg.h	19 Apr 2026 01:10:28 -0000	1.122
> +++ sys/arch/amd64/include/specialreg.h	13 May 2026 00:37:08 -0000
> @@ -710,6 +710,9 @@
>  #define DE_CFG_SERIALIZE_LFENCE	(1 << 1)	/* Enable serializing lfence */
>  #define DE_CFG_SERIALIZE_9 (1 << 9)	/* Zenbleed chickenbit */
>  
> +#define MSR_BP_CFG	0xc001102e
> +#define BP_CFG_33	(1ULL << 33)	/* op cache chickenbit, AMD-SB-7052 */
> +
>  #define IPM_C1E_CMP_HLT	0x10000000
>  #define IPM_SMI_CMP_HLT	0x08000000
>  
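Review bot: The new `MSR_BP_CFG`/`BP_CFG_33` definitions give a future reader no way to find where the numbers come from: the thread itself says the bulletin omits the chicken bit and that Linux files the same register under a Zen 4 name, so grepping AMD documentation for "BP_CFG bit 33" will come up empty. I would widen the comments to record that provenance, e.g. `#define MSR_BP_CFG	0xc001102e	/* MSR_ZEN4_BP_CFG in Linux; set on Zen 2 here */` and `#define BP_CFG_33	(1ULL << 33)	/* op cache chickenbit, AMD-SB-7052 (not in bulletin; from Linux c21b90f7) */`. Naming the bit by its number, as `DE_CFG_SERIALIZE_9` already does, is consistent with the file and fine.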
> Index: sys/arch/amd64/amd64/cpu.c
> ===================================================================
> RCS file: /cvs/src/sys/arch/amd64/amd64/cpu.c,v
> diff -u -p -r1.205 cpu.c
> --- sys/arch/amd64/amd64/cpu.c	19 Apr 2026 01:10:28 -0000	1.205
> +++ sys/arch/amd64/amd64/cpu.c	13 May 2026 00:43:19 -0000
> @@ -1292,12 +1292,18 @@ cpu_fix_msrs(struct cpu_info *ci)
>  			if (msr != nmsr)
>  				wrmsr(MSR_DE_CFG, nmsr);
>  		}
> +		/* Zen 2 mitigations: Zenbleed, op cache corruption */
>  		if (family == 0x17 && ci->ci_model >= 0x31 &&
>  		    (cpu_ecxfeature & CPUIDECX_HV) == 0) {
>  			nmsr = msr = rdmsr(MSR_DE_CFG);
>  			nmsr |= DE_CFG_SERIALIZE_9;
>  			if (msr != nmsr)
>  				wrmsr(MSR_DE_CFG, nmsr);
> +
> +			nmsr = msr = rdmsr(MSR_BP_CFG);
> +			nmsr |= BP_CFG_33;
> +			if (msr != nmsr)
> +				wrmsr(MSR_BP_CFG, nmsr);
>  		}
>  		/*
>  		 * Mitigation for Floating Point Divider State Sampling
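Review bot: The new rdmsr/wrmsr of MSR_BP_CFG is reached on every non-virtualized family 0x17 model >= 0x31 part with no fallback if the MSR is absent or the bit is locked, so a #GP there would be fatal rather than skipped; that matches the trust already placed in MSR_DE_CFG two lines above, but it is worth stating in the comment that bit 33 is undocumented and taken from the Linux change, e.g. `/* BP_CFG bit 33 is not in AMD-SB-7052; mirrors the Linux fix */`. The read-back guard only avoids a redundant write, so it does not tell you whether the mitigation is actually in effect; a practitioner will want to confirm, outside this hunk, that cpu_fix_msrs runs on every core and again after resume, since I would not expect a chicken bit in a config MSR to survive suspend. The `>= 0x31` bound is inherited from the Zenbleed check; if any Zen 2 parts report model 0x30 they are excluded here too, which may be intentional but is not explained. cpu_fix_msrs starts and ends outside this hunk.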
> Index: sys/arch/i386/include/specialreg.h
> ===================================================================
> RCS file: /cvs/src/sys/arch/i386/include/specialreg.h,v
> diff -u -p -r1.86 specialreg.h
> --- sys/arch/i386/include/specialreg.h	19 Apr 2026 01:10:28 -0000	1.86
> +++ sys/arch/i386/include/specialreg.h	13 May 2026 00:44:59 -0000
> @@ -535,6 +535,9 @@
>  #define	DE_CFG_SERIALIZE_LFENCE	(1 << 1)	/* Enable serializing lfence */
>  #define DE_CFG_SERIALIZE_9 (1 << 9)		/* Zenbleed chickenbit */
>  
> +#define MSR_BP_CFG	0xc001102e
> +#define BP_CFG_33	(1ULL << 33)	/* op cache chickenbit, AMD-SB-7052 */
> +
>  #define IPM_C1E_CMP_HLT	0x10000000
>  #define IPM_SMI_CMP_HLT	0x08000000
>  
> Index: sys/arch/i386/i386/machdep.c
> ===================================================================
> RCS file: /cvs/src/sys/arch/i386/i386/machdep.c,v
> diff -u -p -r1.679 machdep.c
> --- sys/arch/i386/i386/machdep.c	19 Apr 2026 01:10:28 -0000	1.679
> +++ sys/arch/i386/i386/machdep.c	13 May 2026 00:46:16 -0000
> @@ -2019,12 +2019,18 @@ identifycpu(struct cpu_info *ci)
>  			if (msr != nmsr)
>  				wrmsr(MSR_DE_CFG, nmsr);
>  		}
> +		/* Zen 2 mitigations: Zenbleed, op cache corruption */
>  		if (ci->ci_family == 0x17 && ci->ci_model >= 0x31 &&
>  		    (cpu_ecxfeature & CPUIDECX_HV) == 0) {
>  			nmsr = msr = rdmsr(MSR_DE_CFG);
>  			nmsr |= DE_CFG_SERIALIZE_9;
>  			if (msr != nmsr)
>  				wrmsr(MSR_DE_CFG, nmsr);
> +
> +			nmsr = msr = rdmsr(MSR_BP_CFG);
> +			nmsr |= BP_CFG_33;
> +			if (msr != nmsr)
> +				wrmsr(MSR_BP_CFG, nmsr);
>  		}
>  		/*
>  		 * Mitigation for Floating Point Divider State Sampling
> 
>