From: Bryan Steele
Subject: Re: mitigate AMD Zen-2 op cache corruption
To: tech@openbsd.org
Date: Wed, 13 May 2026 05:46:13 -0400

On Wed, May 13, 2026 at 11:25:37AM +1000, Jonathan Gray wrote:
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
>
> "Improper isolation of shared resources within the CPU operation cache
> on Zen 2-based products could allow an attacker to corrupt instructions
> executed at a different privilege level, potentially resulting in
> privilege escalation."
>
> fails to mention the related chicken bit which can be seen in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c21b90f77687075115d989e53a8ec5e2bb427ab1
>
> tested on Renoir:
> cpu0: AMD Ryzen 5 PRO 4650U with Radeon Graphics, 2100.00 MHz, 17-60-01

I don't have a Zen 2 to test on, but this seems sensible.

Interesting that Linux names this "MSR_ZEN4_BP_CFG" and groups it in with a bunch of Zen4 stuff, lol.

ok brynet@

> Index: sys/arch/amd64/include/specialreg.h > =================================================================== > RCS file: /cvs/src/sys/arch/amd64/include/specialreg.h,v > diff -u -p -r1.122 specialreg.h > --- sys/arch/amd64/include/specialreg.h 19 Apr 2026 01:10:28 -0000 1.122 > +++ sys/arch/amd64/include/specialreg.h 13 May 2026 00:37:08 -0000 > @@ -710,6 +710,9 @@ > #define DE_CFG_SERIALIZE_LFENCE (1 << 1) /* Enable serializing lfence */ > #define DE_CFG_SERIALIZE_9 (1 << 9) /* Zenbleed chickenbit */ > > +#define MSR_BP_CFG 0xc001102e > +#define BP_CFG_33 (1ULL << 33) /* op cache chickenbit, AMD-SB-7052 */ > + > #define IPM_C1E_CMP_HLT 0x10000000 > #define IPM_SMI_CMP_HLT 0x08000000 > > Index: sys/arch/amd64/amd64/cpu.c > =================================================================== > RCS file: /cvs/src/sys/arch/amd64/amd64/cpu.c,v > diff -u -p -r1.205 cpu.c > --- sys/arch/amd64/amd64/cpu.c 19 Apr 2026 01:10:28 -0000 1.205 > +++ sys/arch/amd64/amd64/cpu.c 13 May 2026 00:43:19 -0000 
> @@ -1292,12 +1292,18 @@ cpu_fix_msrs(struct cpu_info *ci) > if (msr != nmsr) > wrmsr(MSR_DE_CFG, nmsr); > } > + /* Zen 2 mitigations: Zenbleed, op cache corruption */ > if (family == 0x17 && ci->ci_model >= 0x31 && > (cpu_ecxfeature & CPUIDECX_HV) == 0) { > nmsr = msr = rdmsr(MSR_DE_CFG); > nmsr |= DE_CFG_SERIALIZE_9; > if (msr != nmsr) > wrmsr(MSR_DE_CFG, nmsr); > + > + nmsr = msr = rdmsr(MSR_BP_CFG); > + nmsr |= BP_CFG_33; > + if (msr != nmsr) > + wrmsr(MSR_BP_CFG, nmsr); > } > /* > * Mitigation for Floating Point Divider State Sampling > Index: sys/arch/i386/include/specialreg.h > =================================================================== > RCS file: /cvs/src/sys/arch/i386/include/specialreg.h,v > diff -u -p -r1.86 specialreg.h > --- sys/arch/i386/include/specialreg.h 19 Apr 2026 01:10:28 -0000 1.86 > +++ sys/arch/i386/include/specialreg.h 13 May 2026 00:44:59 -0000 > @@ -535,6 +535,9 @@ > #define DE_CFG_SERIALIZE_LFENCE (1 << 1) /* Enable serializing lfence */ > #define DE_CFG_SERIALIZE_9 (1 << 9) /* Zenbleed chickenbit */ > > +#define MSR_BP_CFG 0xc001102e > +#define BP_CFG_33 (1ULL << 33) /* op cache chickenbit, AMD-SB-7052 */ > + > #define IPM_C1E_CMP_HLT 0x10000000 > #define IPM_SMI_CMP_HLT 0x08000000 > > Index: sys/arch/i386/i386/machdep.c > =================================================================== > RCS file: /cvs/src/sys/arch/i386/i386/machdep.c,v > diff -u -p -r1.679 machdep.c > --- sys/arch/i386/i386/machdep.c 19 Apr 2026 01:10:28 -0000 1.679 > +++ sys/arch/i386/i386/machdep.c 13 May 2026 00:46:16 -0000 
> @@ -2019,12 +2019,18 @@ identifycpu(struct cpu_info *ci) > if (msr != nmsr) > wrmsr(MSR_DE_CFG, nmsr); > } > + /* Zen 2 mitigations: Zenbleed, op cache corruption */ > if (ci->ci_family == 0x17 && ci->ci_model >= 0x31 && > (cpu_ecxfeature & CPUIDECX_HV) == 0) { > nmsr = msr = rdmsr(MSR_DE_CFG); > nmsr |= DE_CFG_SERIALIZE_9; > if (msr != nmsr) > wrmsr(MSR_DE_CFG, nmsr); > + > + nmsr = msr = rdmsr(MSR_BP_CFG); > + nmsr |= BP_CFG_33; > + if (msr != nmsr) > + wrmsr(MSR_BP_CFG, nmsr); > } > /* > * Mitigation for Floating Point Divider State Sampling > >
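Review bot: In the amd64 cpu.c hunk for cpu_fix_msrs(), the new MSR_BP_CFG write sits inside the existing Zenbleed gate (`family == 0x17 && ci->ci_model >= 0x31`), so the op cache bit is applied to exactly the model range chosen for DE_CFG_SERIALIZE_9, with no upper bound on the model. Nothing in the patch shows that the AMD-SB-7052 affected list matches that range; please confirm it against the bulletin and say so in the block comment, or split the two mitigations into separate conditions if the ranges differ. The write is also skipped when CPUIDECX_HV is set, so a guest depends on the host having set the bit; one sentence in the comment noting that would help the next reader.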
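Review bot: In the i386 machdep.c hunk for identifycpu(), `nmsr |= BP_CFG_33` sets bit 33, while the DE_CFG bits already handled in this block (1 and 9) fit in 32 bits, so this is the first write here that depends on msr and nmsr being 64-bit. Their declarations are outside the visible context; please confirm both are uint64_t, because with a narrower type the bit would be truncated away, `msr != nmsr` would stay false, and the wrmsr would silently never happen. The same check is worth making for cpu_fix_msrs() in the amd64 hunk.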