From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Gregory Price <gourry@gourry.net>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, tglx@linutronix.de,
mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com,
hpa@zytor.com, peterz@infradead.org, mario.limonciello@amd.com,
riel@surriel.com, yazen.ghannam@amd.com, me@mixaill.net,
kai.huang@intel.com, sandipan.das@amd.com, darwi@linutronix.de,
stable@kernel.org, linux-crypto@vger.kernel.org, tytso@mit.edu
Subject: Re: [PATCH] x86/amd: Disable RDSEED on AMD Zen5 Turin because of an error.
Date: Sat, 18 Oct 2025 00:10:34 +0200 [thread overview]
Message-ID: <aPK-2iYHnt8DYFAF@zx2c4.com> (raw)
In-Reply-To: <20251016182107.3496116-1-gourry@gourry.net>
On Thu, Oct 16, 2025 at 02:21:07PM -0400, Gregory Price wrote:
> Under unknown architectural conditions, Zen5 chips running rdseed
> can produce (val=0,CF=1) as a "random" result over 10% of the time
> (when rdseed is successful). CF=1 indicates success, while val=0
> is typically only produced when rdseed fails (CF=0).
>
> This suggests there is an architectural issue which causes rdseed
> to misclassify a failure as a success under unknown conditions.
>
> This was reproduced reliably by launching 2-threads per available
> core, 1-thread per for hamming on RDSEED, and 1-thread per core
> collectively eating and hammering on ~90% of memory.
>
> Fix was modeled after a different RDSEED issue in Zen2 Cyan Skillfish.
Yikes. I suppose we should get some more info from AMD, so that they can
really figure out what's affected and why and such. In the meanwhile,
maybe it makes sense to disable a broad set of Zen 5 subfamilies? From a
random.c perspective, it'll use RDRAND instead, which appears to be
unaffected according to your report.
(Though, how could you tell if it was affected? RDRAND runs everything
through its internal DRBG, so if part of the key that it uses is made of
fixed zeros, we probably wouldn't notice. AMD really needs to look into
this.)
Impact-wise on random.c, assuming the most pessimistic conditions -- no
other entropy source being used other than RDSEED, which is never
actually the case but good for analysis here -- the first usage of
getrandom() will use 512 bits (random_init_early()) + 256 bits
(extract_entropy()) = 768 bits of RDSEED output, so assuming your 10%
failure rate, that's still 688 bits, which is roughly 2.69x as much as
we really "need" anyway. So I suspect overkill engineering is saving us
a bit here, and there's not any security impact to random.c.
Users who don't use getrandom() and try to use RDSEED directly might be
in a different situation, however. Don't do this. Just use getrandom().
Jason
prev parent reply other threads:[~2025-10-17 22:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-16 18:21 [PATCH] x86/amd: Disable RDSEED on AMD Zen5 Turin because of an error Gregory Price
2025-10-16 19:12 ` Gregory Price
2025-10-16 19:39 ` H. Peter Anvin
2025-10-17 11:48 ` Borislav Petkov
2025-10-17 22:10 ` Jason A. Donenfeld [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPK-2iYHnt8DYFAF@zx2c4.com \
--to=jason@zx2c4.com \
--cc=bp@alien8.de \
--cc=darwi@linutronix.de \
--cc=dave.hansen@linux.intel.com \
--cc=gourry@gourry.net \
--cc=hpa@zytor.com \
--cc=kai.huang@intel.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mario.limonciello@amd.com \
--cc=me@mixaill.net \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=riel@surriel.com \
--cc=sandipan.das@amd.com \
--cc=stable@kernel.org \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
--cc=x86@kernel.org \
--cc=yazen.ghannam@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox