Description
Hello,
We have been analyzing several systems, especially their context switch implementations, to check whether any security-sensitive architectural state is not swapped appropriately:
Security vulnerability:
The existing configuration allows user-mode access to performance monitoring counters such as cycle, time, and instret by default.
While the Linux perf tool uses the same counters, its implementation ensures correct measurements that are not influenced by other processes running on the system, so the measurements reported by perf do not leak any sensitive information and cannot be used for side-channel or timing-channel attacks.
However, giving unprivileged user processes default access to these fine-grained counters allows them to be used to mount side-channel or timing-channel attacks and leak secrets of user processes.
This can be fixed either by resetting this architectural state when context switching between processes, or by disabling access to such counters by default (the scounteren CSR can be used to disable access to these counters).
Best Regards.
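Added example, not code from the issue or from the project it was filed against: a host-runnable C model of the counter-enable gating the fix relies on. It assumes the bit layout of the RISC-V privileged specification (bit 0 CY, bit 1 TM, bit 2 IR, bits 3..31 HPM3..HPM31, shared by mcounteren and scounteren) and the rule that mcounteren gates S-mode reads while mcounteren and scounteren together gate U-mode reads; `harden_scounteren` computes the value that closes the default user-mode access described above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit layout shared by mcounteren and scounteren (RISC-V privileged spec):
 * bit 0 = CY (cycle), bit 1 = TM (time), bit 2 = IR (instret),
 * bits 3..31 = HPM3..HPM31 (hardware performance monitor counters). */
#define COUNTEREN_CY   (1u << 0)
#define COUNTEREN_TM   (1u << 1)
#define COUNTEREN_IR   (1u << 2)
#define COUNTEREN_BASE (COUNTEREN_CY | COUNTEREN_TM | COUNTEREN_IR)

enum priv { PRIV_U = 0, PRIV_S = 1, PRIV_M = 3 };

/* Gating rule: a read of counter `idx` (0..31) from privilege level `priv`
 * succeeds only if each higher level has enabled it (mcounteren gates
 * S-mode; mcounteren and scounteren both gate U-mode). M-mode is never
 * gated. A disallowed read traps with an illegal-instruction exception. */
bool counter_readable(enum priv priv, uint32_t mcounteren,
                      uint32_t scounteren, unsigned idx)
{
    if (idx > 31) return false;
    uint32_t bit = 1u << idx;
    switch (priv) {
    case PRIV_M: return true;
    case PRIV_S: return (mcounteren & bit) != 0;
    case PRIV_U: return (mcounteren & bit) != 0 && (scounteren & bit) != 0;
    default:     return false;
    }
}

/* How many of the 32 counters an unprivileged process can read directly
 * (rdcycle/rdtime/rdinstret/rdhpm*) under a given configuration. */
unsigned user_readable_count(uint32_t mcounteren, uint32_t scounteren)
{
    unsigned n = 0;
    for (unsigned idx = 0; idx < 32; idx++)
        n += counter_readable(PRIV_U, mcounteren, scounteren, idx);
    return n;
}

/* Hardened scounteren: clear CY, TM and IR so user mode loses direct
 * access to the fine-grained counters; HPM bits are left as configured. */
uint32_t harden_scounteren(uint32_t current)
{
    return current & ~COUNTEREN_BASE;
}
```

With a constructed configuration where firmware enables every counter for S-mode (mcounteren = 0xFFFFFFFF) and the kernel leaves scounteren = CY|TM|IR, `user_readable_count` reports 3 before hardening and 0 after.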