For some newer Arm core designs, Arm is changing the Linux kernel to default to enabling Kernel Page Table Isolation (KPTI) when the system is not running a new enough firmware version, in order to properly mitigate a recently disclosed CPU security issue. The change has been queued up and is expected to land with the upcoming Linux 6.15 kernel.
Many still have nightmares about the Page Table Isolation mitigation costs from the Meltdown period… Unfortunately, it has turned out to be needed for some newer Arm core designs that do not have new firmware in place with an alternative mitigation strategy.
Back in January, Arm made public CVE-2024-7881. Arm described CVE-2024-7881 in its disclosure:
“An issue has been identified in some Arm-based CPUs that may allow an unprivileged context to trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location (for which it does not have read permission) and consume those contents as an address that is also dereferenced.
…
Arm recommends that its partners disable the affected prefetcher by setting CPUACTLR6_EL1[41] as soon as possible. Updates to Trusted Firmware-A are available which implement this. Enabling KPTI will help protect against this issue on systems which have not yet received firmware patches. To facilitate this, Arm has updated the SMC Calling Convention spec so that privileged normal world software can identify when the issue has been mitigated in firmware (SMCCC_ARCH_WORKAROUND_4).”
What the Linux kernel is preparing for the upcoming Linux 6.15 cycle is applying Kernel Page Table Isolation by default on affected CPU models when that new firmware is not loaded.
Affected Arm CPUs include the Cortex X3, Cortex X4, Cortex X925, Neoverse V2, and Neoverse V3.
This patch from Arm has been queued into the ARM64 “for-next/core” Git branch ahead of the Linux 6.15 merge window.
“On some CPUs from Arm Ltd, it is possible for unprivileged code to cause a hardware prefetcher to form an address using the contents of a memory location which is accessible by privileged accesses in the active translation regime, potentially leaking the contents of this memory location via a side channel.
…
On systems which have not yet received a firmware update, enabling KPTI will help to mitigate the issue. This patch enables KPTI on affected parts where the lack of SMCCC_ARCH_WORKAROUND_4 indicates the absence of the firmware workaround. This will implicitly disable SPE and/or TRBE if either of these are present.”
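As an added example (not code from the article, from Arm's advisory, or from the kernel patch), the POSIX shell script below lets an administrator check a Linux/arm64 host against the two facts the patch description relies on: whether one of the listed cores is present, and whether KPTI is currently active. It assumes the MIDR part numbers for the five listed cores, which are taken from the kernel's arch/arm64/include/asm/cputype.h from memory and should be verified there, and it assumes the kernel's meltdown entry under /sys/devices/system/cpu/vulnerabilities/ reports "Mitigation: PTI" when KPTI is on. The sample cpuinfo text is constructed for the demo; the live invocation is shown in a comment.

```shell
#!/bin/sh
# Added example, not from the article, Arm's advisory or the kernel patch:
# a read-only check of whether a Linux/arm64 host carries one of the cores the
# article lists and whether KPTI is currently active, i.e. whether the
# Linux 6.15 default change (or a firmware update exposing
# SMCCC_ARCH_WORKAROUND_4) matters for this machine.
#
# ASSUMPTION: the MIDR part numbers below are taken from memory of the
# kernel's arch/arm64/include/asm/cputype.h; verify them against your
# kernel tree before relying on this table.

# Map an Arm Ltd (implementer 0x41) part number to a listed core name, or "".
affected_core_name() {
    case "$1" in
        0xd4e) echo "Cortex-X3" ;;
        0xd82) echo "Cortex-X4" ;;
        0xd85) echo "Cortex-X925" ;;
        0xd4f) echo "Neoverse-V2" ;;
        0xd84) echo "Neoverse-V3" ;;
        *)     echo "" ;;
    esac
}

# Print, one per line, the listed cores found in a /proc/cpuinfo-format file.
# Only Arm Ltd parts (implementer 0x41) are considered: other vendors' part
# numbers live in a different namespace and must not be matched.
list_affected_cores() {
    awk -F': ' '/^CPU implementer/ { imp = $2 }
                /^CPU part/       { if (imp == "0x41") print $2 }' "$1" \
      | sort -u \
      | while read -r part; do
            name=$(affected_core_name "$part")
            [ -n "$name" ] && echo "$name"
        done
}

# Classify the kernel's own report, i.e. the contents of
# /sys/devices/system/cpu/vulnerabilities/meltdown (assumed strings).
kpti_status() {
    case "$1" in
        "Mitigation: PTI") echo "enabled" ;;
        "Not affected")    echo "not-needed" ;;
        *)                 echo "disabled" ;;
    esac
}

# Combine both: return 0 when nothing needs doing, 1 when a listed core runs
# without KPTI (the situation the queued 6.15 change addresses).
assess_host() {
    cores=$(list_affected_cores "$1" | tr '\n' ' ' | sed 's/ $//')
    kpti=$(kpti_status "$2")
    if [ -z "$cores" ]; then
        echo "no listed cores present (KPTI: $kpti)"
        return 0
    fi
    if [ "$kpti" = "enabled" ]; then
        echo "listed cores present ($cores), KPTI enabled"
        return 0
    fi
    echo "listed cores present ($cores), KPTI $kpti: needs firmware with SMCCC_ARCH_WORKAROUND_4 or the 6.15 KPTI default"
    return 1
}

# Constructed sample input standing in for /proc/cpuinfo on a two-core system.
SAMPLE_CPUINFO=$(mktemp)
trap 'rm -f "$SAMPLE_CPUINFO"' EXIT
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor : 0
CPU implementer : 0x41
CPU architecture: 8
CPU part : 0xd4e

processor : 1
CPU implementer : 0x41
CPU architecture: 8
CPU part : 0xd82
EOF

# Live use on a real host:
#   assess_host /proc/cpuinfo "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown)"
assess_host "$SAMPLE_CPUINFO" "Vulnerable" || :
assess_host "$SAMPLE_CPUINFO" "Mitigation: PTI"
```

The implementer check matters: part numbers are only meaningful together with the implementer field, so a non-Arm core that happens to share a part number must not be flagged. Note that the script only reports what the kernel says about KPTI; it does not itself query SMCCC_ARCH_WORKAROUND_4, which is a firmware call the kernel makes at boot.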
So the KPTI performance nightmare is unfortunately coming back to newer Arm CPUs wherever updated firmware is not available for the affected models.