Intel's initial Linux kernel patches introducing Linear Address Space Separation (LASS) date back to January of 2023. Two and a half years later, the Intel LASS patches remain in development, with the sixth iteration of the series having been posted today.
Intel’s Linear Address Space Separation is designed to harden the operating system against various classes of side-channel exploits. LASS support on the CPU side premiered with Sierra Forest processors and has continued with the Xeon 6 line-up in full. While the processors are shipping now with LASS support, the Linux kernel support remains a work in progress, with today bringing the v6 patch series.
Intel engineer Kirill Shutemov sent out the updated Linux LASS patches today and explained:
“Linear Address Space Separation (LASS) is a security feature that intends to prevent malicious virtual address space accesses across user/kernel mode.
Such mode based access protection already exists today with paging and features such as SMEP and SMAP. However, to enforce these protections, the processor must traverse the paging structures in memory. Malicious software can use timing information resulting from this traversal to determine details about the paging structures, and these details may also be used to determine the layout of the kernel memory.
The LASS mechanism provides the same mode-based protections as paging but without traversing the paging structures. Because the protections enforced by LASS are applied before paging, software will not be able to derive paging-based timing information from the various caching structures such as the TLBs, mid-level caches, page walker, data caches, etc. LASS can avoid probing using double page faults, TLB flush and reload, and SW prefetch instructions.”
The LASS v6 patches bring improvements around LASS violation reporting, more helpful error messages, and other adjustments. We’ll see if this iteration of the patches is good enough for upstreaming in an upcoming kernel cycle, but for now those interested can find the updated patches on the kernel mailing list.