We have not had a new CPU vulnerability for a little while — a situation that was clearly too good to last. The mainline kernel has just merged mitigations for the "special register buffer data sampling" vulnerability which, in short, allows an attacker to spy on the random numbers obtained by others. In particular, the results of the RDRAND instruction can be obtained via a speculative attack.
The mitigation involves more flushing and the serialization of RDRAND. That means an RDRAND instruction will take longer to run, but it also means that RDRAND requires locking across the system, which will slow things considerably if it is executed frequently. There are ways to turn the mitigations off, of course. See this new kernel document for more information.
These fixes are currently queued to be part of the 5.7.2, 5.6.18, 5.4.46, 4.19.128, 4.14.184, 4.9.227, 4.4.227, and 3.16.85 stable updates.
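To check a host against the stable updates listed above and see whether the mitigation is active, the following shell functions (an added example, not code from the article or the kernel) compare a kernel release with that list and classify the status line the kernel exposes in sysfs. Assumptions: the function names are hypothetical, the sysfs path is the kernel's standard CPU-vulnerabilities directory, and distribution kernels that backport fixes under an older version number will show as "older", so the sysfs line is the authoritative result.

```shell
#!/bin/sh
# Added example, not from the article. FIXED is the article's stable-update list.
FIXED="5.7.2 5.6.18 5.4.46 4.19.128 4.14.184 4.9.227 4.4.227 3.16.85"
# Standard kernel sysfs location for CPU vulnerability status (not named in the article).
SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# srbds_release_check RELEASE (hypothetical helper): compare an upstream-style
# release such as "5.4.46-generic" with the listed updates.
# Prints: fixed | older | unlisted
srbds_release_check() {
    ver=${1%%[!0-9.]*}          # drop suffixes such as "-generic" or "+"
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split into major, minor, patch
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; patch=${3:-0}
    for f in $FIXED; do
        if [ "${f%.*}" = "$maj.$min" ]; then
            if [ "$patch" -ge "${f##*.}" ]; then echo fixed; else echo older; fi
            return 0
        fi
    done
    echo unlisted               # series not in the article's list
}

# srbds_classify STATUS (hypothetical helper): map the sysfs status line to a
# verdict by prefix. Prints: ok | vulnerable | unknown
srbds_classify() {
    case $1 in
        "Not affected"|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                 echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# srbds_report [RELEASE] [SYSFS_FILE]: run both checks, defaulting to this host.
srbds_report() {
    rel=${1:-$(uname -r)}; file=${2:-$SYSFS}
    if [ -r "$file" ]; then
        status=$(cat "$file")
        echo "sysfs: $status -> $(srbds_classify "$status")"
    else
        echo "sysfs: $file not present; this kernel does not report SRBDS status"
    fi
    echo "release $rel against listed updates: $(srbds_release_check "$rel")"
}

srbds_report "$@"
```

A "vulnerable" verdict covers both a mitigation that has been turned off and a CPU still waiting for updated microcode; the full status line printed alongside it distinguishes the two.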