Earlier this week, a Google information security team revealed a new flaw in AMD's Zen 2 processors, referred to as “Zenbleed,” that affects AMD’s entire Zen 2 product stack. After an immediate investigation, the Equinix Metal Engineering team identified a number of Equinix Metal customers and servers that were impacted, as well as the options for mitigating the bug.
AMD has issued updated microcode that fixes the Zenbleed vulnerability. We are working with our hardware vendors to obtain the firmware updates that will apply the fix on impacted Equinix Metal machines as soon as those updates are ready. Additionally, we are working with our OS partners to ship updated OS images that include the updated kernels and/or the updated microcode.
There are workarounds customers can implement. A customer can boot an affected system into an OS that fixes the bug. Equinix Metal customers use a wide variety of operating systems, some of which have already incorporated the fixes described below, while others have not. The most recent Linux kernel versions, released on July 24, automatically check whether vulnerable microcode is running. If it is, the OS loads the microcode that fixes the issue; if that microcode is not available, it sets the “chicken bit” to disable the vulnerable feature.
The chicken bit workaround applies generally, for cases where a particular operating system does not yet have an update with the new microcode. A chicken bit is a software-controlled flag that changes hardware behavior: when it is set, a particular hardware feature is disabled. The chicken bit for the exploitable feature in the AMD chips can be set and cleared with the Linux utilities "rdmsr" and "wrmsr", which read and write a “model-specific register” (MSR). Install the “msr-tools” package, then follow the instructions in this blog post (authored by Tavis Ormandy, the Google security analyst who discovered the vulnerability) to set the chicken bit. Once the bit is set the bug is mitigated, but the setting is not guaranteed to persist across reboots, so you’ll want to add it to your boot-time automation.
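The chicken-bit procedure above, as an added example that is not part of this post or of Tavis Ormandy's write-up: a POSIX shell script for a Zen 2 host that reads the DE_CFG register (MSR 0xC0011029, the register the Linux kernel's Zenbleed fix also writes) with rdmsr, sets bit 9 on every CPU with wrmsr, and verifies the result. It assumes msr-tools is installed, that it runs as root, and that it is saved as zenbleed-chicken-bit.sh; the bit-twiddling helpers are kept separate from the hardware access so the logic can be checked on any machine.

```shell
#!/bin/sh
# Added example (not Equinix Metal's or Tavis Ormandy's code): set and verify the
# Zenbleed chicken bit with msr-tools. Assumes root, msr-tools installed, and that
# the file is saved as zenbleed-chicken-bit.sh (the guard at the bottom checks $0).
DE_CFG_MSR=0xc0011029   # AMD DE_CFG model-specific register
ZENBLEED_BIT=9          # DE_CFG[9]: the Zen 2 chicken bit

# Pure helpers (no hardware access), so the logic can be checked anywhere.
# with_chicken_bit <hex-value>: print <hex-value> with the chicken bit set.
with_chicken_bit() { printf '0x%x\n' $(( $1 | (1 << ZENBLEED_BIT) )); }
# has_chicken_bit <hex-value>: succeed if the chicken bit is already set.
has_chicken_bit() { [ $(( ($1 >> ZENBLEED_BIT) & 1 )) -eq 1 ]; }
# is_family_17h <decimal-family>: all Zen 2 parts are family 0x17 (23). So are
# Zen/Zen+, so this is a coarse gate; the kernel narrows further by model.
is_family_17h() { [ "$1" -eq 23 ]; }

# cpu_family: read the decimal "cpu family" of CPU 0 from /proc/cpuinfo.
cpu_family() { awk -F: '/^cpu family/ {gsub(/ /,"",$2); print $2; exit}' /proc/cpuinfo; }

apply_mitigation() {
  if ! is_family_17h "$(cpu_family)"; then
    echo "not an AMD family 17h CPU; nothing to do"
    return 0
  fi
  modprobe msr 2>/dev/null || true          # rdmsr/wrmsr need the msr module
  cur=$(rdmsr -c -p 0 "$DE_CFG_MSR")        # -c: 0x-prefixed hex; -p 0: CPU 0
  if has_chicken_bit "$cur"; then
    echo "chicken bit already set (DE_CFG=$cur): fixed microcode or prior workaround"
    return 0
  fi
  wrmsr -a "$DE_CFG_MSR" "$(with_chicken_bit "$cur")"   # -a: write on every CPU
  # The bit is per core, so verify every CPU, not just CPU 0.
  for v in $(rdmsr -a -c "$DE_CFG_MSR"); do
    has_chicken_bit "$v" || { echo "a CPU still reports DE_CFG=$v" >&2; return 1; }
  done
  echo "Zenbleed chicken bit set on all CPUs (does not persist across reboot)"
}

# Run only when executed as the script itself, so the helpers can be sourced.
case "${0##*/}" in zenbleed-chicken-bit.sh) apply_mitigation ;; esac
```

Because the setting is lost at reboot, run the script from a boot-time unit (for example a oneshot systemd service) rather than once by hand.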
If you have any questions about this vulnerability or need assistance with the potential mitigation steps you can take, our support team is here for you 24/7. Send an email to firstname.lastname@example.org or chat with support live.
We will update this blog post as important developments occur.