A new attack on Intel’s CPUs, called Plundervolt, may have an unforeseen consequence. The mitigation that fixes it appears to lock the CPU voltage to default settings, possibly preventing users from undervolting or overclocking them.
On Wednesday, however, Intel representatives said that it’s unlikely that SGX use and overclocking will overlap, meaning that the risk to consumers is probably low.
According to the researchers who authored the paper in question, every mobile and desktop Intel Core processor from the sixth-generation “Skylake” onward that supports Intel’s Software Guard Extensions (SGX) is vulnerable to the software attack, which injects faults into the processor package by very briefly decreasing the processor voltage. Injecting these faults can introduce errors into otherwise secure code, or allow cryptographic keys to be reproduced with what the researchers call negligible computational efforts.
The researchers said that they believe that the attacks can be mounted by a remote attacker, and not just one with local access.
As most researchers do, the team—made up of researchers at the University of Birmingham, the Graz University of Technology, and imec-DistriNet—reported the vulnerability to Intel, which issued an advisory and also said that it had released firmware updates to motherboard manufacturers. A related blog post by Intel said that the company was unaware of any issues in the wild.
Most users won’t be affected by Plundervolt itself, because it first requires an attack against the system. If SGX has not been enabled or if CPU voltage is locked at the default values, the system is also not vulnerable to this attack method, an Intel spokeswoman added in a follow-up email in response to a PCWorld question.
The mitigation Intel is issuing, however, appears to lock your PC’s voltage settings, preventing you from adjusting them. “Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” a related Intel blog post says.
“A BIOS update will lock the voltage to default settings that mitigate this vulnerability without need for users to enable anything and is typically provided by system manufacturers,” the Intel spokeswoman added, via email. “We recommend checking with your system manufacturer to better understand voltage settings.”
The medicine may be worse than the disease. It sounds like the Plundervolt mitigation could effectively remove the option to “undervolt” laptops, a technique that some enthusiasts use to extend the battery life and longevity of laptops. Using Intel’s eXtreme Tuning Utility, undervolters dial down the operating voltage of their PC in tiny increments until they find a voltage level at which their PC can run under load. Shaving off a few hundredths or thousandths of a volt can extend battery life proportionally. A PC’s CPU voltage can also be adjusted via overclocking on desktop PCs, though the focus there is primarily on the CPU’s clock speed, rather than the core voltage itself.
In either case, several questions remain, including which boards and laptops will apply the mitigation, and whether users will have an option to install it. It’s also not clear whether the mitigation that Intel is sending motherboard makers will in fact ever allow further CPU voltage modifications via software, or whether that capability is being disabled permanently.
“If you do not use SGX, you do not need to do anything,” the Plundervolt researchers wrote. “If you do use SGX: Intel has released a microcode update that—together with a BIOS update—allows disabling of the undervolting interface.”
Does your motherboard support SGX? It’s likely most recent boards do, though it’s not clear whether the feature is on by default. Here’s a list of SGX boards and platforms compiled over at GitHub. MSI’s customer support site claims that the company supports the feature, too. As we learn new information, we’ll update this post.
Update 12/11: According to updated information provided by Intel, the company is “working with system manufacturers to provide a balance between performance and security for platforms that support overclocking of unlocked processors,” an Intel representative said in an email. On those processors, such as Intel’s K-series chips, the preference may be set to allow voltages to be modified.
“We expect limited overlap between use cases where Intel SGX and overclocking are both relevant,” the representative added, probably meaning that there’s little chance that the average PC user will be affected. If the mitigation is applied, however, Intel’s XTU utility will not allow voltage changes from the default.
Story updated at 3:47PM PT on Dec. 11 with additional comment from Intel.