Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of the x86 Advanced Programmable Interrupt Controller (APIC) modes has been addressed. The issue arises from a BIOS feature that locks the APIC in Extended APIC (x2APIC) mode. x2APIC is generally compatible with legacy APIC, but locking it disables the memory-mapped (xAPIC) register interface, which has been exploited to leak data from Software Guard Extensions (SGX) enclaves. If the APIC is locked in x2APIC mode and the kernel nevertheless attempts to revert to legacy mode, the CPU raises a general protection fault. The vulnerability affects Linux kernel versions that predate support for this APIC lock, particularly on Intel systems from 2022 onwards that have SGX or Trust Domain Extensions (TDX) enabled in the BIOS.
The vulnerability could lead to a system boot failure on platforms with the IA32_XAPIC_DISABLE_STATUS MSR, where the BIOS has set the LEGACY_XAPIC_DISABLED bit, preventing the kernel from disabling x2APIC when legacy mode is required.
To reproduce this issue, enable SGX or TDX in the BIOS on an affected Intel system, which will set the LEGACY_XAPIC_DISABLED bit. Then, attempt to boot a Linux kernel version that includes the APIC locking feature. The system will fail to boot due to the kernel's inability to disable x2APIC, creating a lock mismatch that triggers a general protection fault.
Users can disable SGX and TDX in the BIOS so that the APIC is not locked and the system can boot in legacy APIC mode. Additionally, a kernel with the fix handles the locked x2APIC mode by reading the IA32_XAPIC_DISABLE_STATUS MSR and not attempting to disable x2APIC when that is not possible.