Why Linus Torvalds Slammed Intel's Snoop Patch: Performance vs Security

Background

A new micro‑architectural attack named Snoop (CVE‑2020‑0550) was disclosed in 2020. The vulnerability was reported by AWS engineer Pawel Wieczorkiewicz and affects Intel Xeon and Core processors.

Technical Details of Snoop

Snoop exploits the interaction between the L1 data cache (L1D) and the processor’s bus‑snooping mechanism. When data in L1D is modified, the CPU updates other caches via a bus‑snooping transaction. An attacker who can precisely time a cache‑flush operation to coincide with a victim’s use of a specific memory location can cause the updated data to be leaked from the CPU’s internal buffers.

The attack requires two strict conditions:

The attacker must synchronize the cache‑flush instruction with the exact moment the victim program accesses the target data.

The victim must be accessing the precise data the attacker wishes to exfiltrate.

Intel argues that these timing constraints make the attack impractical in trusted operating‑system environments because the window of opportunity is extremely short and the amount of data resident in L1D at any moment is very limited.

Intel’s Mitigation Patch

Intel’s proposed kernel patch exports a cache‑flush instruction (e.g., clflush) to user space and forces the kernel to invoke it on every context switch. This effectively serializes cache flushing across all processes, slowing down not only the targeted application but also unrelated workloads.

Linus Torvalds described the change as “exporting a cache‑flush instruction to user space, giving a way for a process to slow down everyone else.”

Linus Torvalds’ Response

After reviewing the patch, Linus Torvalds removed it from the mainline kernel, stating that the performance regression would affect all Linux users regardless of CPU vendor or whether the hardware is vulnerable. He emphasized that the mitigation would degrade performance on both Intel and AMD CPUs, especially on virtual CPUs that enable simultaneous multithreading (SMT) in cloud environments such as AWS.

“In my view this is essentially exporting a cache‑flush instruction to user space and giving a way for a process to slow down everyone else, even on CPUs that are not vulnerable.”

Performance Impact

The patch is considered an “always‑on‑everything” (AOE) mitigation. Benchmarks reported by the community show a noticeable slowdown in latency‑sensitive workloads and a reduction in overall throughput, even on CPUs that are not affected by the Snoop vulnerability. The impact is amplified on systems with SMT because flushing L1D for one logical thread interferes with the sibling thread’s cache state.

Assessment of Exploit Feasibility

Intel classifies the vulnerability as medium severity, noting that the limited size of L1D and the need for precise timing reduce the amount of data that can be exfiltrated. The company’s security advisory states that a successful attack would only leak a small amount of data during a brief execution window, making large‑scale data theft unlikely.

References

https://www.zdnet.com/article/linus-torvalds-talks-frankly-about-intel-security-bugs/

https://www.theregister.com/2020/06/02/linus_torvalds_kernel_intel_patch/

https://lore.kernel.org/lkml/CAHk-=wgXf_wQ9zrJKv2Hy4EpEbLuqty-Cjbs2u00gm7XcYHBfw@mail.gmail.com/