Stopping Zenbleed (CVE-2023-20593) on Windows
The newly discovered Zenbleed vulnerability (CVE-2023-20593) affects all Zen2 processors from AMD. Unfortunately, AMD will not provide microcode updates for many of its processors until November or December 2023. How to stay safe in the meantime? Luckily, there is a software workaround. While applying the software workaround is a one-liner on Linux, matters are more complicated on Windows.
To apply the software workaround, a certain bit (the chicken bit DE_CFG) has to be set in the MSR CPU register. As pointed out by Travis Ormandy the following command (https://cmpxchg8b.com/zenbleed.html#workaround) can be used to avoid Zenbleed on Linux:
# wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
Under Windows setting the MSR register is more difficult. Only kernel-level drivers are allowed to write to the MSR register. Moreover, to load a kernel-level driver, it needs to be signed. That is why we decided to use the existing WinRing0 driver from OpenLibSys.org. We wrote a PowerShell script that loads WinRing0, sends the appropriate MSR write requests to the drivers and unloads the WinRing0 driver immediately afterwards. Currently, our PowerShell script only works when Hyper-V is disabled. Our PowerShell script is hosted here: https://github.com/sbaresearch/stop-zenbleed-win Please note that the PowerShell script does come with a couple of caveats. Please read the accompanying README file and perform a risk analysis for your specific environment before using the script.