Speculative register leakage from lazy FPU context switching

ID XSA-267
Type xen
Reporter Xen Project
Modified 2018-06-13T20:23:00



x86 has a hardware mechanism for lazy FPU context switching. On a task switch, %cr0.ts (Task Switched) gets set, and the next instruction to touch floating point state raises an #NM (No Math, later known as Device Not Available) exception.

Traditionally, FPU state has been large in comparison to available bandwidth (and therefore slow to switch) and not used as frequently as CPU tasks tend to switch. This mechanism allows the OS to only switch FPU when necessary, which in turn increases performance.

Some CPUs however speculate past an #NM exception, allowing register content to be leaked by a side-channel.

For more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
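The lazy mechanism described above, modelled in C as an added example (not code from the advisory or from Xen): it tracks whose FPU state physically sits in the register file after a switch, which is the state speculation past #NM can expose. The 4-word FPU state, the struct and function names, and the eager mode shown for contrast are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model (constructed): one pCPU, FPU state reduced to 4 words. */
#define FPU_WORDS 4
struct vcpu { uint64_t fpu_save[FPU_WORDS]; };  /* per-vCPU save area */
struct cpu {
    uint64_t fpu_regs[FPU_WORDS]; /* physical register file */
    bool cr0_ts;                  /* CR0.TS: next FPU insn raises #NM */
    struct vcpu *fpu_owner, *current;
};

/* Save the old owner's registers, load v's, clear TS. */
static void fpu_load(struct cpu *c, struct vcpu *v) {
    if (c->fpu_owner != v) {
        if (c->fpu_owner)
            memcpy(c->fpu_owner->fpu_save, c->fpu_regs, sizeof c->fpu_regs);
        memcpy(c->fpu_regs, v->fpu_save, sizeof c->fpu_regs);
    }
    c->fpu_owner = v;
    c->cr0_ts = false;
}

/* Lazy: only set TS. Eager: swap FPU state on every switch. */
void context_switch(struct cpu *c, struct vcpu *next, bool eager) {
    c->current = next;
    if (eager) fpu_load(c, next);
    else c->cr0_ts = (c->fpu_owner != next);
}

/* FPU instruction by the current vCPU; TS set means #NM fix-up first. */
uint64_t fpu_read(struct cpu *c, int reg) {
    if (c->cr0_ts) fpu_load(c, c->current);
    return c->fpu_regs[reg];
}

/* Foreign state in the register file: the window speculation past #NM exposes. */
bool foreign_state_resident(const struct cpu *c) {
    return c->fpu_owner && c->fpu_owner != c->current;
}

int main(void) {
    struct vcpu a = {{0xA1}}, b = {{0xB1}};
    struct cpu c = {0};
    context_switch(&c, &a, false); fpu_read(&c, 0);
    context_switch(&c, &b, false);
    printf("lazy: foreign state resident = %d\n", foreign_state_resident(&c));
}
```

Architecturally the second vCPU never reads the first one's values, because the #NM fix-up runs before its FPU instruction completes; the model only shows that under lazy switching those values are still physically present until then.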


An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to another vCPU previously scheduled on the same processor. This can be state belonging to a different guest, or state belonging to a different thread inside the same guest.

Furthermore, similar changes are expected for OS kernels. Consult your operating system provider for more information.

#### VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable. ARM processors are not known to be affected.

Only Intel Core based processors (from at least Nehalem onwards) are potentially affected. Other processor designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected.