by oskarw85 1058 days ago
My understanding was that Zenbleed code runs in userspace, therefore it doesn't matter if the kernel/libraries use AVX optimizations or not. That jab against Linux sounds like blame shifting and moving the discussion away from the fact that OpenBSD did not offer a microcode update at all.
2 comments

I don't agree, I think it's a fair assessment of the impact.

For data to be exfiltrated through this exploit, the sensitive data must first be loaded into an AVX register. On GNU/Linux this happens all the time, because strcmp et al. use AVX. On OpenBSD this is not the case, so only applications that themselves are loading sensitive data into AVX registers would be vulnerable.

Anyway, OpenBSD users have the new microcode now, while most Linux users don't (I checked Arch, Fedora and Ubuntu, none of them has updated their packaging yet).

Zenbleed's impact is due to userspace (including library) use of AVX registers. Glibc is part of userspace. OpenBSD libc is not glibc. It's a valid difference.

I don't think this is an example of foresight / good design choice, though. They just got lucky that no one cared enough to do performance optimization on their libc string functions.