.. SPDX-License-Identifier: GPL-2.0

TSX Async Abort (TAA) mitigation
================================

.. _tsx_async_abort:

Overview
--------

TSX Async Abort (TAA) is a side channel attack on internal buffers in some
Intel processors similar to Microarchitectural Data Sampling (MDS). In this
case certain loads may speculatively pass invalid data to dependent operations
when an asynchronous abort condition is pending in a Transactional
Synchronization Extensions (TSX) transaction. This includes loads with no
fault or assist condition. Such loads may speculatively expose stale data from
the same uarch data structures as in MDS, with the same scope of exposure, i.e.
same-thread and cross-thread. This issue affects all current processors that
support TSX.

Mitigation strategy
-------------------

a) TSX disable - one of the mitigations is to disable TSX. A new MSR
IA32_TSX_CTRL will be available in future and current processors after
a microcode update which can be used to disable TSX. In addition, it
controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID.

b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this
vulnerability. More details on this approach can be found in
:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`.

Kernel internal mitigation modes
--------------------------------

 =============    ============================================================
 off              Mitigation is disabled. Either the CPU is not affected or
                  tsx_async_abort=off is supplied on the kernel command line.

 tsx disabled     Mitigation is enabled. TSX feature is disabled by default at
                  bootup on processors that support TSX control.

 verw             Mitigation is enabled. CPU is affected and MD_CLEAR is
                  advertised in CPUID.

 ucode needed     Mitigation is enabled. CPU is affected and MD_CLEAR is not
                  advertised in CPUID. That is mainly for virtualization
                  scenarios where the host has the updated microcode but the
                  hypervisor does not expose MD_CLEAR in CPUID. It's a best
                  effort approach without guarantee.
 =============    ============================================================

If the CPU is affected and the "tsx_async_abort" kernel command line parameter is
not provided then the kernel selects an appropriate mitigation depending on the
status of RTM and MD_CLEAR CPUID bits.

The tables below show the impact of the tsx=on|off|auto cmdline options on the
state of the TAA mitigation, VERW behavior and the TSX feature for various
combinations of MSR_IA32_ARCH_CAPABILITIES bits.

1. "tsx=off"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=off
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
0          0          0             HW default    Yes             Same as MDS          Same as MDS
0          0          1             Invalid case  Invalid case    Invalid case         Invalid case
0          1          0             HW default    No              Need ucode update    Need ucode update
0          1          1             Disabled      Yes             TSX disabled         TSX disabled
1          X          1             Disabled      X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

2. "tsx=on"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=on
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
0          0          0             HW default    Yes             Same as MDS          Same as MDS
0          0          1             Invalid case  Invalid case    Invalid case         Invalid case
0          1          0             HW default    No              Need ucode update    Need ucode update
0          1          1             Enabled       Yes             None                 Same as MDS
1          X          1             Enabled       X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

3. "tsx=auto"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=auto
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
0          0          0             HW default    Yes             Same as MDS          Same as MDS
0          0          1             Invalid case  Invalid case    Invalid case         Invalid case
0          1          0             HW default    No              Need ucode update    Need ucode update
0          1          1             Disabled      Yes             TSX disabled         TSX disabled
1          X          1             Enabled       X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that
indicates whether MSR_IA32_TSX_CTRL is supported.
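
The decision logic that the three tables encode, written out as an added example; it is not kernel code and not part of the original document. The function and enum names are hypothetical, the bit positions are those used in the kernel's msr-index.h rather than taken from this page, and the combination TAA_NO=1 with TSX_CTRL_MSR=0, which the tables do not list, is assumed to follow the same rules.

```c
#include <stdint.h>

/* MSR_IA32_ARCH_CAPABILITIES bit positions as in the kernel's msr-index.h
 * (not stated on this page). */
#define ARCH_CAP_MDS_NO       (1ULL << 5)
#define ARCH_CAP_TSX_CTRL_MSR (1ULL << 7)
#define ARCH_CAP_TAA_NO       (1ULL << 8)

enum tsx_opt   { TSX_OFF, TSX_ON, TSX_AUTO };        /* tsx= */
enum taa_opt   { TAA_OPT_OFF, TAA_OPT_FULL };        /* tsx_async_abort= */
enum tsx_state { TSX_HW_DEFAULT, TSX_DISABLED, TSX_ENABLED };
enum taa_mitig { TAA_INVALID, TAA_NONE_NEEDED, TAA_NONE, TAA_SAME_AS_MDS,
                 TAA_NEED_UCODE, TAA_TSX_DISABLED };
struct taa_result { enum tsx_state tsx; enum taa_mitig mitig; };

/* Hypothetical helper: returns the table row selected by the inputs. */
struct taa_result taa_evaluate(uint64_t arch_cap, enum tsx_opt tsx,
                               enum taa_opt taa)
{
    int taa_no   = !!(arch_cap & ARCH_CAP_TAA_NO);
    int mds_no   = !!(arch_cap & ARCH_CAP_MDS_NO);
    int tsx_ctrl = !!(arch_cap & ARCH_CAP_TSX_CTRL_MSR);
    struct taa_result r = { TSX_HW_DEFAULT, TAA_INVALID };

    if (!taa_no && !mds_no && tsx_ctrl)   /* row "0 0 1": invalid case */
        return r;
    if (tsx_ctrl) {   /* TSX state is only controllable via IA32_TSX_CTRL */
        if (tsx == TSX_AUTO)
            r.tsx = taa_no ? TSX_ENABLED : TSX_DISABLED;
        else
            r.tsx = (tsx == TSX_ON) ? TSX_ENABLED : TSX_DISABLED;
    }
    /* Rows "1 X 1"; the unlisted "1 X 0" is assumed to behave the same. */
    if (taa_no)
        r.mitig = TAA_NONE_NEEDED;
    else if (r.tsx == TSX_DISABLED)   /* row "0 1 1" with tsx=off|auto */
        r.mitig = TAA_TSX_DISABLED;
    else if (!mds_no)                 /* row "0 0 0": VERW clears buffers */
        r.mitig = TAA_SAME_AS_MDS;
    else if (!tsx_ctrl)               /* row "0 1 0": VERW cannot clear */
        r.mitig = TAA_NEED_UCODE;
    else                              /* row "0 1 1" with tsx=on */
        r.mitig = (taa == TAA_OPT_FULL) ? TAA_SAME_AS_MDS : TAA_NONE;
    return r;
}
```

Feeding it the value read from MSR_IA32_ARCH_CAPABILITIES together with the booted ``tsx=`` and ``tsx_async_abort=`` options gives the TSX state and TAA mitigation the tables predict for that machine.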

There are two control bits in IA32_TSX_CTRL MSR:

      Bit 0: When set it disables the Restricted Transactional Memory (RTM)
             sub-feature of TSX (will force all transactions to abort on the
             XBEGIN instruction).

      Bit 1: When set it disables the enumeration of the RTM and HLE feature
             (i.e. it will make CPUID(EAX=7).EBX{bit4} and
             CPUID(EAX=7).EBX{bit11} read as 0).