tsx_async_abort.rst (6974B)
1.. SPDX-License-Identifier: GPL-2.0 2 3TSX Async Abort (TAA) mitigation 4================================ 5 6.. _tsx_async_abort: 7 8Overview 9-------- 10 11TSX Async Abort (TAA) is a side channel attack on internal buffers in some 12Intel processors similar to Microachitectural Data Sampling (MDS). In this 13case certain loads may speculatively pass invalid data to dependent operations 14when an asynchronous abort condition is pending in a Transactional 15Synchronization Extensions (TSX) transaction. This includes loads with no 16fault or assist condition. Such loads may speculatively expose stale data from 17the same uarch data structures as in MDS, with same scope of exposure i.e. 18same-thread and cross-thread. This issue affects all current processors that 19support TSX. 20 21Mitigation strategy 22------------------- 23 24a) TSX disable - one of the mitigations is to disable TSX. A new MSR 25IA32_TSX_CTRL will be available in future and current processors after 26microcode update which can be used to disable TSX. In addition, it 27controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID. 28 29b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this 30vulnerability. More details on this approach can be found in 31:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`. 32 33Kernel internal mitigation modes 34-------------------------------- 35 36 ============= ============================================================ 37 off Mitigation is disabled. Either the CPU is not affected or 38 tsx_async_abort=off is supplied on the kernel command line. 39 40 tsx disabled Mitigation is enabled. TSX feature is disabled by default at 41 bootup on processors that support TSX control. 42 43 verw Mitigation is enabled. CPU is affected and MD_CLEAR is 44 advertised in CPUID. 45 46 ucode needed Mitigation is enabled. CPU is affected and MD_CLEAR is not 47 advertised in CPUID. That is mainly for virtualization 48 scenarios where the host has the updated microcode but the 49 hypervisor does not expose MD_CLEAR in CPUID. It's a best 50 effort approach without guarantee. 51 ============= ============================================================ 52 53If the CPU is affected and the "tsx_async_abort" kernel command line parameter is 54not provided then the kernel selects an appropriate mitigation depending on the 55status of RTM and MD_CLEAR CPUID bits. 56 57Below tables indicate the impact of tsx=on|off|auto cmdline options on state of 58TAA mitigation, VERW behavior and TSX feature for various combinations of 59MSR_IA32_ARCH_CAPABILITIES bits. 60 611. "tsx=off" 62 63========= ========= ============ ============ ============== =================== ====================== 64MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=off 65---------------------------------- ------------------------------------------------------------------------- 66TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation 67 after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full 68========= ========= ============ ============ ============== =================== ====================== 69 0 0 0 HW default Yes Same as MDS Same as MDS 70 0 0 1 Invalid case Invalid case Invalid case Invalid case 71 0 1 0 HW default No Need ucode update Need ucode update 72 0 1 1 Disabled Yes TSX disabled TSX disabled 73 1 X 1 Disabled X None needed None needed 74========= ========= ============ ============ ============== =================== ====================== 75 762. "tsx=on" 77 78========= ========= ============ ============ ============== =================== ====================== 79MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=on 80---------------------------------- ------------------------------------------------------------------------- 81TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation 82 after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full 83========= ========= ============ ============ ============== =================== ====================== 84 0 0 0 HW default Yes Same as MDS Same as MDS 85 0 0 1 Invalid case Invalid case Invalid case Invalid case 86 0 1 0 HW default No Need ucode update Need ucode update 87 0 1 1 Enabled Yes None Same as MDS 88 1 X 1 Enabled X None needed None needed 89========= ========= ============ ============ ============== =================== ====================== 90 913. "tsx=auto" 92 93========= ========= ============ ============ ============== =================== ====================== 94MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=auto 95---------------------------------- ------------------------------------------------------------------------- 96TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation 97 after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full 98========= ========= ============ ============ ============== =================== ====================== 99 0 0 0 HW default Yes Same as MDS Same as MDS 100 0 0 1 Invalid case Invalid case Invalid case Invalid case 101 0 1 0 HW default No Need ucode update Need ucode update 102 0 1 1 Disabled Yes TSX disabled TSX disabled 103 1 X 1 Enabled X None needed None needed 104========= ========= ============ ============ ============== =================== ====================== 105 106In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that 107indicates whether MSR_IA32_TSX_CTRL is supported. 108 109There are two control bits in IA32_TSX_CTRL MSR: 110 111 Bit 0: When set it disables the Restricted Transactional Memory (RTM) 112 sub-feature of TSX (will force all transactions to abort on the 113 XBEGIN instruction). 114 115 Bit 1: When set it disables the enumeration of the RTM and HLE feature 116 (i.e. it will make CPUID(EAX=7).EBX{bit4} and 117 CPUID(EAX=7).EBX{bit11} read as 0).