.. SPDX-License-Identifier: GPL-2.0

TSX Async Abort (TAA) mitigation
================================

.. _tsx_async_abort:

Overview
--------

TSX Async Abort (TAA) is a side channel attack on internal buffers in some
Intel processors similar to Microarchitectural Data Sampling (MDS). In this
case certain loads may speculatively pass invalid data to dependent operations
when an asynchronous abort condition is pending in a Transactional
Synchronization Extensions (TSX) transaction. This includes loads with no
fault or assist condition. Such loads may speculatively expose stale data from
the same uarch data structures as in MDS, with the same scope of exposure, i.e.
same-thread and cross-thread. This issue affects all current processors that
support TSX.

Mitigation strategy
-------------------

a) TSX disable - one of the mitigations is to disable TSX. A new MSR
IA32_TSX_CTRL will be available in future and current processors after
microcode update which can be used to disable TSX. In addition, it
controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID.

b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this
vulnerability. More details on this approach can be found in
:ref:`Documentation/admin-guide/hw-vuln/mds.rst <mds>`.


Kernel internal mitigation modes
--------------------------------

 =============    ============================================================
 off              Mitigation is disabled. Either the CPU is not affected or
                  tsx_async_abort=off is supplied on the kernel command line.

 tsx disabled     Mitigation is enabled. TSX feature is disabled by default at
                  bootup on processors that support TSX control.

 verw             Mitigation is enabled. CPU is affected and MD_CLEAR is
                  advertised in CPUID.

 ucode needed     Mitigation is enabled. CPU is affected and MD_CLEAR is not
                  advertised in CPUID. That is mainly for virtualization
                  scenarios where the host has the updated microcode but the
                  hypervisor does not expose MD_CLEAR in CPUID. It's a best
                  effort approach without guarantee.
 =============    ============================================================

If the CPU is affected and the "tsx_async_abort" kernel command line parameter is
not provided then the kernel selects an appropriate mitigation depending on the
status of RTM and MD_CLEAR CPUID bits.

Below tables indicate the impact of tsx=on|off|auto cmdline options on state of
TAA mitigation, VERW behavior and TSX feature for various combinations of
MSR_IA32_ARCH_CAPABILITIES bits.

1. "tsx=off"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=off
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
    0          0           0        HW default    Yes             Same as MDS          Same as MDS
    0          0           1        Invalid case  Invalid case    Invalid case         Invalid case
    0          1           0        HW default    No              Need ucode update    Need ucode update
    0          1           1        Disabled      Yes             TSX disabled         TSX disabled
    1          X           1        Disabled      X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

2. "tsx=on"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=on
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
    0          0           0        HW default    Yes             Same as MDS          Same as MDS
    0          0           1        Invalid case  Invalid case    Invalid case         Invalid case
    0          1           0        HW default    No              Need ucode update    Need ucode update
    0          1           1        Enabled       Yes             None                 Same as MDS
    1          X           1        Enabled       X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

3. "tsx=auto"

=========  =========  ============  ============  ==============  ===================  ======================
MSR_IA32_ARCH_CAPABILITIES bits     Result with cmdline tsx=auto
----------------------------------  -------------------------------------------------------------------------
TAA_NO     MDS_NO     TSX_CTRL_MSR  TSX state     VERW can clear  TAA mitigation       TAA mitigation
                                    after bootup  CPU buffers     tsx_async_abort=off  tsx_async_abort=full
=========  =========  ============  ============  ==============  ===================  ======================
    0          0           0        HW default    Yes             Same as MDS          Same as MDS
    0          0           1        Invalid case  Invalid case    Invalid case         Invalid case
    0          1           0        HW default    No              Need ucode update    Need ucode update
    0          1           1        Disabled      Yes             TSX disabled         TSX disabled
    1          X           1        Enabled       X               None needed          None needed
=========  =========  ============  ============  ==============  ===================  ======================

In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that
indicates whether MSR_IA32_TSX_CTRL is supported.

There are two control bits in IA32_TSX_CTRL MSR:

      Bit 0: When set it disables the Restricted Transactional Memory (RTM)
             sub-feature of TSX (will force all transactions to abort on the
             XBEGIN instruction).

      Bit 1: When set it disables the enumeration of the RTM and HLE feature
             (i.e. it will make CPUID(EAX=7).EBX{bit4} and
             CPUID(EAX=7).EBX{bit11} read as 0).