412 lines
17 KiB
Diff
From: speck for Pawan Gupta <speck@linutronix.de>
Date: Wed, 9 Oct 2019 16:29:57 -0700
Subject: TAAv6 8

Add the documentation for TSX Async Abort. Include the description of
the issue, how to check the mitigation state, control the mitigation,
and guidance for system administrators.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Co-developed-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Signed-off-by: Antonio Gomez Iglesias <antonio.gomez.iglesias@intel.com>
Reviewed-by: Mark Gross <mgross@linux.intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
[bwh: Forward-ported on top of NX: Fix conflict (neighbouring
insertions) in Documentation/ABI/testing/sysfs-devices-system-cpu]
[bwh: Backported to 4.19: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
.../ABI/testing/sysfs-devices-system-cpu | 1 +
Documentation/admin-guide/hw-vuln/index.rst | 1 +
.../admin-guide/hw-vuln/tsx_async_abort.rst | 240 ++++++++++++++++++
.../admin-guide/kernel-parameters.txt | 36 +++
Documentation/x86/index.rst | 1 +
Documentation/x86/tsx_async_abort.rst | 54 ++++
6 files changed, 333 insertions(+)
create mode 100644 Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
create mode 100644 Documentation/x86/tsx_async_abort.rst

--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -479,6 +479,7 @@ What: /sys/devices/system/cpu/vulnerabi
/sys/devices/system/cpu/vulnerabilities/l1tf
/sys/devices/system/cpu/vulnerabilities/mds
/sys/devices/system/cpu/vulnerabilities/itlb_multihit
+ /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Date: January 2018
Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org>
Description: Information about CPU vulnerabilities
--- a/Documentation/admin-guide/hw-vuln/index.rst
+++ b/Documentation/admin-guide/hw-vuln/index.rst
@@ -12,3 +12,4 @@ are configurable at compile, boot or run
spectre
l1tf
mds
+ tsx_async_abort
--- /dev/null
+++ b/Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
@@ -0,0 +1,240 @@
+TAA - TSX Asynchronous Abort
+======================================
+
+TAA is a hardware vulnerability that allows unprivileged speculative access to
+data which is available in various CPU internal buffers by using asynchronous
+aborts within an Intel TSX transactional region.
+
+Affected processors
+-------------------
+
+This vulnerability only affects Intel processors that support Intel
+Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8)
+is 0 in the IA32_ARCH_CAPABILITIES MSR. On processors where the MDS_NO bit
+(bit 5)is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations
+also mitigate against TAA.
+
+Whether a processor is affected or not can be read out from the TAA
+vulnerability file in sysfs. See :ref:`tsx_async_abort_sys_info`.
+
+Related CVEs
+------------
+
+The following CVE entry is related to this TAA issue:
+
+ ============== ===== ===================================================
+ CVE-2019-11135 TAA TSX Asynchronous Abort (TAA) condition on some
+ microprocessors utilizing speculative execution may
+ allow an authenticated user to potentially enable
+ information disclosure via a side channel with
+ local access.
+ ============== ===== ===================================================
+
+Problem
+-------
+
+When performing store, load, L1 refill operations, processors write data into
+temporary microarchitectural structures (buffers). The data in the buffer can
+be forwarded to load operations as an optimization.
+
+Intel TSX are an extension to the x86 instruction set architecture that adds
+hardware transactional memory support to improve performance of multi-threaded
+software. TSX lets the processor expose and exploit concurrence hidden in an
+application due to dynamically avoiding unnecessary synchronization.
+
+TSX supports atomic memory transactions that are either committed (success) or
+aborted. During an abort, operations that happened within the transactional region
+are rolled back. An asynchronous abort takes place, among other options, when a
+different thread accesses a cache line that is also used within the transactional
+region when that access might lead to a data race.
+
+Immediately after an uncompleted asynchronous abort, certain speculatively
+executed loads may read data from those internal buffers and pass it to dependent
+operations. This can be then used to infer the value via a cache side channel
+attack.
+
+Because the buffers are potentially shared between Hyper-Threads cross
+Hyper-Thread attacks are possible.
+
+The victim of a malicious actor does not need to make use of TSX. Only the
+attacker needs to begin a TSX transaction and raise an asynchronous abort
+to try to leak some of data stored in the buffers.
+
+Deeper technical information is available in the TAA specific x86 architecture
+section: :ref:`Documentation/x86/tsx_async_abort.rst <tsx_async_abort>`.
+
+
+Attack scenarios
+----------------
+
+Attacks against the TAA vulnerability can be implemented from unprivileged
+applications running on hosts or guests.
+
+As for MDS, the attacker has no control over the memory addresses that can be
+leaked. Only the victim is responsible for bringing data to the CPU. As a
+result, the malicious actor has to first sample as much data as possible and
+then postprocess it to try to infer any useful information from it.
+
+A potential attacker only has read access to the data. Also, there is no direct
+privilege escalation by using this technique.
+
+
+.. _tsx_async_abort_sys_info:
+
+TAA system information
+-----------------------
+
+The Linux kernel provides a sysfs interface to enumerate the current TAA status
+of mitigated systems. The relevant sysfs file is:
+
+/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
+
+The possible values in this file are:
+
+.. list-table::
+
+ * - 'Vulnerable'
+ - The CPU is affected by this vulnerability and the microcode and kernel mitigation are not applied.
+ * - 'Vulnerable: Clear CPU buffers attempted, no microcode'
+ - The system tries to clear the buffers but the microcode might not support the operation.
+ * - 'Mitigation: Clear CPU buffers'
+ - The microcode has been updated to clear the buffers. TSX is still enabled.
+ * - 'Mitigation: TSX disabled'
+ - TSX is disabled.
+ * - 'Not affected'
+ - The CPU is not affected by this issue.
+
+.. _ucode_needed:
+
+Best effort mitigation mode
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If the processor is vulnerable, but the availability of the microcode-based
+mitigation mechanism is not advertised via CPUID the kernel selects a best
+effort mitigation mode. This mode invokes the mitigation instructions
+without a guarantee that they clear the CPU buffers.
+
+This is done to address virtualization scenarios where the host has the
+microcode update applied, but the hypervisor is not yet updated to expose the
+CPUID to the guest. If the host has updated microcode the protection takes
+effect; otherwise a few CPU cycles are wasted pointlessly.
+
+The state in the tsx_async_abort sysfs file reflects this situation
+accordingly.
+
+
+Mitigation mechanism
+--------------------
+
+The kernel detects the affected CPUs and the presence of the microcode which is
+required. If a CPU is affected and the microcode is available, then the kernel
+enables the mitigation by default.
+
+
+The mitigation can be controlled at boot time via a kernel command line option.
+See :ref:`taa_mitigation_control_command_line`. It also provides a sysfs
+interface. See :ref:`taa_mitigation_sysfs`.
+
+.. _virt_mechanism:
+
+Virtualization mitigation
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Affected systems where the host has the TAA microcode and the TAA mitigation is
+ON (with TSX disabled) are not vulnerable regardless of the status of the VMs.
+
+In all other cases, if the host either does not have the TAA microcode or the
+kernel is not mitigated, the system might be vulnerable.
+
+
+.. _taa_mitigation_control_command_line:
+
+Mitigation control on the kernel command line
+---------------------------------------------
+
+The kernel command line allows to control the TAA mitigations at boot time with
+the option "tsx_async_abort=". The valid arguments for this option are:
+
+ ============ =============================================================
+ off This option disables the TAA mitigation on affected platforms.
+ If the system has TSX enabled (see next parameter) and the CPU
+ is affected, the system is vulnerable.
+
+ full TAA mitigation is enabled. If TSX is enabled, on an affected
+ system it will clear CPU buffers on ring transitions. On
+ systems which are MDS-affected and deploy MDS mitigation,
+ TAA is also mitigated. Specifying this option on those
+ systems will have no effect.
+
+ full,nosmt The same as tsx_async_abort=full, with SMT disabled on
+ vulnerable CPUs that have TSX enabled. This is the complete
+ mitigation. When TSX is disabled, SMT is not disabled because
+ CPU is not vulnerable to cross-thread TAA attacks.
+ ============ =============================================================
+
+Not specifying this option is equivalent to "tsx_async_abort=full".
+
+The kernel command line also allows to control the TSX feature using the
+parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
+to control the TSX feature and the enumeration of the TSX feature bits (RTM
+and HLE) in CPUID.
+
+The valid options are:
+
+ ============ =============================================================
+ off Disables TSX.
+
+ on Enables TSX.
+
+ auto Disables TSX on affected platform, otherwise enables TSX.
+ ============ =============================================================
+
+Not specifying this option is equivalent to "tsx=off".
+
+The following combinations of the "tsx_async_abort" and "tsx" are possible. For
+affected platforms tsx=auto is equivalent to tsx=off and the result will be:
+
+ ========= ==================== =========================================
+ tsx=on tsx_async_abort=full The system will use VERW to clear CPU
+ buffers.
+ tsx=on tsx_async_abort=off The system is vulnerable.
+ tsx=off tsx_async_abort=full TSX is disabled. System is not vulnerable.
+ tsx=off tsx_async_abort=off TSX is disabled. System is not vulnerable.
+ ========= ==================== =========================================
+
+For unaffected platforms "tsx=on" and "tsx_async_abort=full" does not clear CPU
+buffers. For platforms without TSX control "tsx" command line argument has no
+effect.
+
+
+Mitigation selection guide
+--------------------------
+
+1. Trusted userspace and guests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If all user space applications are from a trusted source and do not execute
+untrusted code which is supplied externally, then the mitigation can be
+disabled. The same applies to virtualized environments with trusted guests.
+
+
+2. Untrusted userspace and guests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+If there are untrusted applications or guests on the system, enabling TSX
+might allow a malicious actor to leak data from the host or from other
+processes running on the same physical core.
+
+If the microcode is available and the TSX is disabled on the host, attacks
+are prevented in a virtualized environment as well, even if the VMs do not
+explicitly enable the mitigation.
+
+
+.. _taa_default_mitigations:
+
+Default mitigations
+-------------------
+
+The kernel's default action for vulnerable processors is:
+
+ - Deploy TSX disable mitigation (tsx_async_abort=full).
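Review bot: the "Mitigation mechanism" section points to :ref:`taa_mitigation_sysfs`, but no `.. _taa_mitigation_sysfs:` label is defined in this file (the labels added are tsx_async_abort_sys_info, ucode_needed, virt_mechanism, taa_mitigation_control_command_line and taa_default_mitigations), so Sphinx will warn about an undefined label and the sentence "It also provides a sysfs interface" has nothing to point to; either add the section that describes runtime control or drop the sentence. The closing "Default mitigations" item is also inconsistent with the command-line section: "Deploy TSX disable mitigation (tsx_async_abort=full)" conflates the two parameters, since the text above says disabling TSX is selected with "tsx=" (default "tsx=off") while "tsx_async_abort=full" clears CPU buffers with VERW when TSX stays enabled; suggest listing both defaults explicitly. Minor: "Intel TSX are an extension" should read "is an extension", "(bit 5)is 0" is missing a space, and the sysfs value table does not say how SMT state is reported even though "full,nosmt" is described as the complete mitigation for TSX-enabled CPUs.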
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2538,6 +2538,7 @@
spec_store_bypass_disable=off [X86,PPC]
l1tf=off [X86]
mds=off [X86]
+ tsx_async_abort=off [X86]

auto (default)
Mitigate all CPU vulnerabilities, but leave SMT
@@ -2553,6 +2554,7 @@
be fully mitigated, even if it means losing SMT.
Equivalent to: l1tf=flush,nosmt [X86]
mds=full,nosmt [X86]
+ tsx_async_abort=full,nosmt [X86]

mminit_loglevel=
[KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this
@@ -4528,6 +4530,40 @@
neutralize any effect of /proc/sys/kernel/sysrq.
Useful for debugging.

+ tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async
+ Abort (TAA) vulnerability.
+
+ Similar to Micro-architectural Data Sampling (MDS)
+ certain CPUs that support Transactional
+ Synchronization Extensions (TSX) are vulnerable to an
+ exploit against CPU internal buffers which can forward
+ information to a disclosure gadget under certain
+ conditions.
+
+ In vulnerable processors, the speculatively forwarded
+ data can be used in a cache side channel attack, to
+ access data to which the attacker does not have direct
+ access.
+
+ This parameter controls the TAA mitigation. The
+ options are:
+
+ full - Enable TAA mitigation on vulnerable CPUs
+ full,nosmt - Enable TAA mitigation and disable SMT on
+ vulnerable CPUs. If TSX is disabled, SMT
+ is not disabled because CPU is not
+ vulnerable to cross-thread TAA attacks.
+ off - Unconditionally disable TAA mitigation
+
+ Not specifying this option is equivalent to
+ tsx_async_abort=full. On CPUs which are MDS affected
+ and deploy MDS mitigation, TAA mitigation is not
+ required and doesn't provide any additional
+ mitigation.
+
+ For details see:
+ Documentation/admin-guide/hw-vuln/tsx_async_abort.rst
+
tcpmhash_entries= [KNL,NET]
Set the number of tcp_metrics_hash slots.
Default value is 8192 or 16384 depending on total
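Review bot: the new tsx_async_abort= entry makes SMT handling depend on whether TSX is disabled, and the hw-vuln document added by this patch documents a separate "tsx=" parameter (off/on/auto) for that, but no "tsx=" entry is added to kernel-parameters.txt in this hunk; either cross-reference "tsx=" here or confirm that the patch which introduces the parameter documents it. Minor: "Similar to Micro-architectural Data Sampling (MDS) certain CPUs" needs a comma after "(MDS)", and the spelling of "Micro-architectural" should be made consistent with the Documentation/x86 file in this series.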
--- a/Documentation/x86/index.rst
+++ b/Documentation/x86/index.rst
@@ -6,3 +6,4 @@ x86 architecture specifics
:maxdepth: 1

mds
+ tsx_async_abort
--- /dev/null
+++ b/Documentation/x86/tsx_async_abort.rst
@@ -0,0 +1,54 @@
+TSX Async Abort (TAA) mitigation
+=================================================
+
+.. _tsx_async_abort:
+
+Overview
+--------
+
+TSX Async Abort (TAA) is a side channel attack on internal buffers in some
+Intel processors similar to Microachitectural Data Sampling (MDS). In this
+case certain loads may speculatively pass invalid data to dependent operations
+when an asynchronous abort condition is pending in a Transactional
+Synchronization Extensions (TSX) transaction. This includes loads with no
+fault or assist condition. Such loads may speculatively expose stale data from
+the same uarch data structures as in MDS, with same scope of exposure i.e.
+same-thread and cross-thread. This issue affects all current processors that
+support TSX.
+
+Mitigation strategy
+-------------------
+
+a) TSX disable - One of the mitigation is to disable TSX feature. A new MSR
+IA32_TSX_CTRL will be available in future and current processors and after a
+microcode update in which can be used to disable TSX. This MSR can be used to
+disable the TSX feature and the enumeration of the TSX feature bits(RTM and
+HLE) in CPUID.
+
+b) CPU clear buffers - Similar to MDS, clearing the CPU buffers mitigates this
+vulnerability. More details on this approach can be found here
+https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+
+Kernel internal mitigation modes
+--------------------------------
+
+ ============= ============================================================
+ off Mitigation is disabled. Either the CPU is not affected or
+ tsx_async_abort=off is supplied on the kernel command line.
+
+ tsx disabled Mitigation is enabled. TSX feature is disabled by default at
+ bootup on processors that support TSX control.
+
+ verw Mitigation is enabled. CPU is affected and MD_CLEAR is
+ advertised in CPUID.
+
+ ucode needed Mitigation is enabled. CPU is affected and MD_CLEAR is not
+ advertised in CPUID. That is mainly for virtualization
+ scenarios where the host has the updated microcode but the
+ hypervisor does not expose MD_CLEAR in CPUID. It's a best
+ effort approach without guarantee.
+ ============= ============================================================
+
+If the CPU is affected and "tsx_async_abort" kernel command line parameter is
+not provided then the kernel selects an appropriate mitigation depending on the
+status of RTM and MD_CLEAR CPUID bits.
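Review bot: in "Mitigation strategy" item a), the sentence "A new MSR IA32_TSX_CTRL will be available in future and current processors and after a microcode update in which can be used to disable TSX" does not parse and partly repeats the sentence that follows it; suggest "A new MSR, IA32_TSX_CTRL, is available on future processors and on current processors after a microcode update. It can be used to disable the TSX feature and the enumeration of the TSX feature bits (RTM and HLE) in CPUID." Also "One of the mitigation is" should be "One of the mitigations is", "Microachitectural" should be "Microarchitectural", and "bits(RTM" is missing a space. The "tsx disabled" row says TSX is disabled "by default at bootup", which matches the admin guide only when "tsx=" is left unspecified (default tsx=off); stating that this mode corresponds to tsx=off, or tsx=auto on an affected CPU, would keep the two documents in agreement.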