On 10/10/2019 00:38, speck for Andrew Cooper wrote:
> On 10/10/2019 00:22, speck for Pawan Gupta wrote:
>> Transactional Synchronization Extensions (TSX) may be used on certain
>> processors as part of a speculative side channel attack. A microcode
>> update for existing processors that are vulnerable to this attack will
>> add a new MSR, IA32_TSX_CTRL to allow the system administrator the
>> option to disable TSX as one of the possible mitigations. [Note that
>> future processors that are not vulnerable will also support the
>> IA32_TSX_CTRL MSR]. Add defines for the new IA32_TSX_CTRL MSR and its
>> bits.
>>
>> TSX has two sub-features:
>>
>> 1. Restricted Transactional Memory (RTM) is an explicitly-used feature
>>    where new instructions begin and end TSX transactions.
>> 2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of
>>    "old" style locks are used by software.
>>
>> Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the
>> IA32_TSX_CTRL MSR.
>>
>> There are two control bits in IA32_TSX_CTRL MSR:
>>
>> Bit 0: When set it disables the Restricted Transactional Memory (RTM)
>>        sub-feature of TSX (will force all transactions to abort on the
>>        XBEGIN instruction).
>>
>> Bit 1: When set it disables the enumeration of the RTM and HLE feature
>>        (i.e. it will make CPUID(EAX=7).EBX{bit4} and
>>        CPUID(EAX=7).EBX{bit11} read as 0).
>>
>> The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
>> disabled but still enumerated as present by CPUID(EAX=7).EBX{bit4}.
> So one paragraph was changed, but not this one it seems.
>
> As for HLE itself, bit 0 is specified to disable it, along with RTM.
> (Or at least, it says so in the latest doc I have on the subject).
>
> I don't know what the enabled status of HLE is on the MDS_NO, TAA parts,
> and whether it is statically disabled with the TSX_CTRL microcode, but
> if it isn't statically disabled then it needs to be dynamically disabled
> by bit 0, or a 'CLFLUSH; XBEGIN ...; MOV secret' can still be used to
> exploit TAA.

Apologies. That is the RTM sequence.

For HLE, I meant 'CLFLUSH; XACQUIRE ...; MOV secret'.

~Andrew
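
The bit layout from the quoted commit message, as an added example that is not part of the thread or the patch: a C classifier that takes raw IA32_ARCH_CAPABILITIES, IA32_TSX_CTRL and CPUID(EAX=7).EBX values and reports the resulting RTM state, flagging the case where enumeration is hidden but RTM is not actually disabled. The enum, function and macro names are hypothetical, the register values in main() are constructed, and whether bit 0 also covers HLE (the open question in this thread) is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions as given in the quoted commit message. */
#define ARCH_CAP_TSX_CTRL    (1ULL << 7)  /* IA32_ARCH_CAPABILITIES: TSX_CTRL present */
#define TSX_CTRL_RTM_DISABLE (1ULL << 0)  /* XBEGIN is forced to abort */
#define TSX_CTRL_CPUID_CLEAR (1ULL << 1)  /* RTM/HLE hidden from CPUID */
#define CPUID7_EBX_HLE       (1U << 4)
#define CPUID7_EBX_RTM       (1U << 11)

enum tsx_state {              /* hypothetical names, not from the patch */
    TSX_NO_CTRL_MSR,          /* bit 7 clear: the MSR does not exist */
    TSX_RTM_ON,               /* bit 0 clear, bit 1 clear */
    TSX_RTM_ON_HIDDEN,        /* bit 1 set only: hidden from CPUID, not disabled */
    TSX_RTM_OFF_VISIBLE,      /* bit 0 set only: disabled, still enumerated */
    TSX_RTM_OFF_HIDDEN,       /* both bits set and CPUID agrees */
    TSX_INCONSISTENT          /* bit 1 set but CPUID still shows RTM or HLE */
};

/* Classify one CPU from raw register values read elsewhere. */
enum tsx_state tsx_classify(uint64_t arch_caps, uint64_t tsx_ctrl,
                            uint32_t cpuid7_ebx)
{
    int rtm_off = (tsx_ctrl & TSX_CTRL_RTM_DISABLE) != 0;

    if (!(arch_caps & ARCH_CAP_TSX_CTRL))
        return TSX_NO_CTRL_MSR;   /* tsx_ctrl is meaningless here */
    if (tsx_ctrl & TSX_CTRL_CPUID_CLEAR) {
        if (cpuid7_ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM))
            return TSX_INCONSISTENT;
        return rtm_off ? TSX_RTM_OFF_HIDDEN : TSX_RTM_ON_HIDDEN;
    }
    return rtm_off ? TSX_RTM_OFF_VISIBLE : TSX_RTM_ON;
}

/* RTM counts as disabled only when bit 0 is set; hiding CPUID alone is not enough. */
int tsx_rtm_mitigated(enum tsx_state s)
{
    return s == TSX_RTM_OFF_VISIBLE || s == TSX_RTM_OFF_HIDDEN;
}

int main(void)
{
    /* Constructed register values, not taken from real hardware. */
    printf("%d\n", tsx_classify(0x80, 0x3, 0x0));      /* TSX_RTM_OFF_HIDDEN */
    printf("%d\n", tsx_classify(0x80, 0x2, 0x0));      /* TSX_RTM_ON_HIDDEN */
    printf("%d\n", tsx_classify(0x80, 0x2, 0x810));    /* TSX_INCONSISTENT */
    return 0;
}
```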