Date: Tue, 15 Oct 2019 19:47:02 +0200
From: Borislav Petkov
Subject: [MODERATED] Re: [PATCH v5 08/11] TAAv5 8
Message-ID: <20191015174702.GF1815@zn.tnic>
References: <20191009131251.GD6616@dhcp22.suse.cz> <20191014210458.GF4957@zn.tnic> <20191015103454.GW317@dhcp22.suse.cz>
In-Reply-To: <20191015103454.GW317@dhcp22.suse.cz>
To: speck@linutronix.de

On Tue, Oct 15, 2019 at 12:34:54PM +0200, speck for Michal Hocko wrote:
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index d6e1faa28c58..9823e34b81ce 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig 
> @@ -1940,6 +1940,28 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS > =20 > If unsure, say y. > =20 > +config X86_INTEL_ENABLE_SAFE_TSX > + prompt ""

Needs a prompt sentence, otherwise it looks like this in menuconfig:

│ │ [ ] Intel Memory Protection Keys │ │
│ │ [ ] (NEW) │ │
│ │ [*] EFI runtime service support

> + def_bool n > + depends on CPU_SUP_INTEL > + ---help--- > + Intel's TSX (Transactional Synchronization Extensions) feature > + allows to optimize locking protocols through lock elision which > + can lead to a noticeable performance boost. > + > + On the other hand it has been shown that TSX can be exploited > + to form side channel attacks (e.g. TAA) and chances are there > + will be more of those attacks discovered in the future. > + > + Therefore the TSX is not enabled by default. An admin might override

s/the //

> + this decision by tsx=3Don command line parameter. This has a risk that > + TSX will get enabled also on platforms which are known to be vulnerable > + to attacks like TAA and a safer option is to use tsx=3Dauto command line > + parameter. Enabling this config option will make tsx=3Dauto the default. > + See Documentation/admin-guide/kernel-parameters.txt for more details. > + > + If you really benefit from TSX then enable this option, otherwise say n.

^ and you know what you're doing,

> + > config EFI > bool "EFI runtime service support" > depends on ACPI > diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c > index 96320449abb7..d3dc1ce5cd4b 100644 > --- a/arch/x86/kernel/cpu/tsx.c > +++ b/arch/x86/kernel/cpu/tsx.c 
> @@ -69,6 +69,14 @@ static bool __init tsx_ctrl_is_supported(void) > return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR); > } > =20 > +static enum tsx_ctrl_states x86_safe_tsx_mode(void)

x86_get_tsx_mode()

Thx.

--
Regards/Gruss,
    Boris.

SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
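
Review bot: The help text for X86_INTEL_ENABLE_SAFE_TSX in the arch/x86/Kconfig hunk never states which tsx= setting applies when the option is left at n; it names only tsx=on and tsx=auto and leaves the rest to "the TSX is not enabled by default". Spell out the resulting default next to the sentence "Enabling this config option will make tsx=auto the default" so an admin can compare both outcomes without opening kernel-parameters.txt. The entry could also follow the neighbouring EFI entry and use bool with a prompt string in place of the empty prompt "" plus def_bool n.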
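
Review bot: x86_safe_tsx_mode() in the arch/x86/kernel/cpu/tsx.c hunk is declared without __init, while tsx_ctrl_is_supported() directly above it carries that annotation. If the new helper is only called from boot-time setup code, mark it __init as well. The function body is not visible in this quoted excerpt, so a short comment above the declaration saying which tsx_ctrl_states value it returns for each setting of X86_INTEL_ENABLE_SAFE_TSX would make the config-to-default mapping reviewable at the definition.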