Date: Fri, 25 Oct 2019 12:47:47 +0200
From: Michal Hocko
Subject: [MODERATED] Re: ***UNCHECKED*** Re: [PATCH 9/9] TAA 9
Message-ID: <20191025104747.GC17610@dhcp22.suse.cz>
References: <33b6f0fd589ba3ea35f05aacbcda0be19352a994.1571905227.git.bp@suse.de> <20191024161016.dnqexztns5xaiwh2@treble> <20191024165828.GF14115@zn.tnic>
In-Reply-To: <20191024165828.GF14115@zn.tnic>
To: speck@linutronix.de

On Thu 24-10-19 18:58:28, speck for Borislav Petkov wrote:
> On Thu, Oct 24, 2019 at 11:10:16AM -0500, speck for Josh Poimboeuf wrote:
> > I think this is misleading. tsx=on doesn't make you vulnerable to TAA,
> > because we still the TAA mitigation.
>
> Changed to:
>
> Therefore TSX is not enabled by default (aka tsx=off). An admin
> might override this decision by tsx=on the command line parameter.
> Even with TSX enabled, the kernel will attempt to enable the best
> possible TAA mitigation setting depending on the microcode available
> for the particular machine.
>
> > tsx=on vs tsx=auto is not a security consideration, but rather a
> > performance one. With tsx=auto you disable TSX on some TAA-affected
> > CPUs so you don't have to pay the performance penalty of the MDS
> > mitigations.
>
> By performance penalty you mean, when you have TSX disabled on those
> parts, you'll save yourself the VERW which should be taking care of TAA
> too?
> >
> > > +
> > > +config X86_INTEL_TSX_MODE_OFF
> > > + bool "off"
> > > + help
> > > + TSX is always disabled - equals tsx=off command line parameter.
> >
> > Define "always" :-)
>
> Changed to:
>
> "TSX is disabled if possible - equals to tsx=off command line parameter."

Thanks for refinements. The changelog and the help text was written at
the time when all this was still clear as mud.
--
Michal Hocko
SUSE Labs
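
Review bot: the help text under X86_INTEL_TSX_MODE_OFF says only that the choice "equals tsx=off command line parameter"; it does not say whether a tsx= value given at boot takes precedence over this build-time choice. Suggest stating in the help text that the option selects the default and how it interacts with the tsx= parameter, and naming the condition under which TSX cannot be disabled, since both "always" in the quoted hunk and the proposed "if possible" leave that condition unstated.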