Subject: [MODERATED] Re: [PATCH v6 1/9] TAAv6 1
From: Andrew Cooper
Date: Thu, 10 Oct 2019 00:40:45 +0100
Message-ID: <39d7dc3c-242b-693f-c950-05ccea9dc3df@citrix.com>
In-Reply-To: <761bccc8-4880-a190-a32f-98a487f0329e@citrix.com>
To: speck@linutronix.de

On 10/10/2019 00:38, speck for Andrew Cooper wrote:
> On 10/10/2019 00:22, speck for Pawan Gupta wrote:
>> Transactional Synchronization Extensions (TSX) may be used on certain
>> processors as part of a speculative side channel attack. A microcode
>> update for existing processors that are vulnerable to this attack will
>> add a new MSR, IA32_TSX_CTRL to allow the system administrator the
>> option to disable TSX as one of the possible mitigations. [Note that
>> future processors that are not vulnerable will also support the
>> IA32_TSX_CTRL MSR]. Add defines for the new IA32_TSX_CTRL MSR and its
>> bits.
>>
>> TSX has two sub-features:
>>
>> 1. Restricted Transactional Memory (RTM) is an explicitly-used feature
>> where new instructions begin and end TSX transactions.
>> 2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of
>> "old" style locks are used by software.
>>
>> Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the
>> IA32_TSX_CTRL MSR.
>>
>> There are two control bits in IA32_TSX_CTRL MSR:
>>
>> Bit 0: When set it disables the Restricted Transactional Memory (RTM)
>> sub-feature of TSX (will force all transactions to abort on the
>> XBEGIN instruction).
>>
>> Bit 1: When set it disables the enumeration of the RTM and HLE feature
>> (i.e. it will make CPUID(EAX=7).EBX{bit4} and
>> CPUID(EAX=7).EBX{bit11} read as 0).
>>
>> The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
>> disabled but still enumerated as present by CPUID(EAX=7).EBX{bit4}.
> So one paragraph was changed, but not this one it seems.
>
> As for HLE itself, bit 0 is specified to disable it, along with RTM.
> (Or at least, it says so in the latest doc I have on the subject).
>
> I don't know what the enabled status of HLE is on the MDS_NO, TAA parts,
> and whether it is statically disabled with the TSX_CTRL microcode, but
> if it isn't statically disabled then it needs to be dynamically disabled
> by bit 0, or a 'CLFLUSH; XBEGIN ...; MOV secret' can still be used to
> exploit TAA.

Apologies.  That is the RTM sequence.

For HLE, I meant 'CLFLUSH; XAQUIRE ...; MOV secret'.

~Andrew
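An added example, not part of the mail or the patch, that decodes the two MSRs described in the quoted commit message so an administrator can check the mitigation state of a machine: ARCH_CAPABILITIES bit 7 for the presence of IA32_TSX_CTRL, and TSX_CTRL bits 0 and 1 for RTM disable and CPUID clear. The MSR addresses (0x10a and 0x122) come from the Intel SDM, not from the mail, and reading them through /dev/cpu/0/msr assumes the msr driver is loaded and the program runs as root.

```c
/* Added example: decode IA32_ARCH_CAPABILITIES / IA32_TSX_CTRL as described
 * in the patch text. MSR addresses are taken from the Intel SDM (assumption:
 * not stated in the mail). Needs the msr driver and root to read live values. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MSR_IA32_ARCH_CAPABILITIES 0x10aU
#define MSR_IA32_TSX_CTRL          0x122U
#define ARCH_CAP_TSX_CTRL_MSR      (1ULL << 7)  /* bit 7: TSX_CTRL MSR present */
#define TSX_CTRL_RTM_DISABLE       (1ULL << 0)  /* bit 0: XBEGIN always aborts  */
#define TSX_CTRL_CPUID_CLEAR       (1ULL << 1)  /* bit 1: hide HLE/RTM in CPUID */
#define CPUID7_EBX_HLE             (1U << 4)    /* CPUID(EAX=7).EBX bit 4  */
#define CPUID7_EBX_RTM             (1U << 11)   /* CPUID(EAX=7).EBX bit 11 */

/* CPUID(7).EBX as software sees it: with TSX_CTRL bit 1 set, the HLE and RTM
 * bits read as 0; every other bit is untouched. */
uint32_t effective_cpuid7_ebx(uint32_t raw_ebx, uint64_t tsx_ctrl)
{
    if (tsx_ctrl & TSX_CTRL_CPUID_CLEAR)
        return raw_ebx & ~(CPUID7_EBX_HLE | CPUID7_EBX_RTM);
    return raw_ebx;
}

/* 1 if RTM transactions are forced to abort, 0 if RTM still runs, -1 if the
 * control MSR is not enumerated (TSX cannot be disabled this way). */
int rtm_disabled(uint64_t arch_cap, uint64_t tsx_ctrl)
{
    if (!(arch_cap & ARCH_CAP_TSX_CTRL_MSR))
        return -1;
    return (tsx_ctrl & TSX_CTRL_RTM_DISABLE) ? 1 : 0;
}

/* Read one MSR of CPU 0 via the msr driver (file offset = MSR address). */
static int read_msr(uint32_t reg, uint64_t *val)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = pread(fd, val, sizeof *val, reg) == (ssize_t)sizeof *val;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    uint64_t cap = 0, ctl = 0;
    if (read_msr(MSR_IA32_ARCH_CAPABILITIES, &cap)) { perror("msr"); return 1; }
    if (!(cap & ARCH_CAP_TSX_CTRL_MSR)) { puts("IA32_TSX_CTRL not enumerated"); return 0; }
    if (read_msr(MSR_IA32_TSX_CTRL, &ctl)) { perror("msr"); return 1; }
    printf("TSX_CTRL=%#llx: RTM %s, CPUID HLE/RTM bits %s\n", (unsigned long long)ctl,
           rtm_disabled(cap, ctl) == 1 ? "disabled" : "enabled",
           (ctl & TSX_CTRL_CPUID_CLEAR) ? "cleared" : "visible");
    return 0;
}
```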