Subject: [MODERATED] Re: [PATCH v6 1/9] TAAv6 1
References: <4102a059c94384a1cbb2c1919eb446683cce9399.1570658888.git.pawan.kumar.gupta@linux.intel.com>
From: Andrew Cooper
Message-ID: <761bccc8-4880-a190-a32f-98a487f0329e@citrix.com>
Date: Thu, 10 Oct 2019 00:38:03 +0100
In-Reply-To: <4102a059c94384a1cbb2c1919eb446683cce9399.1570658888.git.pawan.kumar.gupta@linux.intel.com>
To: speck@linutronix.de

On 10/10/2019 00:22, speck for Pawan Gupta wrote:
> Transactional Synchronization Extensions (TSX) may be used on certain
> processors as part of a speculative side channel attack. A microcode
> update for existing processors that are vulnerable to this attack will
> add a new MSR, IA32_TSX_CTRL to allow the system administrator the
> option to disable TSX as one of the possible mitigations. [Note that
> future processors that are not vulnerable will also support the
> IA32_TSX_CTRL MSR]. Add defines for the new IA32_TSX_CTRL MSR and its
> bits.
>
> TSX has two sub-features:
>
> 1. Restricted Transactional Memory (RTM) is an explicitly-used feature
>    where new instructions begin and end TSX transactions.
> 2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of
>    "old" style locks are used by software.
>
> Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the
> IA32_TSX_CTRL MSR.
>
> There are two control bits in IA32_TSX_CTRL MSR:
>
>   Bit 0: When set it disables the Restricted Transactional Memory (RTM)
>          sub-feature of TSX (will force all transactions to abort on the
>          XBEGIN instruction).
>
>   Bit 1: When set it disables the enumeration of the RTM and HLE feature
>          (i.e. it will make CPUID(EAX=7).EBX{bit4} and
>          CPUID(EAX=7).EBX{bit11} read as 0).
>
> The other TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally
> disabled but still enumerated as present by CPUID(EAX=7).EBX{bit4}.

So one paragraph was changed, but not this one it seems.

As for HLE itself, bit 0 is specified to disable it, along with RTM. (Or
at least, it says so in the latest doc I have on the subject).

I don't know what the enabled status of HLE is on the MDS_NO, TAA parts,
and whether it is statically disabled with the TSX_CTRL microcode, but if
it isn't statically disabled then it needs to be dynamically disabled by
bit 0, or a 'CLFLUSH; XBEGIN ...; MOV secret' can still be used to
exploit TAA.

~Andrew
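
The bit layout from the quoted commit message, as an added example that is not part of the original mail or of the patch under review: a C helper that classifies the RTM mitigation state from raw register values an auditor has already collected. The enum names and `tsx_classify` are hypothetical, the sample values in `main` are constructed, and the helper makes no statement about HLE execution, which the thread leaves open.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions as given in the quoted commit message. */
#define ARCH_CAP_TSX_CTRL_MSR (1ULL << 7)  /* IA32_ARCH_CAPABILITIES bit 7 */
#define TSX_CTRL_RTM_DISABLE  (1ULL << 0)  /* IA32_TSX_CTRL bit 0 */
#define TSX_CTRL_CPUID_CLEAR  (1ULL << 1)  /* IA32_TSX_CTRL bit 1 */
#define CPUID7_EBX_HLE        (1U << 4)    /* CPUID(EAX=7).EBX bit 4 */
#define CPUID7_EBX_RTM        (1U << 11)   /* CPUID(EAX=7).EBX bit 11 */

/* Hypothetical result codes for this example. */
enum tsx_state {
    TSX_NO_CTRL_MSR,     /* bit 7 clear: IA32_TSX_CTRL is not present */
    TSX_RTM_ENABLED,     /* bit 0 clear: transactions are not forced to abort */
    TSX_RTM_OFF_VISIBLE, /* bit 0 set, bit 1 clear: RTM/HLE still enumerated */
    TSX_RTM_OFF_HIDDEN,  /* bits 0 and 1 set, CPUID bits read as 0 */
    TSX_INCONSISTENT     /* bit 1 set, yet CPUID still enumerates RTM or HLE */
};

enum tsx_state tsx_classify(uint64_t arch_cap, uint64_t tsx_ctrl,
                            uint32_t cpuid7_ebx)
{
    /* Without the capability bit, the tsx_ctrl value is meaningless. */
    if (!(arch_cap & ARCH_CAP_TSX_CTRL_MSR))
        return TSX_NO_CTRL_MSR;
    /* Bit 1 is described as forcing both CPUID bits to 0; anything else
     * means the inputs disagree (e.g. sampled on different CPUs). */
    if ((tsx_ctrl & TSX_CTRL_CPUID_CLEAR) &&
        (cpuid7_ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM)))
        return TSX_INCONSISTENT;
    /* Hiding CPUID alone (bit 1 without bit 0) leaves RTM enabled. */
    if (!(tsx_ctrl & TSX_CTRL_RTM_DISABLE))
        return TSX_RTM_ENABLED;
    return (tsx_ctrl & TSX_CTRL_CPUID_CLEAR) ? TSX_RTM_OFF_HIDDEN
                                             : TSX_RTM_OFF_VISIBLE;
}

int main(void)
{
    /* Constructed sample: MSR present, both control bits set, CPUID clear. */
    printf("state=%d\n", tsx_classify(0x80, 0x3, 0));
    /* Constructed sample: CPUID hidden but RTM never disabled. */
    printf("state=%d\n", tsx_classify(0x80, 0x2, 0));
    return 0;
}
```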