Annotation of wikisrc/security/intel_taa.mdwn, revision 1.1 (committed by maxv)

[[!meta title="Intel TAA"]]

### Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

The TAA vulnerability is a subset of the MDS vulnerability, which is already
mitigated in NetBSD.

### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7, and all earlier releases,
have no planned fixes.

### Mitigation

The mitigation for TAA depends on the Intel CPU model and on the available
microcode or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The following two sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if it is not already enabled.

Two cases must be considered, depending on the content of "machdep.taa.method":

 * If this leaf is set to "[MDS]", then there is no TAA-specific mitigation to
   use: the "machdep.taa.mitigated" leaf will be equal to "machdep.mds.mitigated",
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
   considered:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set "machdep.taa.mitigated=1" automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. Once the microcode is loaded,
     you can issue the "sysctl -w machdep.taa.mitigated=1" command to enable the
     TAA-specific mitigation.
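The case analysis above, written out as a small check script. This is an added example, not part of the NetBSD wiki page or the NetBSD source tree; the function names taa_state, taa_advice and taa_report are hypothetical, and the only sysctl leaves it reads are the three named on this page.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki): classify a host's TAA state from
# the sysctl leaves described above and print the page's next step.
# taa_state, taa_advice and taa_report are hypothetical helper names.

# taa_state METHOD TAA_MITIGATED MDS_MITIGATED -> prints one status token
taa_state() {
    method=$1 taa_mit=$2 mds_mit=$3
    case "$method" in
        "[MDS]")
            # Case 1: taa.mitigated mirrors mds.mitigated; only the MDS leaf matters.
            if [ "$mds_mit" = 1 ]; then echo covered-by-mds; else echo enable-mds; fi
            ;;
        *)
            # Case 2: a TAA-specific mitigation exists; the kernel sets the leaf
            # to 1 itself when the loaded microcode carries it, else enable by hand.
            if [ "$taa_mit" = 1 ]; then echo taa-mitigated; else echo needs-microcode; fi
            ;;
    esac
}

# Advice text for each token, mirroring the page's instructions.
taa_advice() {
    case "$1" in
        covered-by-mds)  echo "TAA is covered by the MDS mitigation; nothing more to do." ;;
        enable-mds)      echo "Enable the MDS mitigation first (see the intel_mds page)." ;;
        taa-mitigated)   echo "TAA-specific mitigation is active." ;;
        needs-microcode) echo "Install sysutils/intel-microcode-netbsd, load it, then: sysctl -w machdep.taa.mitigated=1" ;;
        *) echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# Read the live leaves on NetBSD (sysctl -n prints the bare value).
taa_report() {
    method=$(sysctl -n machdep.taa.method) || return 1
    taa_mit=$(sysctl -n machdep.taa.mitigated) || return 1
    mds_mit=$(sysctl -n machdep.mds.mitigated) || return 1
    state=$(taa_state "$method" "$taa_mit" "$mds_mit")
    echo "machdep.taa.method=$method taa.mitigated=$taa_mit mds.mitigated=$mds_mit -> $state"
    taa_advice "$state"
}

# Run the live report only where the TAA leaf exists (i.e. on NetBSD/x86).
if sysctl -n machdep.taa.method >/dev/null 2>&1; then
    taa_report
fi
```

On a host whose method is "[MDS]" the script only consults machdep.mds.mitigated, exactly as the first case above says; on any other method string it reports whether machdep.taa.mitigated is already 1 or still needs the microcode package and the sysctl -w command.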
