Annotation of wikisrc/security/intel_taa.mdwn, revision 1.2

1.1       maxv        1: [[!meta title="Intel TAA"]]
                      2: 
                      3: ###Description
                      4: Details and mitigation information about a sub-class of speculative execution
                      5: side-channel vulnerabilities called TSX Asynchronous Abort (TAA).
                      6: 
                      7: The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated
                      8: in NetBSD.
                      9: 
                     10: ##Status of the Fix
                     11: 
                     12: NetBSD-8 and above have received a fix. NetBSD-7, and all the anterior releases,
                     13: have no planned fixes.
                     14: 
                     15: ###Mitigation
                     16: 
                     17: The mitigation for TAA depends on the Intel CPU model and available microcode
                     18: or motherboard BIOS revision.
                     19: 
                     20: You may also want to disable SMT/HyperThreading to address certain aspects of
                     21: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
                     22: can put **smtoff=YES** in your */etc/rc.conf* file.
                     23: 
                     24: ###Enabling the mitigation
                     25: 
                     26: The two following sysctls are now available:
                     27: 
                     28: [[!template id=programlisting text="""
                     29: machdep.taa.mitigated = {0/1} user-settable
                     30: machdep.taa.method = {string} constructed by the kernel
                     31: """]]
                     32: 
                     33: The TAA mitigation may be provided by the already-existing MDS mitigation.
                     34: Before enabling the TAA mitigation, you should first enable the MDS mitigation
                     35: [enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
                     36: if not already enabled.
                     37: 
1.2     ! maxv       38: Two cases must be considered, depending the content of `machdep.taa.method`:
1.1       maxv       39: 
1.2     ! maxv       40:  * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
        !            41:    use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
1.1       maxv       42:    and only the latter is to be used.
                     43: 
                     44:  * Otherwise, there is a TAA-specific mitigation needed. Two sub-cases must be
                     45:    considered:
                     46: 
1.2     ! maxv       47:  ** If the BIOS provides an updated microcode containing this TAA-specific
        !            48:      mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
1.1       maxv       49:      at boot time.
                     50: 
1.2     ! maxv       51:  ** If the BIOS does not provide this updated microcode, you may use NetBSD's
1.1       maxv       52:      pkgsrc to fetch the latest microcode distribution from Intel via the
                     53:      **sysutils/intel-microcode-netbsd** package. Once loaded, you can issue the
1.2     ! maxv       54:      `sysctl -w machdep.taa.mitigated=1` command to enable the TAA-specific
1.1       maxv       55:      mitigation.

CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb