Annotation of wikisrc/security/intel_taa.mdwn, revision 1.5

[[!meta title="Intel TAA"]]

### Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

The TAA vulnerability is a sub-set of the MDS vulnerability, which is already
mitigated in NetBSD.

### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases have
no planned fix.

### Mitigation

The mitigation for TAA depends on the Intel CPU model and on the available
microcode or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The following two sysctls are available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if not already enabled. This may imply loading an updated microcode, if not
already provided by the BIOS.

Two cases must then be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
   considered:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
     you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
     TAA-specific mitigation.
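
The decision procedure above, written as a small POSIX shell script, is an added
example and not part of the NetBSD wiki page or the NetBSD source tree. It reads
the three sysctl leaves named on the page (`machdep.taa.method`,
`machdep.taa.mitigated`, `machdep.mds.mitigated`) and reports whether the host is
covered; the `taa_status` function takes the values as arguments so the logic can
be exercised on any system. The fallback values used when the leaves are absent
(a non-NetBSD host) are constructed sample values, not real output.

```shell
#!/bin/sh
# Added example (not NetBSD wiki or kernel code): evaluate the TAA mitigation
# state following the two cases described for machdep.taa.method.

# taa_status METHOD TAA_MITIGATED MDS_MITIGATED
# Prints a one-line verdict; returns 0 when TAA is mitigated, 1 otherwise.
taa_status() {
    method=$1
    taa=$2
    mds=$3
    case "$method" in
        '[MDS]')
            # Case 1: no TAA-specific mitigation exists on this CPU; the
            # machdep.mds.mitigated leaf is the one that matters.
            if [ "$mds" = 1 ]; then
                echo "TAA covered by the MDS mitigation (machdep.mds.mitigated=1)"
                return 0
            fi
            echo "TAA not mitigated: enable the MDS mitigation first"
            return 1
            ;;
        *)
            # Case 2: a TAA-specific mitigation is needed. It is either set at
            # boot by updated BIOS microcode, or enabled by hand after loading
            # microcode from pkgsrc (sysutils/intel-microcode-netbsd).
            if [ "$taa" = 1 ]; then
                echo "TAA-specific mitigation active (method: $method)"
                return 0
            fi
            echo "TAA-specific mitigation not enabled: load updated microcode, then sysctl -w machdep.taa.mitigated=1"
            return 1
            ;;
    esac
}

# read_leaf NAME FALLBACK: value of a sysctl leaf, or FALLBACK when the leaf
# does not exist (e.g. when run on a non-NetBSD host). FALLBACK values below
# are constructed samples only.
read_leaf() {
    sysctl -n "$1" 2>/dev/null || echo "$2"
}

# Top-level check for use on a live NetBSD host.
check_host() {
    taa_status "$(read_leaf machdep.taa.method '[MDS]')" \
               "$(read_leaf machdep.taa.mitigated 0)" \
               "$(read_leaf machdep.mds.mitigated 0)"
}
```

Run it as `sh taa_check.sh && echo OK` after adding a final line `check_host`;
the exit status is meant to be consumed by configuration-management or
post-boot health checks so that a host that silently lost its mitigation (for
instance after a BIOS downgrade) is flagged.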