Annotation of wikisrc/security/intel_taa.mdwn, revision 1.6
[[!meta title="Intel TAA"]]

Release date: 2019-11-12

### Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

Please refer to the Intel Security Advisory 00270 located at:
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html).

The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated
in NetBSD.

### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases
have no planned fixes.

### Mitigation

The mitigation for TAA depends on the Intel CPU model and the available microcode
or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The two following sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if not already enabled. This may imply loading an updated microcode, if not
already provided by the BIOS.

Two cases must then be considered, depending on the content of `machdep.taa.method`:

* If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
and only the latter is to be used.

* Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
considered:

    * If the BIOS provides an updated microcode containing this TAA-specific
    mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
    at boot time.

    * If the BIOS does not provide this updated microcode, you may use NetBSD's
    pkgsrc to fetch the latest microcode distribution from Intel via the
    **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
    you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
    TAA-specific mitigation.
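The decision tree above, as an added sh script that is not part of the NetBSD wiki page: it reads the three leaves named here (`machdep.taa.method`, `machdep.mds.mitigated`, `machdep.taa.mitigated`) with NetBSD's sysctl(8) and prints the next step; the verdict logic lives in `taa_advice` so it can be exercised with constructed values on any host, and the value `[OTHER]` used below is a constructed stand-in for any non-`[MDS]` method string.

```shell
#!/bin/sh
# Added example (not from the NetBSD wiki): turn the machdep.taa/mds sysctl
# leaves into the next step from the page.
#
# taa_advice METHOD MDS_MITIGATED TAA_MITIGATED prints one word:
#   mds-first        MDS is not mitigated yet: enable it before anything TAA-specific
#   covered-by-mds   method is [MDS]: rely on machdep.mds.mitigated, nothing else to do
#   mitigated        TAA-specific mitigation is active (microcode at boot, or sysctl -w)
#   needs-microcode  TAA-specific mitigation required but machdep.taa.mitigated is 0
taa_advice() {
    method=$1 mds=$2 taa=$3
    if [ "$mds" != 1 ]; then
        echo mds-first
    elif [ "$method" = '[MDS]' ]; then
        echo covered-by-mds
    elif [ "$taa" = 1 ]; then
        echo mitigated
    else
        echo needs-microcode
    fi
}

# Read the live leaves (sysctl -n prints the bare value) and report the verdict.
# Returns 1 when machdep.taa.* is absent, i.e. the kernel predates the fix.
taa_status() {
    method=$(sysctl -n machdep.taa.method 2>/dev/null) || {
        echo "machdep.taa.* not present: this kernel has no TAA fix"; return 1; }
    mds=$(sysctl -n machdep.mds.mitigated 2>/dev/null || echo 0)
    taa=$(sysctl -n machdep.taa.mitigated 2>/dev/null || echo 0)
    verdict=$(taa_advice "$method" "$mds" "$taa")
    echo "taa.method=$method mds.mitigated=$mds taa.mitigated=$taa -> $verdict"
    case "$verdict" in
        mds-first)
            echo "next: enable the MDS mitigation (wiki page intel_mds), then re-run" ;;
        needs-microcode)
            echo "next: install sysutils/intel-microcode-netbsd, load it, then run:"
            echo "      sysctl -w machdep.taa.mitigated=1" ;;
    esac
}

# Only touch the real sysctl tree on NetBSD; elsewhere the functions are just
# defined so the logic can be checked with constructed values.
if [ "$(uname -s)" = NetBSD ]; then taa_status; fi
```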
CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb