Return to intel_taa.mdwn CVS log

Up to [NetBSD Developer Wiki] / wikisrc / security

Annotation of wikisrc/security/intel_taa.mdwn, revision 1.6

1.1       maxv        1: [[!meta title="Intel TAA"]]
                      2: 
1.6     ! maxv        3: Release date: 2019-11-12
        !             4: 
1.1       maxv        5: ###Description
                      6: Details and mitigation information about a sub-class of speculative execution
                      7: side-channel vulnerabilities called TSX Asynchronous Abort (TAA).
                      8: 
1.6     ! maxv        9: Please refer to the Intel Security Advisory 00270 located at:
        !            10: [Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html).
        !            11: 
1.1       maxv       12: The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated
                     13: in NetBSD.
                     14: 
                     15: ##Status of the Fix
                     16: 
                     17: NetBSD-8 and above have received a fix. NetBSD-7, and all the anterior releases,
                     18: have no planned fixes.
                     19: 
                     20: ###Mitigation
                     21: 
                     22: The mitigation for TAA depends on the Intel CPU model and available microcode
                     23: or motherboard BIOS revision.
                     24: 
                     25: You may also want to disable SMT/HyperThreading to address certain aspects of
                     26: the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
                     27: can put **smtoff=YES** in your */etc/rc.conf* file.
                     28: 
                     29: ###Enabling the mitigation
                     30: 
                     31: The two following sysctls are now available:
                     32: 
                     33: [[!template id=programlisting text="""
                     34: machdep.taa.mitigated = {0/1} user-settable
                     35: machdep.taa.method = {string} constructed by the kernel
                     36: """]]
                     37: 
                     38: The TAA mitigation may be provided by the already-existing MDS mitigation.
1.4       maxv       39: Before enabling the TAA mitigation, you should first
1.1       maxv       40: [enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
1.5       maxv       41: if not already enabled. This may imply loading an updated microcode, if not
                     42: already provided by the BIOS.
1.1       maxv       43: 
1.4       maxv       44: Two cases must then be considered, depending the content of `machdep.taa.method`:
1.1       maxv       45: 
1.2       maxv       46:  * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
                     47:    use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
1.1       maxv       48:    and only the latter is to be used.
                     49: 
                     50:  * Otherwise, there is a TAA-specific mitigation needed. Two sub-cases must be
                     51:    considered:
                     52: 
1.3       maxv       53:    * If the BIOS provides an updated microcode containing this TAA-specific
1.2       maxv       54:      mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
1.1       maxv       55:      at boot time.
                     56: 
1.3       maxv       57:    * If the BIOS does not provide this updated microcode, you may use NetBSD's
1.1       maxv       58:      pkgsrc to fetch the latest microcode distribution from Intel via the
1.5       maxv       59:      **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
                     60:      you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
                     61:      TAA-specific mitigation.