File:  [NetBSD Developer Wiki] / wikisrc / security / intel_taa.mdwn
Revision 1.2
Tue Nov 12 21:19:44 2019 UTC by maxv
Branches: MAIN
CVS tags: HEAD
formatting

[[!meta title="Intel TAA"]]

### Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

The TAA vulnerability is a sub-set of the MDS vulnerability, which is already
mitigated in NetBSD.

### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases have
no planned fixes.

### Mitigation

The mitigation for TAA depends on the Intel CPU model and on the available
microcode or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The two following sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if not already enabled.

Two cases must be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
   considered:

     * If the BIOS provides an updated microcode containing this TAA-specific
       mitigation, then NetBSD will have set `machdep.taa.mitigated=1`
       automatically at boot time.

     * If the BIOS does not provide this updated microcode, you may use NetBSD's
       pkgsrc to fetch the latest microcode distribution from Intel via the
       **sysutils/intel-microcode-netbsd** package. Once loaded, you can issue the
       `sysctl -w machdep.taa.mitigated=1` command to enable the TAA-specific
       mitigation.
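As an added example (not part of the wiki page), the decision procedure above written as a small POSIX sh script that classifies `sysctl` output: the function names are hypothetical, the sample outputs are constructed, and the method string `[TAA-SPECIFIC]` is a placeholder, since the page only names `[MDS]` and says the real string is built by the kernel.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki: classify the TAA mitigation state
# from machdep.taa.* and machdep.mds.mitigated, following the cases above.

# Extract one leaf's value from "name = value" lines as sysctl(8) prints them.
sysctl_value() {
    # $1: leaf name; stdin: sysctl output
    awk -v leaf="$1" '$1 == leaf { print $3; exit }'
}

# Print one of MDS_MITIGATED, MDS_UNMITIGATED, TAA_MITIGATED,
# TAA_NEEDS_MICROCODE_OR_SYSCTL.
taa_state() {
    # $1: machdep.taa.method  $2: machdep.taa.mitigated  $3: machdep.mds.mitigated
    case "$1" in
        "[MDS]")
            # No TAA-specific mitigation exists; only the MDS leaf counts.
            [ "$3" = "1" ] && echo MDS_MITIGATED || echo MDS_UNMITIGATED ;;
        *)
            # TAA-specific mitigation: 1 means microcode had it at boot or it was
            # enabled with sysctl -w; 0 means microcode and/or sysctl still needed.
            [ "$2" = "1" ] && echo TAA_MITIGATED || echo TAA_NEEDS_MICROCODE_OR_SYSCTL ;;
    esac
}

# Classify a block of sysctl output read from stdin.
classify_sysctl_output() {
    out=$(cat)
    method=$(printf '%s\n' "$out" | sysctl_value machdep.taa.method)
    taa=$(printf '%s\n' "$out" | sysctl_value machdep.taa.mitigated)
    mds=$(printf '%s\n' "$out" | sysctl_value machdep.mds.mitigated)
    taa_state "$method" "$taa" "$mds"
}

# Constructed sample: TAA covered by the existing MDS mitigation.
SAMPLE_MDS_ONLY='machdep.taa.mitigated = 1
machdep.taa.method = [MDS]
machdep.mds.mitigated = 1'

# Constructed sample: TAA-specific mitigation required but not yet enabled.
# "[TAA-SPECIFIC]" is a placeholder; the real method string is kernel-built.
SAMPLE_TAA_PENDING='machdep.taa.mitigated = 0
machdep.taa.method = [TAA-SPECIFIC]
machdep.mds.mitigated = 1'

# On a NetBSD host: sysctl machdep.taa machdep.mds.mitigated | classify_sysctl_output
printf '%s\n' "$SAMPLE_MDS_ONLY" | classify_sysctl_output
printf '%s\n' "$SAMPLE_TAA_PENDING" | classify_sysctl_output
```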
