File: [NetBSD Developer Wiki] / wikisrc / security / intel_taa.mdwn
Revision 1.4, Tue Nov 12 21:25:11 2019 UTC, by maxv
Branches: MAIN
CVS tags: HEAD

[[!meta title="Intel TAA"]]

###Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

TAA is closely related to the MDS vulnerabilities, which are already mitigated
in NetBSD: on CPUs affected by MDS, the existing MDS mitigation also covers
TAA. CPUs that support TSX but are not affected by MDS need a TAA-specific
mitigation, described below.
###Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases
have no planned fixes.
###Mitigation

The mitigation for TAA depends on the Intel CPU model and on the available
microcode or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.
###Enabling the mitigation

The two following sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]
The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](
if not already enabled.

Two cases must then be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
   considered:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. Once the microcode is loaded,
     you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
     TAA-specific mitigation. Verify afterwards that `sysctl machdep.taa.mitigated`
     reports `1`.
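The decision procedure above, written out as an added shell example. This is not code from the NetBSD wiki or from the NetBSD project: the function names are hypothetical, the `[TSX_CTRL]` method string used in the self-check is a constructed value standing in for "anything other than `[MDS]`", and the only real interfaces relied on are the `machdep.taa.*` and `machdep.mds.mitigated` sysctl leaves named on this page and `sysctl -n`, which prints a leaf's value without its name.

```shell
#!/bin/sh
# Added example (not NetBSD code): apply the two cases from the page to the
# values of machdep.taa.method, machdep.mds.mitigated and machdep.taa.mitigated.

# taa_action METHOD MDS_MITIGATED TAA_MITIGATED
# Prints the action to take; pure function so it can be checked offline.
taa_action() {
    method=$1
    mds=$2
    taa=$3
    case "$method" in
        '[MDS]')
            # Case 1: no TAA-specific mitigation exists; only the MDS leaf counts.
            if [ "$mds" = 1 ]; then
                echo "covered-by-mds"
            else
                echo "enable-mds"
            fi
            ;;
        *)
            # Case 2: any other method string means a TAA-specific mitigation
            # is needed (set by the kernel at boot if the microcode has it).
            if [ "$taa" = 1 ]; then
                echo "taa-mitigated"
            else
                echo "need-microcode-then-enable"
            fi
            ;;
    esac
}

# Read the live values on a NetBSD host and act on them. Changing a leaf
# requires root. Hypothetical helper; not part of NetBSD.
taa_check_live() {
    method=$(sysctl -n machdep.taa.method)
    mds=$(sysctl -n machdep.mds.mitigated)
    taa=$(sysctl -n machdep.taa.mitigated)
    action=$(taa_action "$method" "$mds" "$taa")
    echo "machdep.taa.method=$method -> $action"
    case "$action" in
        enable-mds)
            echo "enable the MDS mitigation first; TAA is covered by it here" >&2
            ;;
        need-microcode-then-enable)
            # Load newer microcode first (pkgsrc sysutils/intel-microcode-netbsd),
            # then flip the leaf and confirm the kernel actually kept it at 1.
            if sysctl -w machdep.taa.mitigated=1 >/dev/null &&
               [ "$(sysctl -n machdep.taa.mitigated)" = 1 ]; then
                echo "TAA-specific mitigation enabled"
            else
                echo "TAA mitigation still off: does the loaded microcode provide it?" >&2
            fi
            ;;
    esac
}

# taa_check_live   # uncomment to run on a NetBSD host
```

The pure `taa_action` function is the part worth keeping: it encodes the rule that `[MDS]` as the method means you never touch `machdep.taa.mitigated` directly, while any other method means the TAA leaf itself must read `1`, either set by the kernel at boot or by you after loading microcode.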
