File: wikisrc / security / intel_taa.mdwn (NetBSD Developer Wiki)
Revision 1.5, Tue Nov 12 21:28:31 2019 UTC, by maxv
Branches: MAIN
CVS tags: HEAD
Commit message: slightly clarify

[[!meta title="Intel TAA"]]

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated
in NetBSD.

## Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases
have no planned fixes.


The mitigation for TAA depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The following two sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first enable the MDS mitigation
if it is not already enabled. This may require loading updated microcode, if
the BIOS does not already provide it.

Two cases must then be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed, and there are two sub-cases:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
     you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
     TAA-specific mitigation.
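
The decision procedure above, written out as a POSIX sh script. This is an
added example and not NetBSD's own code: `taa_advice` takes the three sysctl
values as arguments so the logic can be exercised without a NetBSD kernel, and
`taa_check_live` reads them from a running system with `sysctl -n`. The script
only distinguishes the `[MDS]` method string from anything else; it assumes
nothing about what the kernel constructs for the TAA-specific case, and the
advice strings are the script's own wording.

```shell
#!/bin/sh
# Added example (not NetBSD project code): turn the machdep.taa.* and
# machdep.mds.* sysctl leaves into a concrete next step.
#
# taa_advice METHOD MDS_MITIGATED TAA_MITIGATED
#   METHOD         value of machdep.taa.method, "[MDS]" or a kernel-constructed string
#   MDS_MITIGATED  value of machdep.mds.mitigated (0/1)
#   TAA_MITIGATED  value of machdep.taa.mitigated (0/1)
# Prints one line of advice on stdout; always returns 0.
taa_advice() {
    method=$1
    mds=$2
    taa=$3

    case "$method" in
    '[MDS]')
        # No TAA-specific mitigation on this CPU: machdep.taa.mitigated mirrors
        # machdep.mds.mitigated, so only the MDS leaf is consulted.
        if [ "$mds" = 1 ]; then
            echo "ok: TAA covered by MDS mitigation (machdep.mds.mitigated=1)"
        else
            echo "action: enable MDS mitigation (sysctl -w machdep.mds.mitigated=1, load microcode if needed)"
        fi
        ;;
    *)
        # A TAA-specific mitigation exists; MDS must be enabled first.
        if [ "$mds" != 1 ]; then
            echo "action: enable MDS mitigation first, then TAA"
        elif [ "$taa" = 1 ]; then
            # Either the BIOS shipped the microcode (set automatically at boot)
            # or the user loaded it and set the leaf by hand.
            echo "ok: TAA-specific mitigation active ($method)"
        else
            echo "action: load updated microcode (BIOS or sysutils/intel-microcode-netbsd), then sysctl -w machdep.taa.mitigated=1"
        fi
        ;;
    esac
    return 0
}

# Query the live kernel (NetBSD only). Returns 1 if any leaf is missing,
# which is what a kernel predating the fix looks like.
taa_check_live() {
    method=$(sysctl -n machdep.taa.method 2>/dev/null) || return 1
    mds=$(sysctl -n machdep.mds.mitigated 2>/dev/null) || return 1
    taa=$(sysctl -n machdep.taa.mitigated 2>/dev/null) || return 1
    taa_advice "$method" "$mds" "$taa"
}

# Only talk to the kernel when actually running on NetBSD; elsewhere the
# functions are just defined so the logic can be tested with fixed inputs.
if [ "$(uname -s)" = NetBSD ]; then
    taa_check_live || echo "machdep.taa.* not available: kernel predates the TAA fix" >&2
fi
```

Run it as root on a fixed NetBSD-8 or later system; the `[MDS]` branch ignores
`machdep.taa.mitigated` on purpose, since the page states that leaf simply
mirrors `machdep.mds.mitigated` in that case. Note that the script does not
cover SMT/HT; whether to set `smtoff=YES` in `/etc/rc.conf` is a separate
decision.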
