NetBSD Developer Wiki: wikisrc/security/intel_taa.mdwn, revision 1.6, Tue Nov 12 21:33:54 2019 UTC, by maxv (branch MAIN)

[[!meta title="Intel TAA"]]

Release date: 2019-11-12

### Description
Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

Please refer to the Intel Security Advisory 00270 located at:
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html).

The TAA vulnerability is a subset of the MDS vulnerability, which is already
mitigated in NetBSD.

### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases have
no planned fixes.

### Mitigation

The mitigation for TAA depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.

### Enabling the mitigation

The following two sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]

The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if not already enabled. This may imply loading an updated microcode, if not
already provided by the BIOS.

Two cases must then be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, there is a TAA-specific mitigation needed. Two sub-cases must be
   considered:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
     you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
     TAA-specific mitigation.
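The decision procedure above, as an added example script that is not part of the wiki page or of NetBSD itself. The classification is kept in a pure function so it can be exercised with constructed values; `check_taa_host` feeds it the live `sysctl -n` output on a NetBSD machine. The value of `machdep.taa.method` in the non-MDS case is assumed here as a constructed placeholder, since the page does not show it.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki page: classify the TAA mitigation
# state from the three sysctl leaves the page describes and say what to do.

# Usage: taa_advice METHOD MDS_MITIGATED TAA_MITIGATED
#   METHOD        content of machdep.taa.method (e.g. "[MDS]")
#   MDS_MITIGATED content of machdep.mds.mitigated (0 or 1)
#   TAA_MITIGATED content of machdep.taa.mitigated (0 or 1)
# Prints exactly one of: covered-by-mds, mds-needed, mitigated, microcode-needed
taa_advice() {
    ta_method=$1; ta_mds=$2; ta_taa=$3
    if [ "$ta_method" = "[MDS]" ]; then
        # No TAA-specific mitigation exists: machdep.taa.mitigated mirrors
        # machdep.mds.mitigated, so only the MDS state matters.
        if [ "$ta_mds" = "1" ]; then echo covered-by-mds; else echo mds-needed; fi
        return 0
    fi
    # A TAA-specific mitigation is needed; the page asks for MDS to be
    # enabled first, so report that before looking at the TAA leaf.
    if [ "$ta_mds" != "1" ]; then echo mds-needed; return 0; fi
    if [ "$ta_taa" = "1" ]; then echo mitigated; else echo microcode-needed; fi
}

# Read the live values with sysctl(8). Only meaningful on a NetBSD kernel
# that carries the machdep.taa leaves (NetBSD-8 and above with the fix).
check_taa_host() {
    ch_method=$(sysctl -n machdep.taa.method 2>/dev/null) ||
        { echo "machdep.taa sysctls not present: kernel lacks the TAA fix"; return 1; }
    ch_mds=$(sysctl -n machdep.mds.mitigated 2>/dev/null)
    ch_taa=$(sysctl -n machdep.taa.mitigated 2>/dev/null)
    case $(taa_advice "$ch_method" "$ch_mds" "$ch_taa") in
    covered-by-mds)
        echo "TAA is covered by the MDS mitigation (method=$ch_method); nothing more to do" ;;
    mds-needed)
        echo "enable the MDS mitigation first (see intel_mds); this may require updated microcode" ;;
    mitigated)
        echo "TAA-specific mitigation is active (method=$ch_method)" ;;
    microcode-needed)
        echo "load updated microcode (BIOS or sysutils/intel-microcode-netbsd), then run:"
        echo "  sysctl -w machdep.taa.mitigated=1" ;;
    esac
}

# Run the live check only where it makes sense; elsewhere just define the functions.
if [ "$(uname -s)" = "NetBSD" ]; then check_taa_host; fi
```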
