File: [NetBSD Developer Wiki] / wikisrc / security / intel_taa.mdwn
Revision 1.6, Tue Nov 12 21:33:54 2019 UTC, by maxv
Branches: MAIN
CVS tags: HEAD

[[!meta title="Intel TAA"]]

Release date: 2019-11-12
    4: 
### Description

Details and mitigation information about a sub-class of speculative execution
side-channel vulnerabilities called TSX Asynchronous Abort (TAA).

Please refer to the Intel Security Advisory 00270 located at:
[Intel website](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html).

The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated
in NetBSD.
   14: 
### Status of the Fix

NetBSD-8 and above have received a fix. NetBSD-7 and all earlier releases
have no planned fixes.
   19: 
### Mitigation

The mitigation for TAA depends on the Intel CPU model and available microcode
or motherboard BIOS revision.

You may also want to disable SMT/HyperThreading to address certain aspects of
the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you
can put **smtoff=YES** in your */etc/rc.conf* file.
   28: 
### Enabling the mitigation

The two following sysctls are now available:

[[!template id=programlisting text="""
machdep.taa.mitigated = {0/1} user-settable
machdep.taa.method = {string} constructed by the kernel
"""]]
   37: 
The TAA mitigation may be provided by the already-existing MDS mitigation.
Before enabling the TAA mitigation, you should first
[enable the MDS mitigation](https://wiki.netbsd.org/security/intel_mds/)
if not already enabled. This may require loading updated microcode, if it is not
already provided by the BIOS.
   43: 
Two cases must then be considered, depending on the content of `machdep.taa.method`:

 * If this leaf is set to `[MDS]`, then there is no TAA-specific mitigation to
   use: the `machdep.taa.mitigated` leaf will be equal to `machdep.mds.mitigated`,
   and only the latter is to be used.

 * Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be
   considered:

   * If the BIOS provides an updated microcode containing this TAA-specific
     mitigation, then NetBSD will have set `machdep.taa.mitigated=1` automatically
     at boot time.

   * If the BIOS does not provide this updated microcode, you may use NetBSD's
     pkgsrc to fetch the latest microcode distribution from Intel via the
     **sysutils/intel-microcode-netbsd** package. With the new microcode loaded,
     you can issue the `sysctl -w machdep.taa.mitigated=1` command to enable the
     TAA-specific mitigation.
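The decision tree above, written out as a small shell script. This is an added example, not code from the NetBSD project or this wiki page; it assumes `sysctl -n` prints the raw value of a leaf, and the `taa_decision` function takes the three leaf values as arguments so the logic can be exercised without a NetBSD host. The method string `[placeholder]` used in the comments stands for any value other than `[MDS]` and is constructed for illustration.

```shell
#!/bin/sh
# Added example: walk the machdep.taa.* decision tree from the wiki text.
# Not NetBSD project code. Assumes `sysctl -n LEAF` prints the raw leaf value.

# taa_decision METHOD TAA_MITIGATED MDS_MITIGATED
# Prints a one-word verdict for the given sysctl values, e.g.
#   taa_decision '[MDS]' 0 1          -> covered-by-mds
#   taa_decision '[placeholder]' 0 1  -> load-microcode-and-enable
taa_decision() {
    if [ "$1" = "[MDS]" ]; then
        # No TAA-specific mitigation exists: machdep.taa.mitigated mirrors
        # machdep.mds.mitigated, so only the MDS leaf matters here.
        if [ "$3" = "1" ]; then
            echo "covered-by-mds"
        else
            echo "enable-mds-first"
        fi
    elif [ "$2" = "1" ]; then
        # The BIOS shipped the updated microcode; the kernel enabled it at boot.
        echo "already-mitigated"
    else
        # Updated microcode must come from pkgsrc, then the leaf is set by hand.
        echo "load-microcode-and-enable"
    fi
}

# taa_advice VERDICT
# Prints the operator-facing instruction for a verdict from taa_decision.
taa_advice() {
    case "$1" in
        covered-by-mds)
            echo "TAA is covered by the MDS mitigation; nothing further to do." ;;
        enable-mds-first)
            echo "Enable MDS first: see https://wiki.netbsd.org/security/intel_mds/" ;;
        already-mitigated)
            echo "machdep.taa.mitigated=1 was set by the kernel at boot." ;;
        load-microcode-and-enable)
            echo "Install sysutils/intel-microcode-netbsd, load it, then run: sysctl -w machdep.taa.mitigated=1" ;;
        *)
            echo "unknown verdict: $1"
            return 1 ;;
    esac
}

# taa_check_live
# Reads the real sysctl leaves on a NetBSD host and reports the verdict.
taa_check_live() {
    verdict=$(taa_decision "$(sysctl -n machdep.taa.method)" \
                           "$(sysctl -n machdep.taa.mitigated)" \
                           "$(sysctl -n machdep.mds.mitigated)")
    echo "verdict: $verdict"
    taa_advice "$verdict"
}

# Only touch the live sysctl tree when explicitly asked: sh taa-check.sh --live
if [ "${1:-}" = "--live" ]; then
    taa_check_live
fi
```

Run it with `--live` on the NetBSD host after the MDS step; `taa_decision` is kept free of side effects so the same logic can be checked against the four combinations the page describes before trusting it on a real machine.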
