Release date: 2019-11-12
Description
Details and mitigation information about a sub-class of speculative execution side-channel vulnerabilities called TSX Asynchronous Abort (TAA).
Please refer to Intel Security Advisory 00270 on the Intel website.
The TAA vulnerability is a sub-set of the MDS vulnerability, already mitigated in NetBSD.
Status of the Fix
NetBSD-8 and above have received a fix. NetBSD-7, and all earlier releases, have no planned fixes.
Mitigation
The mitigation for TAA depends on the Intel CPU model and available microcode or motherboard BIOS revision.
You may also want to disable SMT/HyperThreading to address certain aspects of the vulnerabilities. Should you not be able to disable SMT/HT in your BIOS, you can put smtoff=YES in your /etc/rc.conf file.
Enabling the mitigation
The two following sysctls are now available:

    machdep.taa.mitigated = {0/1}     user-settable
    machdep.taa.method    = {string}  constructed by the kernel
The TAA mitigation may be provided by the already-existing MDS mitigation. Before enabling the TAA mitigation, you should first enable the MDS mitigation if not already enabled. This may imply loading an updated microcode, if not already provided by the BIOS.
Two cases must then be considered, depending on the content of machdep.taa.method:

  - If this leaf is set to [MDS], then there is no TAA-specific mitigation to use: the machdep.taa.mitigated leaf will be equal to machdep.mds.mitigated, and only the latter is to be used.

  - Otherwise, a TAA-specific mitigation is needed. Two sub-cases must be considered:

      - If the BIOS provides an updated microcode containing this TAA-specific mitigation, then NetBSD will have set machdep.taa.mitigated=1 automatically at boot time.

      - If the BIOS does not provide this updated microcode, you may use NetBSD's pkgsrc to fetch the latest microcode distribution from Intel via the sysutils/intel-microcode-netbsd package. With the new microcode loaded, you can issue the command

            sysctl -w machdep.taa.mitigated=1

        to enable the TAA-specific mitigation.
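The decision procedure above, as an added example that is not part of the NetBSD advisory: taa_action encodes the [MDS] / TAA-specific / microcode cases as a pure function so it can be checked off-box, and taa_check reads the live sysctls on a NetBSD host and reports what is still missing. The method string "[TSX disable]" used in the checks is a constructed placeholder; only "[MDS]" comes from the advisory.

```sh
#!/bin/sh
# Added example (not NetBSD's own code). Maps the advisory's sysctl values to an action.
# Usage: taa_action <machdep.taa.method> <machdep.mds.mitigated> <machdep.taa.mitigated>
# Prints one of: MDS_OK MDS_NEEDED MICROCODE_OK ENABLE_SYSCTL
taa_action() {
    method=$1; mds=$2; taa=$3
    case "$method" in
    '[MDS]')
        # TAA is covered by the MDS mitigation; only machdep.mds.mitigated matters here.
        if [ "$mds" = 1 ]; then echo MDS_OK; else echo MDS_NEEDED; fi
        ;;
    *)
        # A TAA-specific mitigation is needed on this CPU model.
        if [ "$mds" != 1 ]; then
            echo MDS_NEEDED          # advisory: enable the MDS mitigation first
        elif [ "$taa" = 1 ]; then
            echo MICROCODE_OK        # BIOS microcode has it; the kernel set the leaf at boot
        else
            echo ENABLE_SYSCTL       # load newer microcode (sysutils/intel-microcode-netbsd), then sysctl -w
        fi
        ;;
    esac
}

# Reads the live sysctls on a NetBSD host; returns 0 only when TAA is covered.
taa_check() {
    method=$(sysctl -n machdep.taa.method 2>/dev/null) ||
        { echo "machdep.taa.method not present: kernel predates the TAA fix"; return 1; }
    mds=$(sysctl -n machdep.mds.mitigated 2>/dev/null)
    taa=$(sysctl -n machdep.taa.mitigated 2>/dev/null)
    action=$(taa_action "$method" "$mds" "$taa")
    echo "taa.method=$method mds.mitigated=$mds taa.mitigated=$taa -> $action"
    case "$action" in
    MDS_OK|MICROCODE_OK) return 0 ;;
    ENABLE_SYSCTL) echo "after loading updated microcode: sysctl -w machdep.taa.mitigated=1"; return 1 ;;
    *) echo "enable the MDS mitigation first (see machdep.mds.*)"; return 1 ;;
    esac
}
```

Call taa_check on the host (for example from a post-boot audit script); it only reports and never changes a sysctl itself.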