CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,079
    Messages:
    20,412
    Likes Received:
    25,193
    Trophy Points:
    931
    That seems to be the consensus of recommendations, on top of updating to the latest patches and firmware for MDS vulnerabilities, not only for Windows, but all OS's on top of Intel CPU's:

    CVE-2019-11135 - Transactional Synchronization Extensions (TSX) Asynchronous Abort
    Updated Yesterday at 6:34 AM
    https://access.redhat.com/articles/tsx-asynchronousabort

    "...One way of mitigating TAA issue is to disable TSX feature of the CPU, so that TSX Asynchronous Abort (TAA) would not occur, and in turn the said information leakage via speculative side channel would not occur.

    The kernel update introduces a new kernel boot parameter ‘tsx=on/off/auto’ to enable OR disable CPU’s Transactional Synchronization Extensions (TSX) feature. It requires microcode updates to be installed.

    tsx=on Enable the TSX feature <= **RHEL Default**
    tsx=off Disable the TSX feature
    tsx=auto Disable TSX if CPU is affected, else enable TSX"

    Intel says the same thing many times within a number of documents, but couches it within many layers of situational caveats:

    Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270
    https://software.intel.com/security...ation-extensions-intel-tsx-asynchronous-abort

    "On CPUs that do not require software MDS mitigations (IA32_ARCH_CAPABILITIES [MDS_NO]=1), TAA can be mitigated by either applying the MDS software mitigations or by selectively disabling Intel TSX for the workload using the IA32_TSX_CTRL MSR. Refer to Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort for more details.
    ...
    To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.

    VMMs should ensure they apply the mitigations described in theMDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor as untrusted guests."

    Start here to find new vulnerabilities at Intel, and follow potential links - you'll arrive at the crucial info several times within a number of documents if you follow the rabbit hole ad infinitum in call-backs as well as external references:

    Software Guidance for Security Advisories
    https://software.intel.com/security-software-guidance/software-guidance

    Even deeper diving:

    Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort
    https://software.intel.com/security...ation-extensions-intel-tsx-asynchronous-abort

    Lots there to digest, start by searching for every instance of "disa" - not only TSX but also RTM and others.

    Intel isn't "there yet" with TSX like they are with recommending disabling "hyperthreading" everywhere as the more general rule for being secure without having to delve deeply into the situational limitations - requiring you to dig out the details and decide whether to leave it enabled or disable Hyperthreading / TSX.

    And, note there are microcode updates required for the disable in the OS to be effective. Same goes for legacy software that may use the CPUID to determine functionality, look for changing CPUID.
     
    Last edited: Nov 21, 2019
  2. joluke

    joluke Notebook Deity

    Reputations:
    630
    Messages:
    1,349
    Likes Received:
    763
    Trophy Points:
    131
    Thanks a lot @hmscott
     
    Vasudev and hmscott like this.
  3. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    8,122
    Messages:
    10,604
    Likes Received:
    7,868
    Trophy Points:
    931
    Yes. If you rely on TSX and huge dB say SQL/PSQL then you might see reduced performance.
     
    hmscott likes this.
  4. joluke

    joluke Notebook Deity

    Reputations:
    630
    Messages:
    1,349
    Likes Received:
    763
    Trophy Points:
    131
    I don't rely on it at all but it was activated in registry for some reason. That's why I wanted to know if it was advisable to disable it
     
    hmscott and Vasudev like this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,079
    Messages:
    20,412
    Likes Received:
    25,193
    Trophy Points:
    931
    "Server Guy" gives a good review of Intel's vulnerabilities and how it has affected his and others work.

    Intel Security in 2019 | Server Engineer Interview | Broken Silicon 25
    Dec 11, 2019
    Moore's Law Is Dead
    Another interview with an anonymous Server Engineer. We discuss Intel’s (lack of) security, the future of server tech, and more! [NOTE: This was an anonymous phone call, some audio issues]
    1) 4:42 How important is the cost to run a server vs Start-up costs?
    2) 11:00 Software Maturity and the beginnings of Intel’s Security Problems
    3) 12:58 Spectre and Foreshadow
    4) 21:03 NetCat broke the camel’s back…
    5) 39:29 Does Optane or the “Intel Package” matter?
    6) 41:57 AMD’s past failures, and their future success…
    7) 49:20 Are Intel’s Security problems over?
    8) 59:55 AMD vs Intel Branch Prediction & Threads
    9) 1:07:20 How should we approach Hardware Security?
    10) 1:11:55 Is Intel better positioned for the future?
    11) 1:20:50 Do Intel’s Professional GPU’s sound interesting?
    12) 1:26:05 2700X and 9900K as server chips…
    13) 1:39:00 Remember how great Broadwell was…
    14) 1:48:00 Best Wishes for UFD Tech
     
    Vasudev and jc_denton like this.
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,079
    Messages:
    20,412
    Likes Received:
    25,193
    Trophy Points:
    931
    joluke, Vasudev and 0lok like this.
  7. Papusan

    Papusan JOKEBOOKs Sucks! Dont waste your $$$ on FILTHY

    Reputations:
    28,257
    Messages:
    25,436
    Likes Received:
    45,638
    Trophy Points:
    931
  8. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,079
    Messages:
    20,412
    Likes Received:
    25,193
    Trophy Points:
    931
    "CacheOut is another in the line of side-channel exploits that have targeted Intel processors, taking advantage of flaws in Intel’s architecture to attack data as it moves though various data buffers. (Those came to light as part of the Spectre and Meltdown vulnerabilities.)

    The CacheOut authors suggest that while older speculative execution attacks have resulted in data dumps, the new vulnerability could be used to generate more targeted attacks—that when combined with data-cleaning techniques, specific data could be more easily obtained than before. The CacheOut vulnerability cannot be stopped with Intel’s Spectre/Meltdown mitigations. "

    "Intel said that it plans to release mitigations to address the issue in the near future. These normally are sent to users in the form of BIOS or driver updates.
    ...
    While van Schaik and the other researchers suggested that CacheOut could be mitigated by disabling hyperthreading or disabling TSX within Intel’s processors, the authors also noted that Intel will release mitigations to address the problem."

    Intel is slowing down on the uptake of new vulnerabilities, letting this one hit public view before having a mitigation ready to install.
     
    Last edited: Jan 28, 2020
    Vasudev and Papusan like this.
  9. Papusan

    Papusan JOKEBOOKs Sucks! Dont waste your $$$ on FILTHY

    Reputations:
    28,257
    Messages:
    25,436
    Likes Received:
    45,638
    Trophy Points:
    931
    hmscott, Robbo99999, joluke and 2 others like this.
  10. Robbo99999

    Robbo99999 Notebook Prophet

    Reputations:
    4,126
    Messages:
    6,652
    Likes Received:
    5,799
    Trophy Points:
    681
    Thanks for this. Hmm, it says that there is microcode version CC for my 6700K, but I'm on version C6 implemented through my motherboard BIOS...yeah so I'm not on the latest one. How come Microsoft didn't automatically update my machine to microcode CC? Are only certain users upgraded to CC...maybe the fixes in CC are low risk fixes and they decided not to implement it on consumer devices??
     
    Papusan likes this.

Share This Page