CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,897
    Messages:
    20,275
    Likes Received:
    25,092
    Trophy Points:
    931
    That seems to be the consensus of recommendations, on top of updating to the latest patches and firmware for MDS vulnerabilities, not only for Windows, but all OSes on top of Intel CPUs:

    CVE-2019-11135 - Transactional Synchronization Extensions (TSX) Asynchronous Abort
    Updated Yesterday at 6:34 AM
    https://access.redhat.com/articles/tsx-asynchronousabort

    "...One way of mitigating TAA issue is to disable TSX feature of the CPU, so that TSX Asynchronous Abort (TAA) would not occur, and in turn the said information leakage via speculative side channel would not occur.

    The kernel update introduces a new kernel boot parameter ‘tsx=on/off/auto’ to enable OR disable CPU’s Transactional Synchronization Extensions (TSX) feature. It requires microcode updates to be installed.

    tsx=on Enable the TSX feature <= **RHEL Default**
    tsx=off Disable the TSX feature
    tsx=auto Disable TSX if CPU is affected, else enable TSX"

    Intel says the same thing many times within a number of documents, but couches it within many layers of situational caveats:

    Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270
    https://software.intel.com/security...ation-extensions-intel-tsx-asynchronous-abort

    "On CPUs that do not require software MDS mitigations (IA32_ARCH_CAPABILITIES [MDS_NO]=1), TAA can be mitigated by either applying the MDS software mitigations or by selectively disabling Intel TSX for the workload using the IA32_TSX_CTRL MSR. Refer to Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort for more details.
    ...
    To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.

    VMMs should ensure they apply the mitigations described in the MDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor as untrusted guests."

    Start here to find new vulnerabilities at Intel, and follow potential links - you'll arrive at the crucial info several times within a number of documents if you follow the rabbit hole ad infinitum in call-backs as well as external references:

    Software Guidance for Security Advisories
    https://software.intel.com/security-software-guidance/software-guidance

    Even deeper diving:

    Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort
    https://software.intel.com/security...ation-extensions-intel-tsx-asynchronous-abort

    Lots there to digest, start by searching for every instance of "disa" - not only TSX but also RTM and others.

    Intel isn't "there yet" with TSX like they are with recommending disabling "hyperthreading" everywhere as the more general rule for being secure without having to delve deeply into the situational limitations - requiring you to dig out the details and decide whether to leave it enabled or disable Hyperthreading / TSX.

    And, note there are microcode updates required for the disable in the OS to be effective. Same goes for legacy software that may use the CPUID to determine functionality, look for changing CPUID.
     
    Last edited: Nov 21, 2019
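    As an added example (not from the thread, nor from Red Hat or Intel), the following POSIX shell script reports where a Linux host stands on TAA using the three signals the post above points at: the tsx= boot parameter, whether CPUID still enumerates RTM/HLE after the disable (the "changing CPUID" hint, which needs the microcode update), and the kernel's own verdict in sysfs. Function names are hypothetical and the inputs it is checked against are constructed.

```shell
# Added example, not from the thread or from Red Hat/Intel: report where a Linux
# host stands on TAA (CVE-2019-11135) from the three signals discussed above:
# the tsx= boot parameter, whether CPUID still enumerates RTM/HLE (the "changing
# CPUID" hint), and the kernel's verdict in sysfs. Function names are hypothetical.
# tsx_policy CMDLINE -> prints the tsx= value (on/off/auto) or "unset"
tsx_policy() {
    for tok in $1; do
        case "$tok" in tsx=*) printf '%s\n' "${tok#tsx=}"; return 0 ;; esac
    done
    printf 'unset\n'
}

# tsx_enumerated FLAGS -> succeeds if the cpuinfo flag list still shows rtm or hle
tsx_enumerated() {
    for f in $1; do
        case "$f" in rtm|hle) return 0 ;; esac
    done
    return 1
}

# taa_verdict POLICY FLAGS SYSFS_LINE -> one-word assessment. The sysfs line
# (/sys/devices/system/cpu/vulnerabilities/tsx_async_abort) is authoritative;
# the flag check only explains a bare "Vulnerable" result seen after tsx=off.
taa_verdict() {
    policy="$1"; flags="$2"; sysfs="$3"
    case "$sysfs" in
        "Not affected"*)                                printf 'not-affected\n' ;;
        "Mitigation: TSX disabled"*)                    printf 'mitigated-tsx-off\n' ;;
        "Mitigation: Clear CPU buffers; SMT disabled"*) printf 'mitigated-verw\n' ;;
        "Mitigation: Clear CPU buffers"*)               printf 'mitigated-verw-smt-on\n' ;;
        "Vulnerable:"*"no microcode"*)                  printf 'microcode-missing\n' ;;
        *)  # tsx=off requested but RTM/HLE still enumerated: TSX_CTRL microcode is missing
            if [ "$policy" = off ] && tsx_enumerated "$flags"; then
                printf 'microcode-missing\n'
            else
                printf 'vulnerable\n'
            fi ;;
    esac
}

# host_check: run the same logic against this machine's live files (Linux only)
host_check() {
    flags=$(awk -F: '/^flags/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)
    sysfs=$(cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort 2>/dev/null)
    policy=$(tsx_policy "$(cat /proc/cmdline 2>/dev/null)")
    printf 'tsx=%s verdict=%s\n' "$policy" "$(taa_verdict "$policy" "$flags" "${sysfs:-unknown}")"
}

if [ "${1:-}" = --live ]; then host_check; fi
```

Run it with `--live` on the host to see the real values; "mitigated-verw-smt-on" means the VERW path is in place but sibling logical processors still share the affected buffers, which is the situation the Intel VMM guidance above warns about.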
  2. joluke

    joluke Notebook Deity

    Reputations:
    481
    Messages:
    1,255
    Likes Received:
    658
    Trophy Points:
    131
    Thanks a lot @hmscott
     
    Vasudev and hmscott like this.
  3. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    7,486
    Messages:
    10,453
    Likes Received:
    7,734
    Trophy Points:
    931
    Yes. If you rely on TSX and a huge DB, say SQL/PSQL, then you might see reduced performance.
     
    hmscott likes this.
  4. joluke

    joluke Notebook Deity

    Reputations:
    481
    Messages:
    1,255
    Likes Received:
    658
    Trophy Points:
    131
    I don't rely on it at all, but it was activated in the registry for some reason. That's why I wanted to know if it was advisable to disable it.
     
    hmscott and Vasudev like this.
  5. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,897
    Messages:
    20,275
    Likes Received:
    25,092
    Trophy Points:
    931
    "Server Guy" gives a good review of Intel's vulnerabilities and how it has affected his and others work.

    Intel Security in 2019 | Server Engineer Interview | Broken Silicon 25
    Dec 11, 2019
    Moore's Law Is Dead
    Another interview with an anonymous Server Engineer. We discuss Intel’s (lack of) security, the future of server tech, and more! [NOTE: This was an anonymous phone call, some audio issues]
    1) 4:42 How important is the cost to run a server vs Start-up costs?
    2) 11:00 Software Maturity and the beginnings of Intel’s Security Problems
    3) 12:58 Spectre and Foreshadow
    4) 21:03 NetCat broke the camel’s back…
    5) 39:29 Does Optane or the “Intel Package” matter?
    6) 41:57 AMD’s past failures, and their future success…
    7) 49:20 Are Intel’s Security problems over?
    8) 59:55 AMD vs Intel Branch Prediction & Threads
    9) 1:07:20 How should we approach Hardware Security?
    10) 1:11:55 Is Intel better positioned for the future?
    11) 1:20:50 Do Intel’s Professional GPU’s sound interesting?
    12) 1:26:05 2700X and 9900K as server chips…
    13) 1:39:00 Remember how great Broadwell was…
    14) 1:48:00 Best Wishes for UFD Tech
     
    Vasudev and jc_denton like this.
  6. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    6,897
    Messages:
    20,275
    Likes Received:
    25,092
    Trophy Points:
    931
    Vasudev and 0lok like this.