The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus). The TAA condition, on some microprocessors utilizing speculative execution, may allow an authenticated user to potentially enable information disclosure via a side channel with local access. TAA has a separate CVE from MDS, CVE-2019-11135 (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), because it uses a new mechanism for the exploit. As with MDS, TAA may expose data from either the current logical processor or from the sibling logical processor on processors with simultaneous multithreading (SMT).
Intel® Transactional Synchronization Extensions (Intel® TSX) are an extension to the x86 instruction set architecture that adds hardware transactional memory support to improve performance of multi-threaded software. Intel® TSX has two subfunctionalities: Restricted Transactional Memory (RTM) and Hardware Lock Elision (HLE). For more details on Intel TSX please see http://www.intel.com/software/tsx.
Intel TSX supports atomic memory transactions that are either committed or aborted. Upon an Intel TSX abort, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. An Intel TSX transaction can be synchronously aborted, for example due to an instruction that is not supported inside transactions. Intel TSX transactions can also be asynchronously aborted, such as when a different logical processor writes to a cache line that is part of the transaction's read set, when the transaction exceeds its memory buffering space, or due to other microarchitectural reasons.
While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.
This TAA issue affects all current processors that support Intel TSX unless IA32_ARCH_CAPABILITIES.TAA_NO (bit 8)=1. On CPUs affected by MDS, where IA32_ARCH_CAPABILITIES.MDS_NO (bit 5)=0, the existing MDS mitigations will also mitigate against TAA.
On CPUs that are not affected by MDS (where IA32_ARCH_CAPABILITIES.MDS_NO (bit 5)=1), and when the software is not using MDS mitigations, additional mitigation for TAA may be needed.
For more information on MDS, refer to Deep Dive: Microarchitectural Data Sampling.
Malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core by:
The CVE assigned to TAA is CVE-2019-11135 (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
A processor is affected by TAA if and only if both of the following conditions are true:
1. The processor supports Intel TSX.
2. IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=0.
Refer to the CPUs That Require Additional Mitigations section for a list of processors affected by TAA.
On CPUs affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=0), the mitigations for MDS will also help prevent TAA. Refer to the Deep Dive: Microarchitectural Data Sampling for more details.
On CPUs that do not require software MDS mitigations (IA32_ARCH_CAPABILITIES[MDS_NO]=1) there are two possible mitigation approaches for TAA:
1. Execute VERW before kernel exits and VM entries and mitigate cross-hyperthread attacks. This will help ensure that no data from other contexts can be leaked. Refer to the MDS Deep Dive for more information on MDS mitigations. For VERW to clear affected buffers, a microcode update that adds support for the IA32_TSX_CTRL Model Specific Register (MSR) (IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1) may need to be loaded. Because VMMs may not expose this MSR to a guest, software using this approach should execute VERW even when IA32_TSX_CTRL support is not enumerated.
2. Alternatively, it is possible to disable Intel TSX for the workload using the IA32_TSX_CTRL MSR (refer to the Enumeration and new MSRs section). Some processors may need to load a microcode update to add support for IA32_TSX_CTRL. The MSR supports disabling the RTM functionality of Intel TSX by setting TSX_CTRL_RTM_DISABLE (bit 0). When this bit is set, all RTM transactions will abort with abort code 0 before any instructions can execute within the transaction, even speculatively. On processors that enumerate IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1, HLE prefix hints are always ignored.
For most usages when RTM is disabled, the respective RTM CPUID (CPUID.07h.EBX.RTM [bit 11]) should also be disabled by setting the TSX_CTRL_CPUID_CLEAR (bit 1) bit in IA32_TSX_CTRL. This will indicate to software using Intel TSX to use a fallback path immediately without trying to attempt a transaction.
If it's not possible to change the CPUID, the IA32_TSX_CTRL[TSX_CPUID_CLEAR] (bit 1) bit can be cleared to preserve the HLE and RTM CPUID bits. In this case, software using Intel TSX will attempt RTM transactions, but they will always abort until it takes a fallback path.
Using IA32_TSX_CTRL may require a new microcode update to be loaded. Support for IA32_TSX_CTRL is enumerated by CPUID.ARCH_CAP(EAX=7h,ECX=0):EDX[29] = 1 and IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) = 1.
On processors that do enumerate MD_CLEAR but don't enumerate MDS_NO, both L1D_FLUSH and VERW overwrite the TAA-affected buffers.
On processors that enumerate both MDS_NO and TSX_CTRL, both L1D_FLUSH and VERW overwrite the TAA-affected buffers.
To ensure that guests are properly mitigated, VMMs should load a microcode update that causes IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) to be set on processors that need additional mitigations for TAA.
To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.
VMMs should ensure they apply the mitigations described in the MDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor of untrusted guests.
When Intel TSX is disabled at runtime using TSX_CTRL, but the CPUID enumeration of Intel TSX is not cleared, existing software using RTM may see aborts for every transaction. The abort will always return a 0 status code in EAX after XBEGIN. When the software does a number of transaction retries, it should never retry for a 0 status value, but go to the nontransactional fallback path immediately.
Intel® Software Guard Extensions (Intel® SGX) enclaves are potentially impacted on CPUs that are not affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=1) but that are affected by TAA (IA32_ARCH_CAPABILITIES[TAA_NO]=0). As the Intel® SGX security model does not trust the system software, Intel SGX cannot rely on the system software to disable Intel TSX or to clear the microarchitectural data buffers. Mitigating TAA for Intel SGX is achieved through a microcode update.
When the required microcode update is applied:
IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) enumerates that the IA32_TSX_CTRL MSR exists and that TSX_CTRL supports bit 0 (RTM_DISABLE) and bit 1 (TSX_CPUID_CLEAR).
Register Address | Register Name / Bit Fields | Bit Description | Comment
---|---|---|---
122h | IA32_TSX_CTRL | | Thread scope. Not architecturally serializing. Available when CPUID.ARCH_CAP(EAX=7h,ECX=0):EDX[29] = 1 and IA32_ARCH_CAPABILITIES.bit 7 = 1
| 0 | RTM_DISABLE: When set to 1 XBEGIN will always abort with EAX code 0. |
| 1 | TSX_CPUID_CLEAR: When set to 1 CPUID.07h.EBX.RTM [bit 11] and CPUID.07h.EBX.HLE [bit 4] report 0. When set to 0 and the SKU supports TSX these bits will return 1. |
Family/Model | Stepping | Processor Families / Processor Number Series | Affected by TAA
---|---|---|---
06_8E | 0xC | Whiskey Lake (ULT refresh) | If TSX supported |
06_55 | 6, 7 | 2nd Generation Intel® Xeon® Scalable Processors based on Cascade Lake microarchitecture | If TSX supported |
06_9E | 0xD | Coffee Lake R | If TSX supported |
There are three types of processors that do not require additional mitigations:
1. Processors that enumerate IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=1 are not affected.
2. Processors that enumerate IA32_ARCH_CAPABILITIES[MDS_NO] (bit 5)=1 do not need additional mitigations beyond what is already required to mitigate MDS.
3. Processors that do not support Intel TSX are not affected by TAA, even when IA32_ARCH_CAPABILITIES[TAA_NO]=0.
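The affected-processor conditions, the TSX_CTRL enumeration rule and the two mitigation approaches described in this document, encoded as one decision over register values. This is an added example, not Intel's code: it takes the CPUID.(EAX=7,ECX=0) EBX/EDX values, IA32_ARCH_CAPABILITIES and IA32_TSX_CTRL as plain integers (the snapshots in main() are constructed), and the enum names, the `mds_mitigations` flag (meaning the software already executes VERW before kernel exits and VM entries and handles SMT) and the function names are assumptions of the example. Reading the real registers requires ring-0 access to the MSRs and is outside the example.

```c
/* Added example, not Intel's code: encode the TAA exposure rules from this
 * deep dive as a decision over the register values it names
 * (CPUID.(EAX=7,ECX=0) EBX/EDX, IA32_ARCH_CAPABILITIES, IA32_TSX_CTRL).
 * The register snapshots in main() are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* IA32_ARCH_CAPABILITIES bits named on the page. */
#define ARCH_CAP_MDS_NO    (1ull << 5)
#define ARCH_CAP_TSX_CTRL  (1ull << 7)
#define ARCH_CAP_TAA_NO    (1ull << 8)

/* CPUID.(EAX=7,ECX=0) bits named on the page. */
#define CPUID7_EBX_HLE       (1u << 4)
#define CPUID7_EBX_RTM       (1u << 11)
#define CPUID7_EDX_ARCH_CAP  (1u << 29)  /* IA32_ARCH_CAPABILITIES MSR exists */

/* IA32_TSX_CTRL (MSR 122h) bits. */
#define TSX_CTRL_RTM_DISABLE  (1ull << 0)
#define TSX_CTRL_CPUID_CLEAR  (1ull << 1)

enum taa_status {
    TAA_NOT_AFFECTED_NO_TSX,       /* no RTM/HLE: TAA does not apply */
    TAA_NOT_AFFECTED_TAA_NO,       /* TAA_NO=1 */
    TAA_COVERED_BY_MDS_MITIGATION, /* MDS_NO=0: MDS mitigations also cover TAA */
    TAA_NEEDS_MITIGATION           /* MDS_NO=1, TAA_NO=0, TSX supported */
};

/* A CPU without the IA32_ARCH_CAPABILITIES MSR reports no *_NO bits, so it is
 * treated as affected by both MDS and TAA (all capability bits zero). */
static uint64_t effective_arch_cap(uint32_t cpuid7_edx, uint64_t arch_cap)
{
    return (cpuid7_edx & CPUID7_EDX_ARCH_CAP) ? arch_cap : 0;
}

/* IA32_TSX_CTRL exists when CPUID.7.EDX[29]=1 and IA32_ARCH_CAPABILITIES bit 7=1. */
static int tsx_ctrl_available(uint32_t cpuid7_edx, uint64_t arch_cap)
{
    return (effective_arch_cap(cpuid7_edx, arch_cap) & ARCH_CAP_TSX_CTRL) != 0;
}

static enum taa_status classify_taa(uint32_t cpuid7_ebx, uint32_t cpuid7_edx,
                                    uint64_t arch_cap)
{
    uint64_t cap = effective_arch_cap(cpuid7_edx, arch_cap);

    /* With TSX_CPUID_CLEAR set, RTM/HLE read as 0 here and TSX is unreachable. */
    if (!(cpuid7_ebx & (CPUID7_EBX_HLE | CPUID7_EBX_RTM)))
        return TAA_NOT_AFFECTED_NO_TSX;
    if (cap & ARCH_CAP_TAA_NO)
        return TAA_NOT_AFFECTED_TAA_NO;
    if (!(cap & ARCH_CAP_MDS_NO))
        return TAA_COVERED_BY_MDS_MITIGATION;
    return TAA_NEEDS_MITIGATION;
}

/* Is TAA closed on this thread? 'mds_mitigations' means the software already
 * executes VERW before kernel exits / VM entries and handles SMT (approach 1);
 * otherwise RTM must be disabled through IA32_TSX_CTRL (approach 2), which
 * only takes effect when the MSR is enumerated. */
static int taa_mitigated(uint32_t cpuid7_ebx, uint32_t cpuid7_edx,
                         uint64_t arch_cap, uint64_t tsx_ctrl, int mds_mitigations)
{
    switch (classify_taa(cpuid7_ebx, cpuid7_edx, arch_cap)) {
    case TAA_NOT_AFFECTED_NO_TSX:
    case TAA_NOT_AFFECTED_TAA_NO:
        return 1;
    case TAA_COVERED_BY_MDS_MITIGATION:
        return mds_mitigations ? 1 : 0;
    case TAA_NEEDS_MITIGATION:
        return (mds_mitigations ||
                (tsx_ctrl_available(cpuid7_edx, arch_cap) &&
                 (tsx_ctrl & TSX_CTRL_RTM_DISABLE))) ? 1 : 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed snapshot for the "MDS_NO=1, TAA_NO=0, TSX present" case. */
    uint32_t ebx = CPUID7_EBX_RTM | CPUID7_EBX_HLE;
    uint32_t edx = CPUID7_EDX_ARCH_CAP;
    uint64_t cap = ARCH_CAP_MDS_NO | ARCH_CAP_TSX_CTRL;

    printf("status=%d (3 = needs mitigation)\n", classify_taa(ebx, edx, cap));
    printf("after writing RTM_DISABLE|CPUID_CLEAR: mitigated=%d\n",
           taa_mitigated(ebx, edx, cap,
                         TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR, 0));
    return 0;
}
```

The order of the checks mirrors the document: TSX support is tested first because a processor without RTM/HLE is never affected, TAA_NO=1 then excludes the processor outright, and MDS_NO=0 means the MDS mitigations already in use cover TAA; only the remaining combination needs either VERW on the exit paths or RTM_DISABLE.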