Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270

2019-11-12
2019-11-12
6.5

Medium

Industry-wide severity ratings can be found in the National Vulnerability Database

Aliases

  • TAA

Overview

Intel® Transactional Synchronization Extensions (Intel® TSX) are an extension to the x86 instruction set architecture that adds hardware transactional memory support to improve performance of multi-threaded software. The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus).

Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.

Mitigation

A processor is affected by TAA if and only if both of the following conditions are true:

  • CPU supports TSX [1]
  • CPU does not enumerate TAA_NO [2]

Refer to the CPUs That Require Additional Mitigations section of the TAA Deep Dive for a list of processors affected by TAA.

OS Developers

On CPUs affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=0), the mitigations for MDS will also help prevent TAA. Refer to the Deep Dive: Microarchitectural Data Sampling for more details.

On CPUs that do not require software MDS mitigations (IA32_ARCH_CAPABILITIES[MDS_NO]=1), TAA can be mitigated by either applying the MDS software mitigations or by selectively disabling Intel TSX for the workload using the IA32_TSX_CTRL MSR. Refer to Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort for more details.
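The affected-CPU test and the OS-level choice described above, as an added C example (not Intel's code) that works on already-read CPUID leaf 7 and IA32_ARCH_CAPABILITIES values. Function and enum names are hypothetical; the positions of CPUID.7.EDX bit 29, MDS_NO (bit 5) and TAA_NO (bit 8) are not on this page and come from Intel's architectural enumeration; reporting "needs microcode" when MDS_NO=1 without TSX_CTRL is an assumption drawn from the VMM Developers guidance on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RTM/HLE and TSX_CTRL bit positions are stated on this page; EDX bit 29,
 * MDS_NO (bit 5) and TAA_NO (bit 8) come from Intel's architectural
 * enumeration of IA32_ARCH_CAPABILITIES. */
#define CPUID7_EBX_HLE       (1u << 4)
#define CPUID7_EBX_RTM       (1u << 11)
#define CPUID7_EDX_ARCH_CAP  (1u << 29)
#define ARCH_CAP_MDS_NO      (1ull << 5)
#define ARCH_CAP_TSX_CTRL    (1ull << 7)
#define ARCH_CAP_TAA_NO      (1ull << 8)

enum taa_action {
    TAA_NOT_AFFECTED,       /* no TSX, or TAA_NO enumerated */
    TAA_USE_MDS_MITIGATION, /* MDS_NO=0: MDS mitigations also cover TAA */
    TAA_MDS_OR_DISABLE_TSX, /* MDS_NO=1, TSX_CTRL=1: either option */
    TAA_NEEDS_MICROCODE     /* MDS_NO=1 but IA32_TSX_CTRL not enumerated */
};

/* Affected iff TSX is supported (footnote 1) and TAA_NO is not enumerated
 * (footnote 2). arch_cap is ignored when the MSR is not enumerated. */
static bool taa_affected(uint32_t ebx7, uint32_t edx7, uint64_t arch_cap)
{
    bool tsx = (ebx7 & CPUID7_EBX_RTM) && (ebx7 & CPUID7_EBX_HLE);
    bool taa_no = (edx7 & CPUID7_EDX_ARCH_CAP) && (arch_cap & ARCH_CAP_TAA_NO);
    return tsx && !taa_no;
}

static enum taa_action taa_os_action(uint32_t ebx7, uint32_t edx7, uint64_t arch_cap)
{
    if (!taa_affected(ebx7, edx7, arch_cap))
        return TAA_NOT_AFFECTED;
    if (!(edx7 & CPUID7_EDX_ARCH_CAP))
        arch_cap = 0; /* MSR absent: treat MDS_NO and TSX_CTRL as 0 */
    if (!(arch_cap & ARCH_CAP_MDS_NO))
        return TAA_USE_MDS_MITIGATION;
    return (arch_cap & ARCH_CAP_TSX_CTRL) ? TAA_MDS_OR_DISABLE_TSX
                                          : TAA_NEEDS_MICROCODE;
}

int main(void)
{
    /* Constructed sample: TSX present, MDS_NO=1, TSX_CTRL=1, TAA_NO=0 */
    printf("%d\n", taa_os_action(0x810, 1u << 29, 0xA0));
    return 0;
}
```

Reading IA32_ARCH_CAPABILITIES requires ring 0 (RDMSR), so in practice the inputs come from the kernel or from an MSR interface the OS exposes.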

VMM Developers

To ensure that guests are properly mitigated, VMMs should load a microcode update that causes IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) to be set on processors that need additional mitigations for TAA.

To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.

VMMs should ensure they apply the mitigations described in the MDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor as untrusted guests.

Developers of Software Running in an Enclave

Intel® Software Guard Extensions (Intel® SGX) enclaves are potentially impacted on CPUs that are not affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=1) but that are affected by TAA (IA32_ARCH_CAPABILITIES[TAA_NO]=0). As the Intel® SGX security model does not trust the system software, Intel SGX cannot rely on the system software to disable Intel TSX or to clear the microarchitectural data buffers. Mitigating TAA for Intel SGX is achieved through a microcode update.

The Intel SGX remote attestation will indicate whether the required microcode update has been applied. The mitigation for Intel SGX does not depend on the behavior of the OS or VMM.

System Administrators

Always keep your systems up to date with the latest security updates, and follow the guidance from your OS and VMM vendors.

Footnotes

  1. Intel TSX support is indicated by CPUID.07h.EBX.RTM (bit 11) set to 1 and CPUID.07h.EBX.HLE (bit 4) set to 1.
  2. CPUID.7.EDX[IA32_ARCH_CAPABILITIES supported]=0 or IA32_ARCH_CAPABILITIES[TAA_NO]=0.
