Security Vulnerability: TSX Asynchronous Abort (TAA) / CVE-2019-11135
This document (7024251) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 12
Situation
Security researchers have found a side channel information leak attack against the Intel Transactional Synchronization Extensions (Intel TSX) Asynchronous Abort.
During TSX transactions, when these are asynchronously aborted, data might have been fetched already from memory addresses, making it available for side channel information leak attacks against microarchitectural buffers, like store-, load- or fill buffers.
The scope of the information leak exposure is similar to the Microarchitectural Data Sampling attack disclosed in May 2019, and can leak small amounts of very recently accessed data.
What processors are affected ?
All Intel processors supporting TSX shipping up to now are affected, including the ones that are fixed for "Microarchitectural Data Sampling". Please see Intel pages to find the exact list of processors.
Resolution
SUSE will release software updates to mitigate these issues
Future Intel processors will have this problem mitigated in hardware.
Cause
Additional Information
How to detect presence of the problem:
A new sysfs variable was added to the CPU vulnerabilities :
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort
This can contain the following states :
Not affected
The CPU is not affected by this problem.
Vulnerable
The CPU is affected by this vulnerability and neither CPU microcode nor kernel mitigations are applied.
Vulnerable: Clear CPU buffers attempted, no microcode
The kernel mitigations are present and active, but the CPU Microcode does not support the buffer clear operation. (This can also happen if the clear CPU buffers ability is not reported for a guest VM.)
Mitigation: Clear CPU buffers
The software mitigation clearing the buffers using "VERW" is in use.
Mitigation: TSX disabled
The mitigation is that TSX has been disabled on the kernel command line during boot.
Following software mitigations are available :
- Switching off TSX support :
Up to now TSX could not be disabled, but Intel has provided CPU Microcode updates for current CPUs that allow disabling TSX.
This can be controlled by a Linux kernel boot commandline option.
tsx=on
Enable TSX support. (The current SUSE Default)
tsx=off
Disable TSX. Note that this only works on CPUs that support the option "IA32_TSX_CTRL", either when included on the silicon or via CPU Microcode Update.
tsx=auto
If the TAA bug is present, TSX will be disabled. If not, TSX will stay enabled.
If TSX is disabled, the secondary mitigation below is not needed.
- Mitigations using VERW and Hyperthreading adjustments
These adjustments are similar to the ones for the "MDS" attack. Note that using VERW buffer flushing is also needed on CPUs where "MDS" is already addressed in hardware, and needs accompanying CPU microcode.
The kernel boot commandline to control it is:
tsx_async_abort=off
The TAA mitigation is disabled.
tsx_async_abort=full
The TAA mitigation is enabled. If TSX is enabled, it will use the clear buffer mitigation.(The current SUSE Default)
tsx_async_abort=full,nosmt
The TAA mitigation is enabled. If TSX is enabled, it will use the clear buffer mitigation. Additionally Hyperthreading is disabled to avoid potential cross hyperthread leakage.
For detailed information on the issue, please visit :
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7024251
- Creation Date: 08-Nov-2019
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
