Show Your Support: Did you know that the hundreds of articles written on Phoronix each month are mostly authored by one individual? Phoronix.com doesn't have a whole news room with unlimited resources and relies upon people reading our content without blocking ads and alternatively by people subscribing to Phoronix Premium for our ad-free service with other extra features.
New Intel TSX Fixes For The Linux Kernel Queue Up, Forces Off TSX "Development Mode"
First up is a change to disable TSX development mode at boot. While an Intel microcode update had made it so all TSX transactions would abort by default fort security, it also added a "development mode" to re-enable TSX. It's possible through that microcode TSX development mode that systems could unintentionally be left vulnerable to the TSX Async Abort vulnerability.
A microcode update on some Intel processors causes all TSX transactions to always abort by default[*]. Microcode also added functionality to re-enable TSX for development purposes. With this microcode loaded, if tsx=on was passed on the cmdline, and TSX development mode was already enabled before the kernel boot, it may make the system vulnerable to TSX Asynchronous Abort (TAA).
To be on safer side, unconditionally disable TSX development mode during boot. If a viable use case appears, this can be revisited later.
TSX Asynchronous Abort (TAA, formally CVE-2019-11135) was disclosed in 2019 as a hardware vulnerability leading to unprivileged speculative access to data in CPU-internal buffers through asynchronous aborts within TSX transactional regions.
The other fix is to address the TSX_FORCE_ABORT MSR not being available on all CPUs to disable TSX so now on supported CPUs the TSX_CTRL MSR is also used. The code comment in that Intel-developed patch sums it up as "Disabling TSX is not a trivial business."
Both of these patches were submitted this Easter morning ahead of the Linux 5.18-rc3 kernel coming later today while these patches are also marked for back-porting to existing stable and maintained kernel release series.