Linux Kernel Gets Mitigations For TSX Async Abort Plus Another New Issue: iTLB Multihit

Written by Michael Larabel in Intel on 12 November 2019 at 02:35 PM EST.
The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad, and that work also reveals mitigations for another Intel CPU issue. So today, in addition to the JCC Erratum and ZombieLoad TAA, the latest is iTLB Multihit (NX) - "No eXcuses".

The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status, plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system clears CPU buffers on ring transitions.

The other issue brought to light by this mitigation work is "iTLB Multihit (NX) - No eXcuses." On some Intel CPUs, page size changes can cause a machine check error and possibly an unrecoverable CPU lockup. This has implications in the cloud/VM space, since a malicious guest could use it to cause a denial of service. The workaround for this "No eXcuses" vulnerability is for KVM to mark huge pages in the extended page tables as non-executable (NX).

For the iTLB Multihit issue there is a new /sys/devices/system/cpu/vulnerabilities/itlb_multihit sysfs node and a kvm.nx_huge_pages= option. This issue has been known since last year and is tagged CVE-2018-12207. More details on that vulnerability, separate from today's other CPU problems, are in this documentation. Microsoft also mitigated Windows today in the latest updates for this problem.
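To check a host for the nodes described above, here is an added example (not from the article or the kernel tree): a POSIX shell script that reads the tsx_async_abort and itlb_multihit sysfs nodes and the kvm.nx_huge_pages module parameter, whose /sys/module/kvm/parameters path is an assumption. The sysfs root is a parameter, and the status strings in the constructed tree are illustrative sample values, so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or the kernel): report the mitigation
# status for TSX Async Abort and iTLB multihit from the sysfs nodes the
# article names. The sysfs root is a parameter so the check runs against a
# constructed copy of the tree as well as the live /sys.

# Print "<name>: <verdict> (<status>)"; return 0 for OK, 1 for WARN,
# 2 when the node is missing (kernel predates the mitigation).
report_vuln() {
    node="$1/devices/system/cpu/vulnerabilities/$2"
    if [ ! -r "$node" ]; then
        printf '%s: NA (node missing; kernel predates the mitigation)\n' "$2"
        return 2
    fi
    read -r status < "$node"
    case "$status" in
        "Not affected"*|"Mitigation:"*|"KVM: Mitigation:"*)
            printf '%s: OK (%s)\n' "$2" "$status"; return 0 ;;
        *)  # "Vulnerable", "KVM: Vulnerable" or anything unrecognised
            printf '%s: WARN (%s)\n' "$2" "$status"; return 1 ;;
    esac
}

# Read kvm.nx_huge_pages (assumed path; present only when kvm is loaded
# on a kernel carrying the mitigation). Prints "unknown" otherwise.
nx_huge_pages() {
    p="$1/module/kvm/parameters/nx_huge_pages"
    if [ -r "$p" ]; then read -r v < "$p"; echo "$v"; else echo unknown; fi
}

# Constructed sysfs tree with sample status strings for offline use.
make_fake_sysfs() {
    v="$1/devices/system/cpu/vulnerabilities"
    mkdir -p "$v" "$1/module/kvm/parameters"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$v/tsx_async_abort"
    echo 'KVM: Vulnerable' > "$v/itlb_multihit"
    echo 'N' > "$1/module/kvm/parameters/nx_huge_pages"
}

# Run the checks against a sysfs root (default /sys) and count warnings.
main() {
    root="${1:-/sys}"; warn=0
    report_vuln "$root" tsx_async_abort || warn=$((warn + 1))
    report_vuln "$root" itlb_multihit  || warn=$((warn + 1))
    printf 'kvm.nx_huge_pages: %s\n' "$(nx_huge_pages "$root")"
    printf '%d check(s) need attention\n' "$warn"
}
main "$@"
```

An "OK" verdict for tsx_async_abort still deserves a look at the rest of the status line, since "SMT vulnerable" means the microcode-backed buffer clearing does not cover sibling hyperthreads.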

Intel's latest CPU microcode images for TAA and JCC erratum can be found via GitHub.

I'll be running some fresh kernel benchmarks of TSX async abort mitigations shortly as well as continuing in my JCC erratum benchmarking. Like my relentless Linux benchmarking? Consider showing your support by joining Phoronix Premium.