Linux Kernel Gets Mitigations For TSX Async Abort Plus Another New Issue: iITLB Multihit

Written by Michael Larabel in Intel on 12 November 2019 at 02:35 PM EST. Add A Comment
INTEL
The Linux kernel has just received its mitigation work for the newly-announced TSX Asynchronous Abort (TAA) variant of ZombieLoad plus revealing mitigations for another Intel CPU issue... So today in addition to the JCC Erratum and ZombieLoad TAA the latest is iITLB Multihit (NX) - No eXcuses.

The mainline Linux kernel received mitigations for ZombieLoad TAA that work in conjunction with newly-published Intel microcode. The mitigations also now expose /sys/devices/system/cpu/vulnerabilities/tsx_async_abort for reporting the mitigation status plus a new tsx_async_abort kernel parameter. With the TAA mitigation, the system will clear CPU buffers on ring transitions.

But the other issue brought up by this mitigation work is the other new issue as "iITLB Multihit (NX) - No eXcuses." This issue occurs for some Intel CPUs causing a machine check error and possible unrecoverable CPU lockup stemming from page size changes. This has implications in the cloud/VM space for being able to cause a denial of service attack by a malicious guest. The workaround for this "No eXcuses" vulnerability is KVM marking huge pages in the extended page tables as non-executable (NX).

For the iTLB Multihit issue is a new /sys/devices/system/cpu/vulnerabilities/itlb_multihit sysfs node and kvm.nx_huge_pages= option. This issue has been known since last year and tagged CVE-2018-12207. More details on that separate vulnerability from today's other CPU problems via this documentation. Microsoft also mitigated Windows today in the latest updates for this problem.

Intel's latest CPU microcode images for TAA and JCC erratum can be found via GitHub.

I'll be running some fresh kernel benchmarks of TSX async abort mitigations shortly as well as continuing in my JCC erratum benchmarking. Like my relentless Linux benchmarking? Consider showing your support by joining Phoronix Premium.
Add A Comment
Related News
Rework For Intel CPU Model Handling To Land With Linux 6.10
Linux 6.10 Adding Intel Low-Latency Hint To Aggressively Boost GT Frequency For GPU Compute
Intel Releases OpenVINO 2024.1 With More Gen AI & LLM Features
Intel ANV Vulkan Driver Enables VK_KHR_shader_float_controls2
Intel Has Many Improvements For The Xe Graphics Driver In Linux 6.10
Intel Enabling Linux Driver Display Support For Upcoming "Battlemage" GPUs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Fedora Linux 40 Available For Download As A Wonderful Upgrade
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
GNU Portability Library's Tool Rewritten In Python For 8~100x Better Performance
Godot's Vulkan Backend Seeing Better Performance, 10~20% Reduction In Frame Times
GNOME Working To Make Key Rack A Viable Password Manager, Better Printing For Flatpaks
Niri 0.1.5 Scrollable-Tiling Wayland Compositor Adds New Animations