tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

x86/tsx: Disable TSX development mode at boot

A microcode update on some Intel processors causes all TSX transactions
to always abort by default[*]. Microcode also added functionality to
re-enable TSX for development purposes. With this microcode loaded, if
tsx=on was passed on the cmdline, and TSX development mode was already
enabled before the kernel boot, it may make the system vulnerable to TSX
Asynchronous Abort (TAA).

To be on safer side, unconditionally disable TSX development mode during
boot. If a viable use case appears, this can be revisited later.

[*]: Intel TSX Disable Update for Selected Processors, doc ID: 643557

[ bp: Drop unstable web link, massage heavily. ]

Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/347bd844da3a333a9793c6687d4e4eb3b2419a3e.1646943780.git.pawan.kumar.gupta@linux.intel.com

authored by Pawan Gupta and committed by Borislav Petkov 400331f8 258f3b8c

options
unified split
Changed files
+55 -18
arch
x86
include
asm
msr-index.h
kernel
cpu
common.c
cpu.h
intel.c
tsx.c
tools
arch
x86
include
asm
msr-index.h
+2 -2
arch/x86/include/asm/msr-index.h
··· 128 128 #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ 129 129 #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ 130 130 131 - /* SRBDS support */ 132 131 #define MSR_IA32_MCU_OPT_CTRL 0x00000123 133 - #define RNGDS_MITG_DIS BIT(0) 132 + #define RNGDS_MITG_DIS BIT(0) /* SRBDS support */ 133 + #define RTM_ALLOW BIT(1) /* TSX development mode */ 134 134 135 135 #define MSR_IA32_SYSENTER_CS 0x00000174 136 136 #define MSR_IA32_SYSENTER_ESP 0x00000175
+2
arch/x86/kernel/cpu/common.c
··· 1855 1855 validate_apic_and_package_id(c); 1856 1856 x86_spec_ctrl_setup_ap(); 1857 1857 update_srbds_msr(); 1858 + 1859 + tsx_ap_init(); 1858 1860 } 1859 1861 1860 1862 static __init int setup_noclflush(char *arg)
+2 -3
arch/x86/kernel/cpu/cpu.h
··· 55 55 extern __ro_after_init enum tsx_ctrl_states tsx_ctrl_state; 56 56 57 57 extern void __init tsx_init(void); 58 - extern void tsx_enable(void); 59 - extern void tsx_disable(void); 60 - extern void tsx_clear_cpuid(void); 58 + void tsx_ap_init(void); 61 59 #else 62 60 static inline void tsx_init(void) { } 61 + static inline void tsx_ap_init(void) { } 63 62 #endif /* CONFIG_CPU_SUP_INTEL */ 64 63 65 64 extern void get_cpu_cap(struct cpuinfo_x86 *c);
-8
arch/x86/kernel/cpu/intel.c
··· 717 717 718 718 init_intel_misc_features(c); 719 719 720 - if (tsx_ctrl_state == TSX_CTRL_ENABLE) 721 - tsx_enable(); 722 - else if (tsx_ctrl_state == TSX_CTRL_DISABLE) 723 - tsx_disable(); 724 - else if (tsx_ctrl_state == TSX_CTRL_RTM_ALWAYS_ABORT) 725 - /* See comment over that function for more details. */ 726 - tsx_clear_cpuid(); 727 - 728 720 split_lock_init(); 729 721 bus_lock_init(); 730 722
+47 -3
arch/x86/kernel/cpu/tsx.c
··· 19 19 20 20 enum tsx_ctrl_states tsx_ctrl_state __ro_after_init = TSX_CTRL_NOT_SUPPORTED; 21 21 22 - void tsx_disable(void) 22 + static void tsx_disable(void) 23 23 { 24 24 u64 tsx; 25 25 ··· 39 39 wrmsrl(MSR_IA32_TSX_CTRL, tsx); 40 40 } 41 41 42 - void tsx_enable(void) 42 + static void tsx_enable(void) 43 43 { 44 44 u64 tsx; 45 45 ··· 122 122 * That's why, this function's call in init_intel() doesn't clear the 123 123 * feature flags. 124 124 */ 125 - void tsx_clear_cpuid(void) 125 + static void tsx_clear_cpuid(void) 126 126 { 127 127 u64 msr; 128 128 ··· 142 142 } 143 143 } 144 144 145 + /* 146 + * Disable TSX development mode 147 + * 148 + * When the microcode released in Feb 2022 is applied, TSX will be disabled by 149 + * default on some processors. MSR 0x122 (TSX_CTRL) and MSR 0x123 150 + * (IA32_MCU_OPT_CTRL) can be used to re-enable TSX for development, doing so is 151 + * not recommended for production deployments. In particular, applying MD_CLEAR 152 + * flows for mitigation of the Intel TSX Asynchronous Abort (TAA) transient 153 + * execution attack may not be effective on these processors when Intel TSX is 154 + * enabled with updated microcode. 155 + */ 156 + static void tsx_dev_mode_disable(void) 157 + { 158 + u64 mcu_opt_ctrl; 159 + 160 + /* Check if RTM_ALLOW exists */ 161 + if (!boot_cpu_has_bug(X86_BUG_TAA) || !tsx_ctrl_is_supported() || 162 + !cpu_feature_enabled(X86_FEATURE_SRBDS_CTRL)) 163 + return; 164 + 165 + rdmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_opt_ctrl); 166 + 167 + if (mcu_opt_ctrl & RTM_ALLOW) { 168 + mcu_opt_ctrl &= ~RTM_ALLOW; 169 + wrmsrl(MSR_IA32_MCU_OPT_CTRL, mcu_opt_ctrl); 170 + setup_force_cpu_cap(X86_FEATURE_RTM_ALWAYS_ABORT); 171 + } 172 + } 173 + 145 174 void __init tsx_init(void) 146 175 { 147 176 char arg[5] = {}; 148 177 int ret; 178 + 179 + tsx_dev_mode_disable(); 149 180 150 181 /* 151 182 * Hardware will always abort a TSX transaction when the CPUID bit ··· 245 214 setup_force_cpu_cap(X86_FEATURE_RTM); 246 215 setup_force_cpu_cap(X86_FEATURE_HLE); 247 216 } 217 + } 218 + 219 + void tsx_ap_init(void) 220 + { 221 + tsx_dev_mode_disable(); 222 + 223 + if (tsx_ctrl_state == TSX_CTRL_ENABLE) 224 + tsx_enable(); 225 + else if (tsx_ctrl_state == TSX_CTRL_DISABLE) 226 + tsx_disable(); 227 + else if (tsx_ctrl_state == TSX_CTRL_RTM_ALWAYS_ABORT) 228 + /* See comment over that function for more details. */ 229 + tsx_clear_cpuid(); 248 230 }
+2 -2
tools/arch/x86/include/asm/msr-index.h
··· 128 128 #define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ 129 129 #define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ 130 130 131 - /* SRBDS support */ 132 131 #define MSR_IA32_MCU_OPT_CTRL 0x00000123 133 - #define RNGDS_MITG_DIS BIT(0) 132 + #define RNGDS_MITG_DIS BIT(0) /* SRBDS support */ 133 + #define RTM_ALLOW BIT(1) /* TSX development mode */ 134 134 135 135 #define MSR_IA32_SYSENTER_CS 0x00000174 136 136 #define MSR_IA32_SYSENTER_ESP 0x00000175