Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort

ID 758370
Updated 11/12/2019
Version Latest
Public

The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus). The TAA condition, on some microprocessors utilizing speculative execution, may allow an authenticated user to potentially enable information disclosure via a side channel with local access. TAA has a separate CVE from MDS, CVE-2019-11135 (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), because it uses a new mechanism for the exploit. As with MDS, TAA may expose data from either the current logical processor or from the sibling logical processor on processors with simultaneous multithreading (SMT).

Intel® Transactional Synchronization Extensions (Intel® TSX) are an extension to the x86 instruction set architecture that adds hardware transactional memory support to improve performance of multi-threaded software. Intel® TSX has two subfunctionalities: Restricted Transactional Memory (RTM) and Hardware Lock Elision (HLE). For more details on Intel® Transactional Synchronization Extensions (Intel® TSX) please see Web Resources About Intel® Transactional Synchronization Extensions.

Intel TSX supports atomic memory transactions that are either committed or aborted. Upon an Intel TSX abort, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. An Intel TSX transaction can be synchronously aborted, for example due to an instruction that is not supported in transactions. Intel TSX transactions can also be asynchronously aborted, such as when a different logical processor writes to a cache line that is part of the transaction’s read set, when the transaction exceeds its memory buffering space, or due to other microarchitectural reasons.

While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.

This TAA issue affects all current processors that support Intel TSX unless IA32_ARCH_CAPABILITIES.TAA_NO (bit 8)=1. On CPUs affected by MDS, where IA32_ARCH_CAPABILITIES.MDS_NO (bit 5)=0, the existing MDS mitigations will also mitigate against TAA.

On CPUs that are not affected by MDS (where IA32_ARCH_CAPABILITIES.MDS_NO (bit 5)=1), and when the software is not using MDS mitigations, additional mitigation for TAA may be needed.

For more information on MDS, refer to Microarchitectural Data Sampling.

Impact Summary

Malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core by:

  • Other applications
  • Operating System (OS)
  • System Management Mode (SMM)
  • Intel® Software Guard Extensions (Intel® SGX) enclaves
  • Virtual Machine Manager (VMM) if present
  • Other guests running under the same VMM

CVE and CVSS

The CVE assigned to TAA is CVE-2019-11135 (6.5 Medium CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

Mitigation

A processor is affected by TAA if and only if both of the following conditions are true:

  • CPU supports TSX (see footnote 1)
  • CPU does not enumerate TAA_NO (see footnote 2)

Refer to the CPUs That Require Additional Mitigations section for a list of processors affected by TAA.

On CPUs affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=0), the mitigations for MDS will also help prevent TAA. Refer to Microarchitectural Data Sampling for more details.

On CPUs that do not require software MDS mitigations (IA32_ARCH_CAPABILITIES [MDS_NO]=1) there are two possible mitigation approaches for TAA:

  1. Software can apply the same mitigations that are needed to mitigate MDS. Specifically, software can execute VERW before kernel exits and VM entries and mitigate cross hyperthread attacks. This will help ensure that no data from other contexts can be leaked. Refer to Microarchitectural Data Sampling for more information on MDS mitigations. For VERW to clear affected buffers, a microcode update that adds support for the IA32_TSX_CTRL Model Specific Register (MSR) (IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1) may need to be loaded. Because VMMs may not expose this MSR to a guest, software using this approach should execute VERW even when IA32_TSX_CTRL support is not enumerated.
  2. Alternatively, it is possible to disable Intel TSX for the workload using the IA32_TSX_CTRL MSR (refer to the Enumeration and new MSRs section). Some processors may need to load a microcode update to add support for IA32_TSX_CTRL. The MSR supports disabling the RTM functionality of Intel TSX by setting TSX_CTRL_RTM_DISABLE (bit 0). When this bit is set, all RTM transactions will abort with abort code 0 before any instructions can execute within the transaction, even speculatively. On processors that enumerate IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1, HLE prefix hints are always ignored.

    For most usages when RTM is disabled, the respective RTM CPUID (CPUID.07h.EBX.RTM [bit 11]) should also be disabled by setting the TSX_CTRL_CPUID_CLEAR (bit 1) bit in IA32_TSX_CTRL. This will indicate to software using Intel TSX to use a fallback path immediately without trying to attempt a transaction.

    If it’s not possible to change the CPUID, the IA32_TSX_CTRL[TSX_CPUID_CLEAR] (bit 1) bit can be cleared to preserve the HLE and RTM CPUID bits. In this case, software using Intel TSX will attempt RTM transactions, but they will always abort until the software takes a fallback path.

    Using IA32_TSX_CTRL may require a new microcode update to be loaded. Support for IA32_TSX_CTRL is enumerated by CPUID.ARCH_CAP(EAX=7h,ECX=0):EDX[29] = 1 and IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) = 1.

On processors that do enumerate MD_CLEAR but don’t enumerate MDS_NO, both L1D_FLUSH and VERW overwrite the TAA-affected buffers.

On processors that enumerate both MDS_NO and TSX_CTRL, both L1D_FLUSH and VERW overwrite the TAA-affected buffers.
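The enumeration rules in this section can be collected into one decision function. The following C sketch is an added example, not Intel code: the names taa_classify and enum taa_state are hypothetical, the register values are passed in rather than read from hardware, and treating either TSX CPUID bit as "supports TSX" is a conservative assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions as given in this document. */
#define CPUID7_EBX_HLE      (1u << 4)
#define CPUID7_EBX_RTM      (1u << 11)
#define CPUID7_EDX_ARCH_CAP (1u << 29)  /* IA32_ARCH_CAPABILITIES enumerated */
#define ARCH_CAP_MDS_NO     (1ull << 5)
#define ARCH_CAP_TSX_CTRL   (1ull << 7)
#define ARCH_CAP_TAA_NO     (1ull << 8)

enum taa_state {                 /* hypothetical names for this example */
    TAA_NOT_AFFECTED,            /* no TSX, or TAA_NO=1 */
    TAA_USE_MDS_MITIGATION,      /* MDS_NO=0: MDS mitigations also cover TAA */
    TAA_VERW_OR_TSX_DISABLE,     /* MDS_NO=1, TSX_CTRL=1: VERW or IA32_TSX_CTRL */
    TAA_VERW_MICROCODE_MAY_HELP  /* MDS_NO=1, TSX_CTRL=0: still run VERW; a
                                    microcode update may need to be loaded */
};

/* ebx/edx: outputs of CPUID.(EAX=7,ECX=0); arch_cap: IA32_ARCH_CAPABILITIES
 * value, ignored when CPUID does not enumerate that MSR. */
enum taa_state taa_classify(uint32_t ebx, uint32_t edx, uint64_t arch_cap)
{
    /* Assumption: either TSX bit set is treated as "CPU supports TSX". */
    if (!(ebx & (CPUID7_EBX_RTM | CPUID7_EBX_HLE)))
        return TAA_NOT_AFFECTED;
    /* Footnote 2: MSR not enumerated means TAA_NO is not enumerated;
     * all capability bits are treated as 0 here. */
    if (!(edx & CPUID7_EDX_ARCH_CAP))
        arch_cap = 0;
    if (arch_cap & ARCH_CAP_TAA_NO)
        return TAA_NOT_AFFECTED;
    if (!(arch_cap & ARCH_CAP_MDS_NO))
        return TAA_USE_MDS_MITIGATION;
    return (arch_cap & ARCH_CAP_TSX_CTRL) ? TAA_VERW_OR_TSX_DISABLE
                                          : TAA_VERW_MICROCODE_MAY_HELP;
}

int main(void)
{
    /* Constructed sample: TSX present, MDS_NO=1, TSX_CTRL=1, TAA_NO=0. */
    uint32_t ebx = CPUID7_EBX_RTM | CPUID7_EBX_HLE, edx = CPUID7_EDX_ARCH_CAP;
    printf("state=%d\n",
           taa_classify(ebx, edx, ARCH_CAP_MDS_NO | ARCH_CAP_TSX_CTRL));
    return 0;
}
```
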

Implications for virtualized environments

To ensure that guests are properly mitigated, VMMs should load a microcode update that causes IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) to be set on processors that need additional mitigations for TAA.

To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.

VMMs should ensure they apply the mitigations described in the MDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor as untrusted guests.

Implications on Intel® TSX software

When Intel TSX is disabled at runtime using TSX_CTRL, but the CPUID enumeration of Intel TSX is not cleared, existing software using RTM may see aborts for every transaction. The abort will always return a 0 status code in EAX after XBEGIN. When the software does a number of transaction retries, it should never retry for a 0 status value, but go to the nontransactional fallback path immediately.
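A retry loop that follows this rule is sketched below as an added example, not code from Intel. The names run_elided, xbegin_fn and the begin_* stand-ins are hypothetical; the transaction start is injected as a function pointer so the policy can be exercised without TSX hardware, and the two constants mirror _XBEGIN_STARTED and _XABORT_RETRY from <immintrin.h>.

```c
#include <stdio.h>

/* Values mirror _XBEGIN_STARTED and _XABORT_RETRY from <immintrin.h>. */
#define XBEGIN_STARTED (~0u)
#define XABORT_RETRY   (1u << 1)

typedef unsigned (*xbegin_fn)(void);   /* hypothetical stand-in for _xbegin() */

struct elide_result {
    int attempts;       /* transactions attempted */
    int used_fallback;  /* 1 if the nontransactional path was taken */
};

/* Attempt the critical section transactionally at most max_attempts times.
 * Status 0 (what XBEGIN reports when RTM_DISABLE=1) ends the loop at once. */
struct elide_result run_elided(xbegin_fn begin, int max_attempts)
{
    struct elide_result r = {0, 0};
    while (r.attempts < max_attempts) {
        unsigned status = begin();
        r.attempts++;
        if (status == XBEGIN_STARTED)
            return r;   /* transactional path; _xend() would follow the work */
        /* The explicit 0 check documents the rule; 0 also lacks the retry hint. */
        if (status == 0 || !(status & XABORT_RETRY))
            break;
    }
    r.used_fallback = 1;  /* acquire the lock and run nontransactionally */
    return r;
}

/* Constructed stand-ins for hardware behaviour. */
static unsigned begin_rtm_disabled(void) { return 0; }
static unsigned begin_conflict(void)     { return XABORT_RETRY | (1u << 2); }
static unsigned begin_ok(void)           { return XBEGIN_STARTED; }

int main(void)
{
    struct elide_result a = run_elided(begin_rtm_disabled, 5);
    struct elide_result b = run_elided(begin_conflict, 5);
    struct elide_result c = run_elided(begin_ok, 5);
    printf("disabled: %d attempt(s), fallback=%d\n", a.attempts, a.used_fallback);
    printf("conflict: %d attempt(s), fallback=%d\n", b.attempts, b.used_fallback);
    printf("ok:       %d attempt(s), fallback=%d\n", c.attempts, c.used_fallback);
    return 0;
}
```
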

Intel® Software Guard Extensions (Intel® SGX)

Intel® Software Guard Extensions (Intel® SGX) enclaves are potentially impacted on CPUs that are not affected by MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=1) but that are affected by TAA (IA32_ARCH_CAPABILITIES[TAA_NO]=0). As the Intel® SGX security model does not trust the system software, Intel SGX cannot rely on the system software to disable Intel TSX or to clear the microarchitectural data buffers. Mitigating TAA for Intel SGX is achieved through a microcode update.

When the required microcode update is applied:

  1. The Intel SGX remote attestation will indicate whether the required microcode update has been applied.
  2. The mitigation for Intel SGX does not depend on the behavior of the OS or VMM.
  3. The processor automatically overwrites the affected microarchitecture data buffers when entering or exiting Intel SGX enclaves.
  4. On a hyperthreading-enabled processor, the processor automatically aborts any Intel TSX transaction on one logical processor when the sibling logical processor on the same physical core enters an Intel SGX enclave. The processor also prevents an Intel TSX transaction from starting on one logical processor if the sibling logical processor is currently executing an Intel SGX enclave.

Enumeration and new MSRs

IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) enumerates that the IA32_TSX_CTRL MSR exists and that TSX_CTRL supports bit 0 (RTM_DISABLE) and bit 1 (TSX_CPUID_CLEAR).

Table 1. Description of IA32_TSX_CTRL MSR

| Register Address | Register Name / Bit Fields | Bit Description | Comment |
|---|---|---|---|
| 122h | IA32_TSX_CTRL | | Thread scope. Not architecturally serializing. Available when CPUID.ARCH_CAP(EAX=7h,ECX=0):EDX[29] = 1 and IA32_ARCH_CAPABILITIES.bit 7 = 1 |
| | 0 | RTM_DISABLE: When set to 1 XBEGIN will always abort with EAX code 0. | |
| | 1 | TSX_CPUID_CLEAR: When set to 1 CPUID.07h.EBX.RTM [bit 11] and CPUID.07h.EBX.HLE [bit 4] report 0. When set to 0 and the SKU supports TSX these bits will return 1. | |

CPUs That Require Additional Mitigations

Table 2. Processors that require additional mitigations

| Family/Model | Stepping | Processor Families / Processor Number Series | Affected by TAA |
|---|---|---|---|
| 06_8E | 0xC | Whiskey Lake (ULT refresh) | If TSX supported |
| 06_55 | 6, 7 | 2nd Generation Intel® Xeon® Scalable Processors based on Cascade Lake microarchitecture | If TSX supported |
| 06_9E | 0xD | Coffee Lake R | If TSX supported |

CPUs That Do Not Require Additional Mitigations

There are three types of processors that do not require additional mitigations.

  1. CPUs that do not support Intel TSX are not affected (see footnote 3).
  2. CPUs that enumerate IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=1 are not affected.
  3. CPUs that support Intel TSX and do not enumerate IA32_ARCH_CAPABILITIES[MDS_NO] (bit 5)=1 do not need additional mitigations beyond what is already required to mitigate MDS.

Footnotes

  1. Intel TSX support is indicated by CPUID.07h.EBX.RTM (bit 11) set to 1 and CPUID.07h.EBX.HLE (bit 4) set to 1.
  2. CPUID.7.EDX[IA32_ARCH_CAPABILITIES supported]=0 or IA32_ARCH_CAPABILITIES[TAA_NO]=0.
  3. No Intel TSX support is indicated by CPUID.07h.EBX.RTM (bit 11) set to 0 and CPUID.07h.EBX.HLE (bit 4) set to 0.

 
