You said this might have been resolved differently anyway with the newest kernel having again hle/rtm enabled - I haven't heard about it but that would probably be even better.
Lets see on the kernel side.
- Fixes for CVE-2019-11135 got added in 4.15.0-69.78
- This was reported against 4.15.0-70
- Wondering about 4.15.0-72 being ok again
212 tsx=on tsx_async_abort=full The system will use VERW to clear CPU
213 buffers. Cross-thread attacks are still
214 possible on SMT machines.
215 tsx=on tsx_async_abort=full,nosmt As above, cross-thread attacks on SMT
216 mitigated.
217 tsx=on tsx_async_abort=off The system is vulnerable.
218 tsx=off tsx_async_abort=full TSX might be disabled if microcode
219 provides a TSX control MSR. If so,
220 system is not vulnerable.
221 tsx=off tsx_async_abort=full,nosmt Ditto
222 tsx=off tsx_async_abort=off ditto
Maybe the initial take was tsx=off which would switch off those flags. But now is any of the tsx=on but with full mitigations? But I'm guessing at this point.
I have not found a clear kernel change since then (not until 4.15.0-73.82, but even less so between .70 and .72) that would change these.
The only related "- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs" seems to only affect print output, but not change behavior.
Furthermore none of the systems I have has got hle/rtm back since then.
@Nobuto - has your system any of the above kernel parameters set manually?
I haven't heard from this by sbeattie or others after my last update.
Lets ping security to be sure this hasn't been forgotten.
(I have done that on IRC as well)
@Security - any updates on this from your side?
You said this might have been resolved differently anyway with the newest kernel having again hle/rtm enabled - I haven't heard about it but that would probably be even better.
Lets see on the kernel side.
- Fixes for CVE-2019-11135 got added in 4.15.0-69.78
- This was reported against 4.15.0-70
- Wondering about 4.15.0-72 being ok again
Reading the latest state of Documentation/ admin-guide/ hw-vuln/ tsx_async_ abort.rst shows: /www.kernel. org/doc/ html/latest/ admin-guide/ hw-vuln/ tsx_async_ abort.html# mitigation- control- on-the- kernel- command- line
https:/
212 tsx=on tsx_async_ abort=full The system will use VERW to clear CPU abort=full, nosmt As above, cross-thread attacks on SMT abort=full TSX might be disabled if microcode abort=full, nosmt Ditto
213 buffers. Cross-thread attacks are still
214 possible on SMT machines.
215 tsx=on tsx_async_
216 mitigated.
217 tsx=on tsx_async_abort=off The system is vulnerable.
218 tsx=off tsx_async_
219 provides a TSX control MSR. If so,
220 system is not vulnerable.
221 tsx=off tsx_async_
222 tsx=off tsx_async_abort=off ditto
Maybe the initial take was tsx=off which would switch off those flags. But now is any of the tsx=on but with full mitigations? But I'm guessing at this point. /taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs" seems to only affect print output, but not change behavior.
I have not found a clear kernel change since then (not until 4.15.0-73.82, but even less so between .70 and .72) that would change these.
The only related "- x86/speculation
Furthermore none of the systems I have has got hle/rtm back since then.
@Nobuto - has your system any of the above kernel parameters set manually?
I haven't heard from this by sbeattie or others after my last update.
Lets ping security to be sure this hasn't been forgotten.
(I have done that on IRC as well)
@Security - any updates on this from your side?