authorMichal Hocko <mhocko@suse.com>2019-10-23 06:35:50 -0400
committerThomas Gleixner <tglx@linutronix.de>2019-10-28 04:12:18 -0400
commitdb616173d787395787ecc93eef075fa975227b10 (patch)
tree9b55a074699594c3d20d2c1959d89a111717b908
parenta7a248c593e4fd7a67c50b5f5318fe42a0db335e (diff)
x86/tsx: Add config options to set tsx=on|off|auto
There is a general consensus that TSX usage is not widespread while the history shows there is a non trivial space for side channel attacks possible. Therefore the tsx is disabled by default even on platforms that might have a safe implementation of TSX according to the current knowledge. This is a fair trade off to make. There are, however, workloads that really do benefit from using TSX and updating to a newer kernel with TSX disabled might introduce noticeable regressions. This would be especially a problem for Linux distributions which will provide TAA mitigations. Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config setting can be overridden by the tsx cmdline options. [ bp: Text cleanups from Josh. ] Suggested-by: Borislav Petkov <bpetkov@suse.de> Signed-off-by: Michal Hocko <mhocko@suse.com> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
-rw-r--r--arch/x86/Kconfig45
-rw-r--r--arch/x86/kernel/cpu/tsx.c22
2 files changed, 61 insertions, 6 deletions
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d6e1faa28c58..8ef85139553f 100644
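--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1940,6 +1940,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
 
  If unsure, say y.
 
+choice
+ prompt "TSX enable mode"
+ depends on CPU_SUP_INTEL
+ default X86_INTEL_TSX_MODE_OFF
+ help
+ Intel's TSX (Transactional Synchronization Extensions) feature
+ allows to optimize locking protocols through lock elision which
+ can lead to a noticeable performance boost.
+
+ On the other hand it has been shown that TSX can be exploited
+ to form side channel attacks (e.g. TAA) and chances are there
+ will be more of those attacks discovered in the future.
+
+ Therefore TSX is not enabled by default (aka tsx=off). An admin
+ might override this decision by tsx=on the command line parameter.
+ Even with TSX enabled, the kernel will attempt to enable the best
+ possible TAA mitigation setting depending on the microcode available
+ for the particular machine.
+
+ This option allows to set the default tsx mode between tsx=on, =off
+ and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
+ details.
+
+ Say off if not sure, auto if TSX is in use but it should be used on safe
+ platforms or on if TSX is in use and the security aspect of tsx is not
+ relevant.
+
+config X86_INTEL_TSX_MODE_OFF
+ bool "off"
+ help
+ TSX is disabled if possible - equals to tsx=off command line parameter.
+
+config X86_INTEL_TSX_MODE_ON
+ bool "on"
+ help
+ TSX is always enabled on TSX capable HW - equals the tsx=on command
+ line parameter.
+
+config X86_INTEL_TSX_MODE_AUTO
+ bool "auto"
+ help
+ TSX is enabled on TSX capable HW that is believed to be safe against
+ side channel attacks- equals the tsx=auto command line parameter.
+endchoice
+
 config EFI
  bool "EFI runtime service support"
  depends on ACPI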
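Review bot: The help text under `config X86_INTEL_TSX_MODE_ON` says only that TSX is always enabled on TSX capable hardware, so someone reading just that entry is not told that this also covers CPUs affected by TAA (the matching fallback in tsx.c selects `TSX_CTRL_ENABLE` without consulting `X86_BUG_TAA`). I would add a sentence to that entry along the lines of `This includes CPUs affected by TAA, which then depend on the TAA mitigation.`, because the trade-off is otherwise described only in the choice-level help. Separately, `by tsx=on the command line parameter` in the choice help has its words transposed and should read `by the tsx=on command line parameter`.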
diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
index dda328ec2ba1..3e20d322bc98 100644
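--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -73,6 +73,14 @@ static bool __init tsx_ctrl_is_supported(void)
  return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
 }
 
+static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
+{
+ if (boot_cpu_has_bug(X86_BUG_TAA))
+ return TSX_CTRL_DISABLE;
+
+ return TSX_CTRL_ENABLE;
+}
+
 void __init tsx_init(void)
 {
  char arg[5] = {};
@@ -88,17 +96,19 @@ void __init tsx_init(void)
  } else if (!strcmp(arg, "off")) {
  tsx_ctrl_state = TSX_CTRL_DISABLE;
  } else if (!strcmp(arg, "auto")) {
- if (boot_cpu_has_bug(X86_BUG_TAA))
- tsx_ctrl_state = TSX_CTRL_DISABLE;
- else
- tsx_ctrl_state = TSX_CTRL_ENABLE;
+ tsx_ctrl_state = x86_get_tsx_auto_mode();
  } else {
  tsx_ctrl_state = TSX_CTRL_DISABLE;
  pr_err("tsx: invalid option, defaulting to off\n");
  }
  } else {
- /* tsx= not provided, defaulting to off */
- tsx_ctrl_state = TSX_CTRL_DISABLE;
+ /* tsx= not provided */
+ if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO))
+ tsx_ctrl_state = x86_get_tsx_auto_mode();
+ else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF))
+ tsx_ctrl_state = TSX_CTRL_DISABLE;
+ else
+ tsx_ctrl_state = TSX_CTRL_ENABLE;
  }
 
  if (tsx_ctrl_state == TSX_CTRL_DISABLE) {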
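Review bot: The Kconfig fallback in the `tsx= not provided` branch ends in a bare `else` that selects `TSX_CTRL_ENABLE`, so any build in which neither `CONFIG_X86_INTEL_TSX_MODE_AUTO` nor `CONFIG_X86_INTEL_TSX_MODE_OFF` is set gets TSX enabled, with no `X86_BUG_TAA` check on that path. The invalid-option branch just above fails closed to `TSX_CTRL_DISABLE`; the same shape here would test the permissive symbol explicitly, `else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_ON)) tsx_ctrl_state = TSX_CTRL_ENABLE;`, and keep `else tsx_ctrl_state = TSX_CTRL_DISABLE;` as the default. Whether a configuration with none of the three symbols can actually build this file is not visible from the page, so this is hardening rather than a confirmed bug. `tsx_init()` begins in the first hunk and continues past the end of the second, so the rest of its body was not reviewed.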