TSX Asynchronous Abort speculative side channel


#### ISSUE DESCRIPTION

This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS.

A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous Abort is a state which occurs between a transaction definitely aborting (usually for reasons outside of the pipeline's control, e.g. receiving an interrupt), and architectural state being rolled back to the start of the transaction. During this period, speculative execution may be able to infer the value of data in the microarchitectural structures.

For more details, see: https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort

#### IMPACT

An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can sample the content of recently-used memory operands and IO Port writes. This can include data from:

* A previously executing context (process, or guest, or hypervisor/toolstack) at the same privilege level.
* A higher privilege context (kernel, hypervisor, SMM) which interrupted the attacker's execution.

Vulnerable data is that on the same physical core as the attacker. This includes, when hyper-threading is enabled, adjacent threads.

An attacker cannot use this vulnerability to target specific data. An attack would likely require sampling over a period of time and the application of statistical methods to reconstruct interesting data.

#### VULNERABLE SYSTEMS

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable.
Only Intel-based processors are affected. Processors from other manufacturers (e.g. AMD) are not believed to be vulnerable.

Only Intel processors supporting TSX (Transactional Synchronization eXtensions) are affected.

Systems which have the XSA-297 (MDS) fixes, and do not enumerate MDS_NO (hardware fixes to MDS), are not vulnerable to TAA (XSA-305). (Specifically, the XSA-297 changes of using VERW flushing and disabling HyperThreading will prevent data leakage via both MDS and TAA.)

If the XSA-297 Xen patches for MDS have been applied, Xen will identify at boot whether the CPU reports MDS_NO, for example:

```
[root@localhost ~]# xl dmesg | grep MDS_NO
(XEN) Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR IBRS_ALL RDCL_NO SKIP_L1DFL MDS_NO
```

Support for TSX is reported by Linux (>=3.4) as `hle` and `rtm` in the cpu flags (`grep -e hle -e rtm /proc/cpuinfo`). (Note that applying Option A from Resolution, below, will disable TSX, so suppressing this report, even if the CPU would be vulnerable with TSX enabled.)

In summary: systems which support TSX and enumerate MDS_NO are vulnerable to XSA-305 (TAA).
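The two indicators above (the `hle`/`rtm` cpu flags and the `MDS_NO` feature in `xl dmesg`) combine into the three cases the advisory distinguishes. The following script is an added example, not part of the advisory or of Xen's own tooling: it takes the text of `/proc/cpuinfo` and of `xl dmesg` as arguments so it can be run against captured output, and the sample inputs embedded below are constructed, not taken from a real machine. The function name `taa_classify` and its three result strings are this example's own convention.

```shell
#!/bin/sh
# Added example (not part of XSA-305): classify a host into the advisory's
# three cases from the two indicators it names. Inputs are passed as text so
# the check can be run on captured output as well as on a live dom0.

# taa_classify CPUINFO_TEXT XLDMESG_TEXT
#   prints one of:
#     no-tsx        - no hle/rtm flags: CPU lacks TSX, or TSX was disabled
#     tsx-no-mdsno  - TSX present, MDS_NO absent: XSA-297 VERW/HT fixes cover TAA
#     tsx-mdsno     - TSX present and MDS_NO enumerated: the XSA-305 case
taa_classify() {
    cpuinfo="$1"
    xldmesg="$2"

    # Linux (>=3.4) reports TSX as the `hle' and `rtm' cpu flags.
    # Anchor on whitespace so e.g. a flag merely containing "rtm" does not match.
    if printf '%s\n' "$cpuinfo" | grep -qE '(^|[[:space:]])(hle|rtm)([[:space:]]|$)'; then
        tsx=yes
    else
        tsx=no
    fi

    # A Xen with the XSA-297 patches prints MDS_NO in its
    # "(XEN) Hardware features:" line when the CPU enumerates it.
    if printf '%s\n' "$xldmesg" | grep -qE '(^|[[:space:]])MDS_NO([[:space:]]|$)'; then
        mdsno=yes
    else
        mdsno=no
    fi

    if [ "$tsx" = no ]; then
        # Caveat from the advisory: with TSX disabled (Option A) the flags
        # vanish, so this check cannot tell "no TSX" from "TSX turned off".
        echo no-tsx
    elif [ "$mdsno" = no ]; then
        echo tsx-no-mdsno
    else
        echo tsx-mdsno
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO_TSX='flags : fpu vme de pse tsc msr pae mce cx8 hle avx2 rtm'
SAMPLE_CPUINFO_NOTSX='flags : fpu vme de pse tsc msr pae mce cx8 avx2'
SAMPLE_XLDMESG_MDSNO='(XEN) Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR IBRS_ALL RDCL_NO SKIP_L1DFL MDS_NO'
SAMPLE_XLDMESG_NOMDSNO='(XEN) Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR IBRS_ALL RDCL_NO SKIP_L1DFL'

# Run the three constructed cases so the script shows its behaviour stand-alone.
echo "tsx + MDS_NO     -> $(taa_classify "$SAMPLE_CPUINFO_TSX"   "$SAMPLE_XLDMESG_MDSNO")"
echo "tsx, no MDS_NO   -> $(taa_classify "$SAMPLE_CPUINFO_TSX"   "$SAMPLE_XLDMESG_NOMDSNO")"
echo "no tsx           -> $(taa_classify "$SAMPLE_CPUINFO_NOTSX" "$SAMPLE_XLDMESG_MDSNO")"

# On a live Xen dom0 the same function would be fed real output, e.g.:
#   taa_classify "$(grep -m1 '^flags' /proc/cpuinfo)" "$(xl dmesg | grep MDS_NO)"
```

Only the `tsx-mdsno` result means the host is in the class the advisory calls vulnerable to XSA-305; `tsx-no-mdsno` relies on the XSA-297 mitigations actually being applied, which this script does not verify. A `no-tsx` result after Option A has been applied is expected and does not mean the CPU would be safe with TSX re-enabled.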