-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2019-11135 / XSA-305
                               version 2

            TSX Asynchronous Abort speculative side channel

UPDATES IN VERSION 2
====================

Fix patch descriptions to describe 305, not 304.  Tweak to make
it easily parsable.

ISSUE DESCRIPTION
=================

This is very closely related to the Microarchitectural Data Sampling
vulnerabilities from May 2019.

Please see https://xenbits.xen.org/xsa/advisory-297.html for details
about MDS.

A new way to sample data from microarchitectural structures has been
identified.  A TSX Asynchronous Abort is a state which occurs between a
transaction definitely aborting (usually for reasons outside of the
pipeline's control e.g. receiving an interrupt), and architectural state
being rolled back to start of the transaction.

During this period, speculative execution may be able to infer the value
of data in the microarchitectural structures.

For more details, see:
  https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort

IMPACT
======

An attacker, which could include a malicious untrusted user process on a
trusted guest, or an untrusted guest, can sample the content of
recently-used memory operands and IO Port writes.

This can include data from:

 * A previously executing context (process, or guest, or
   hypervisor/toolstack) at the same privilege level.
 * A higher privilege context (kernel, hypervisor, SMM) which
   interrupted the attacker's execution.

Vulnerable data is that on the same physical core as the attacker.  This
includes, when hyper-threading is enabled, adjacent threads.

An attacker cannot use this vulnerability to target specific data.  An
attack would likely require sampling over a period of time and the
application of statistical methods to reconstruct interesting data.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.
ARM processors are not believed to be vulnerable.

Only Intel based processors are affected.  Processors from other
manufacturers (e.g. AMD) are not believed to be vulnerable.

Only Intel processors supporting TSX (Transactional Synchronization
eXtensions) are affected.

Systems which have the XSA-297 (MDS) fixes, and do not enumerate
MDS_NO (Hardware fixes to MDS) are not vulnerable to TAA (XSA-305).
(Specifically, the XSA-297 changes of using VERW flushing and disabling
HyperThreading will prevent data leakage via both MDS and TAA.)

If the XSA-297 Xen patches for MDS have been applied, Xen will
identify at boot if the CPU reports MDS_NO.  i.e.

  [root@localhost ~]# xl dmesg | grep MDS_NO
  (XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR IBRS_ALL RDCL_NO SKIP_L1DFL MDS_NO

Support for TSX is reported by Linux (>=3.4) as `hle' and `rtm' in the
cpu flags (`grep -e hle -e rtm /proc/cpuinfo').  (Note that applying
Option A from Resolution, below, will disable TSX so suppressing this
report, even if the CPU would be vulnerable with TSX enabled.)

In summary: systems which support TSX and enumerate MDS_NO are
vulnerable to XSA-305 (TAA).

MITIGATION
==========

There is no mitigation available.

RESOLUTION
==========

New microcode is required in all cases.  It may be available via a
firmware update (consult your hardware vendor), or available for
boot-time loading (consult your dom0 OS vendor).

There are two approaches:

Option A:

  * Upgrade to the new microcode.
  * Apply the Xen patches (listed below).

  This will disable TSX (by default, but reenabling it would
  reintroduce the vulnerability).  This option is the recommended
  resolution.

Option B:

  * Upgrade to the new microcode.
  * Boot Xen with `smt=0 spec-ctrl=md-clear'.
  * (The patches are not strictly required.)

  This option is recommended only if it is known that the workload is
  such that it is important to retain the TSX feature.

  `smt=0' disables hyper-threading, and will have a significant
  performance impact.  See `DISCUSSION CONCERNING SMT/HYPER-THREADING'
  in XSA-297 for more information about the implications and options.

  Note that the Xen command line argument `spec-ctrl=md-clear' must be
  specified to mitigate XSA-305, even though some readings of XSA-297
  suggest it might be enabled by default when needed.  This is because
  Option B reuses the same mitigation for a new problem.
  `spec-ctrl=md-clear' is the default on CPUs vulnerable to XSA-297;
  however, it is not the default on CPUs vulnerable to XSA-305.

In each case with the Xen patches applied, appropriate microcode can
be observed by finding TSX_CTRL enumerated:

  [root@localhost ~]# xl dmesg | grep TSX_CTRL
  (XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR IBRS_ALL RDCL_NO SKIP_L1DFL MDS_NO TSX_CTRL

There is no further action (beyond Option A or B above) required for
guest kernel/userspace software, and nothing they could do differently
to protect themselves in the absence of those changes.

xsa305/xsa305-?.patch           xen-unstable
xsa305/xsa305-4.12-?.patch      Xen 4.12.x
xsa305/xsa305-4.11-?.patch      Xen 4.11.x
xsa305/xsa305-4.10-?.patch      Xen 4.10.x
xsa305/xsa305-4.9-?.patch       Xen 4.9.x
xsa305/xsa305-4.8-?.patch       Xen 4.8.x

$ sha256sum xsa305* xsa305*/*
97c9bf1d1e3347ad64f3c7a567938bbdc4f07eb135e8cc5a4c3050400963b445  xsa305.meta
b74bd3954b9c76eee7d9f2c594d5d5c05996f631696b68142f6e5cbe0ceaddf7  xsa305/xsa305-1.patch
67d30c248eefdd8552630c56d55adb9934f575a1fe1f15f7a0fca7d3d099de48  xsa305/xsa305-2.patch
b64837e7a75cad86b0bb52379c781b8ea93094569d1a8f9e044c580cc6654869  xsa305/xsa305-4.8-1.patch
cbb65761ba8d844d8297e50d3f95cb708b656b5a81a03fa808eb05fb7e58dbcd  xsa305/xsa305-4.8-2.patch
607a8fb5006268ca48143729e59d135d6a6d6aac0a77119f44f7ab09a5b600bb  xsa305/xsa305-4.9-1.patch
f26ee247e0346144ed477c731930ba3ce562f586d6d2fb76f2926a1a32ab2807  xsa305/xsa305-4.9-2.patch
91be2c6b9a81e693c9583c0936c78a7eaaf51815d6ae7e0323be383b334ce73c  xsa305/xsa305-4.10-1.patch
b15d2feee4a3b9064a2b5387ee0e218f6b05f8b849f80e18f5bbdffcdaf418bc  xsa305/xsa305-4.10-2.patch
c47fcab07123f551a49c7bf96cad82f7bf9c4bb161b46b84f325e400c6438f3e  xsa305/xsa305-4.11-1.patch
2bb81d261c3dc4f3c825ce9795ab4ac9ea08b0d99537ca61d56876be1e6a5d2a  xsa305/xsa305-4.11-2.patch
c6c7551d1c40340401b3a52a8d4dfa4c24b791764fcc08215d270aabff86474e  xsa305/xsa305-4.12-1.patch
a528aaaed32b632779a17cf2ed648903d7bc48ba213d6c8f7ce2d78f493e097c  xsa305/xsa305-4.12-2.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

Despite an attempt to organise predisclosure, the discoverers ultimately
did not authorise a predisclosure.
-----BEGIN PGP SIGNATURE-----

iQE/BAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl82wNwMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ8cQH+JOrsVRDz6I6lI19dU5p7ck/AgdCNqA+4Bmtxcr5
sO67gchv5i/X4nQVz9+XZlanxEdUd5djTx78GKpCrIzL6xWnOYAnhH2Q284pdj89
gnlCelX6l0PXECtxw77aTF5G29W0euJ3MqNKjNErwMxtJIIY5khOKm6wV3F7KvpP
uzJunZsKOhw+oD1pah7dkwuB6r6QFBr9k8p2HU8HymQUBiRVmRtJRmrF94RJ9Yl+
N4n4PSno/gLDxGnWmxi8W1S4yhX7fqYc7lZrtBkKa8uUO73CEccXszyWtsE7473r
tWhD+Yq+eE9JaevXcrPt8+meFcVfoMdGhUDHyx8EEtsrOA==
=ppo2
-----END PGP SIGNATURE-----