Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Has Hardware Lock Elision gone forever due to Spectre Mitigation?

Is this correct that Hardware Lock Elision is disabled for all current CPUs due to Spectre mitigation, and any attempt to have a mutex using HLE intrinsics/instructions would result in usual mutex?

Is this likely that there will not be anything like HLE mutexes in future to avoid vulnerabilities like Spectre?

like image 869
Alex Guteniev Avatar asked Apr 19 '20 19:04

Alex Guteniev


1 Answers

So, TSX may be disabled not to mitigate Spectre, but as a part of another vulnerability mitigation, TSX Asynchronous Abort (TAA).

Here's relevant article on Intel website:

  • Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270

Which links to two more detailed articles:

  • TSX Asynchronous Abort (TAA) CVE-2019-11135
  • Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12126

Links contain the following information:

  • Some future or even current CPUs may have hardware mitigation for TAA, detected by IA32_ARCH_CAPABILITIES[TAA_NO]=1.
  • Otherwise if the CPU is susceptible to MDS (IA32_ARCH_CAPABILITIES[MDS_NO]=0), software mitigation for MDS will also mitigate TAA
  • In the case of IA32_ARCH_CAPABILITIES[TAA_NO]=0 and IA32_ARCH_CAPABILITIES[MDS_NO]=1, TAA should be mitigated by one of following:
    • Software mitigation
    • Selectively disabling TSX

Ability for above mentioned selectively disabling TSX arrives with microcode update. After such microcode update, ability to control TSX is controlled by IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1.

Now, about HLE. TAA article says:

Some processors may need to load a microcode update to add support for IA32_TSX_CTRL. The MSR supports disabling the RTM functionality of Intel TSX by setting TSX_CTRL_RTM_DISABLE (bit 0). When this bit is set, all RTM transactions will abort with abort code 0 before any instructions can execute within the transaction, even speculatively. On processors that enumerate IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7)=1, HLE prefix hints are always ignored.

The HLE feature is also marked as removed in Intel® 64 and IA-32 Architectures Software Developer’s Manual:

2.5 INTEL INSTRUCTION SET ARCHITECTURE AND FEATURES REMOVED

Intel® Memory Protection Extensions (Intel® MPX) MSR_TEST_CTRL, bit 31 (MSR address 33H) Hardware Lock Elision (HLE)

I believe that I have answers to my questions:

Is this correct that Hardware Lock Elision is disabled for all current CPUs due to Spectre TAA mitigation, and any attempt to have a mutex using HLE intrinsics/instructions would result in usual mutex?

Yes. It is deprecated. Unless Intel undeprecates it.

Is this likely that there will not be anything like HLE mutexes in future to avoid vulnerabilities like Spectre?

No. There is still RTM, which may be not disabled, and it can be used to create mutexes like HLE mutexes. There may also may be future processors not susceptible to TAA, RTM may work for them.

like image 83
Alex Guteniev Avatar answered Sep 24 '22 12:09

Alex Guteniev