x86/tsx: Add config options to set tsx=on|off|auto

There is a general consensus that TSX usage is not largely spread while
the history shows there is a non trivial space for side channel attacks
possible. Therefore the tsx is disabled by default even on platforms
that might have a safe implementation of TSX according to the current
knowledge. This is a fair trade off to make.

There are, however, workloads that really do benefit from using TSX and
updating to a newer kernel with TSX disabled might introduce a
noticeable regressions. This would be especially a problem for Linux
distributions which will provide TAA mitigations.

Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON
and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config
setting can be overridden by the tsx cmdline options.

 [ bp: Text cleanups from Josh. ]

Suggested-by: Borislav Petkov <bpetkov@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d6e1faa28c58ebaea297e8e450e9edf2319b3a1a..8ef85139553f5a4ad5187375af898266355c4177 100644 (file)
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1940,6 +1940,51 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS
 
          If unsure, say y.
 
+choice
+       prompt "TSX enable mode"
+       depends on CPU_SUP_INTEL
+       default X86_INTEL_TSX_MODE_OFF
+       help
+         Intel's TSX (Transactional Synchronization Extensions) feature
+         allows to optimize locking protocols through lock elision which
+         can lead to a noticeable performance boost.
+
+         On the other hand it has been shown that TSX can be exploited
+         to form side channel attacks (e.g. TAA) and chances are there
+         will be more of those attacks discovered in the future.
+
+         Therefore TSX is not enabled by default (aka tsx=off). An admin
+         might override this decision by tsx=on the command line parameter.
+         Even with TSX enabled, the kernel will attempt to enable the best
+         possible TAA mitigation setting depending on the microcode available
+         for the particular machine.
+
+         This option allows to set the default tsx mode between tsx=on, =off
+         and =auto. See Documentation/admin-guide/kernel-parameters.txt for more
+         details.
+
+         Say off if not sure, auto if TSX is in use but it should be used on safe
+         platforms or on if TSX is in use and the security aspect of tsx is not
+         relevant.
+
+config X86_INTEL_TSX_MODE_OFF
+       bool "off"
+       help
+         TSX is disabled if possible - equals to tsx=off command line parameter.
+
+config X86_INTEL_TSX_MODE_ON
+       bool "on"
+       help
+         TSX is always enabled on TSX capable HW - equals the tsx=on command
+         line parameter.
+
+config X86_INTEL_TSX_MODE_AUTO
+       bool "auto"
+       help
+         TSX is enabled on TSX capable HW that is believed to be safe against
+         side channel attacks- equals the tsx=auto command line parameter.
+endchoice
+
 config EFI
        bool "EFI runtime service support"
        depends on ACPI

diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
index dda328ec2ba19e90b4849b8c0bdd9a65ad31535a..3e20d322bc98b636cde2747394d26fcec8783a0c 100644 (file)
--- a/arch/x86/kernel/cpu/tsx.c
+++ b/arch/x86/kernel/cpu/tsx.c
@@ -73,6 +73,14 @@ static bool __init tsx_ctrl_is_supported(void)
        return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR);
 }
 
+static enum tsx_ctrl_states x86_get_tsx_auto_mode(void)
+{
+       if (boot_cpu_has_bug(X86_BUG_TAA))
+               return TSX_CTRL_DISABLE;
+
+       return TSX_CTRL_ENABLE;
+}
+
 void __init tsx_init(void)
 {
        char arg[5] = {};
@@ -88,17 +96,19 @@ void __init tsx_init(void)
                } else if (!strcmp(arg, "off")) {
                        tsx_ctrl_state = TSX_CTRL_DISABLE;
                } else if (!strcmp(arg, "auto")) {
-                       if (boot_cpu_has_bug(X86_BUG_TAA))
-                               tsx_ctrl_state = TSX_CTRL_DISABLE;
-                       else
-                               tsx_ctrl_state = TSX_CTRL_ENABLE;
+                       tsx_ctrl_state = x86_get_tsx_auto_mode();
                } else {
                        tsx_ctrl_state = TSX_CTRL_DISABLE;
                        pr_err("tsx: invalid option, defaulting to off\n");
                }
        } else {
-               /* tsx= not provided, defaulting to off */
-               tsx_ctrl_state = TSX_CTRL_DISABLE;
+               /* tsx= not provided */
+               if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO))
+                       tsx_ctrl_state = x86_get_tsx_auto_mode();
+               else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF))
+                       tsx_ctrl_state = TSX_CTRL_DISABLE;
+               else
+                       tsx_ctrl_state = TSX_CTRL_ENABLE;
        }
 
        if (tsx_ctrl_state == TSX_CTRL_DISABLE) {