Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX).
TSX is the Intel technology that opens the company's CPUs to attacks via the Zombieload v2 vulnerability.
Zombieload v2 is the codename of a vulnerability that allows malware or a malicious threat actor to extract information processed inside a CPU, information they normally shouldn't be able to access due to the security walls present inside modern-day CPUs.
This new vulnerability was disclosed earlier this week. Intel said it would release microcode (CPU firmware) updates -- available on the company's Support & Downloads center.
But, the reality of a real-world production environment is that performance matters. Past microcode updates for other attacks, such as Meltdown, Spectre, Foreshadow, Fallout, and Zombieload v1, have been known to introduce performance hits of up to 40%.
Seeing that all the CPU attacks listed above are not only theoretical but also hard to pull off, some companies don't see taking this performance hit as an option.
Many skip applying the microcode updates, or, even if they do apply them, also disable the technology that exposes the attack surface when they're not using it, just to be sure they're not impacted by any attacks or performance slowdowns.
Earlier this week, Microsoft published guidance on how system administrators can do so with Intel's TSX, using registry keys.
They can disable TSX via the following registry setting:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 1 /f
When they need TSX again, they can re-enable it via the following:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 0 /f
On Linux systems where administrators have applied Intel's microcode updates, there is also now a model-specific register (MSR) that can be used to disable TSX.
TSX has been shipping with Intel CPUs since the release of the Haswell line in 2013. According to Intel's official security advisory, the following CPU series are impacted:
Product Collection | Product Names | Vertical Segment | CPUID | Platform ID |
--- | --- | --- | --- | --- |
10th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i7-10510Y, i5-10310Y Intel® Core™ Processor i7-8500Y Intel® Core™ Processor i5-8310Y, i5-8210Y, i5-8200Y | Mobile | 806EC | 94 |
2nd Generation Intel® Xeon® Scalable Processors | Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282 Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R Intel® Xeon® Bronze Processor 3204, 3206R | Server | 50657 | BF |
Intel® Xeon® W Processor Family | Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 | Workstation | 50657 | BF |
9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9980HK, 9880H | Mobile | 906ED | 22 |
9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9900K, i9-9900KF Intel® Core™ Processor i7-9700K, i7-9700KF Intel® Core™ Processor i5-9600K, i5-9600KF, i5-9400, i5-9400F | Desktop | 906ED | 22 |
Intel® Xeon® Processor E Family | Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G | Workstation/ Server / AMT Server | 906ED | 22 |
10th Generation Intel® Core™ Processor Family Intel® Pentium® Gold Processor Series Intel® Celeron® Processor 5000 Series | Intel® Core™ Processor i7-10510U Intel® Core™ Processor i5-10210U Intel® Pentium® Gold Processor 6405U Intel® Celeron® Processor 5305U | Mobile | 806EC | 94 |
8th Generation Intel® Core™ Processors | Intel® Core™ Processor i7-8565U, i7-8665U Intel® Core™ Processor i5-8365U, i5-8265U | Mobile | 806EC | 94 |
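
To check a Linux host against the CPUID column of the table above, the following added example (not code from Microsoft, Intel or the original article) rebuilds the CPUID signature from the family, model and stepping values in /proc/cpuinfo and reports whether the rtm/hle TSX feature flags are still advertised. The function names and the sample text are constructed for illustration, and a signature that is not in the table only means the table does not list it.

```python
"""Match a Linux host against the CPUID column of the table above (added example)."""

# CPUID signatures copied from the table's CPUID column.
LISTED_CPUIDS = {0x806EC, 0x50657, 0x906ED}
TSX_FLAGS = {"rtm", "hle"}  # /proc/cpuinfo flag names for the two TSX interfaces

# Constructed sample in /proc/cpuinfo layout, not taken from a real machine.
SAMPLE = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model\t\t: 158\n"
    "model name\t: constructed sample CPU\n"
    "stepping\t: 13\n"
    "flags\t\t: fpu sse2 avx2 hle rtm\n"
)

def parse_first_cpu(text):
    """Return the key/value fields of the first logical CPU block."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # blank line ends the first CPU's block
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def cpuid_signature(family, model, stepping):
    """Rebuild CPUID leaf 1 EAX from the decimal values Linux prints (type bits = 0)."""
    base_family, ext_family = (15, family - 15) if family >= 15 else (family, 0)
    ext_model = model >> 4 if base_family in (6, 15) else 0
    return (ext_family << 20 | ext_model << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def assess(text):
    """Report the CPUID signature, whether the table lists it, and visible TSX flags."""
    cpu = parse_first_cpu(text)
    sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
    listed = cpu.get("vendor_id") == "GenuineIntel" and sig in LISTED_CPUIDS
    tsx = sorted(TSX_FLAGS & set(cpu.get("flags", "").split()))
    return {"cpuid": f"{sig:X}", "listed": listed, "tsx_flags": tsx}

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            print(assess(fh.read()))
    except (OSError, KeyError):  # not Linux/x86: fall back to the sample
        print(assess(SAMPLE))
```

A host where `listed` is true and `tsx_flags` is non-empty is one of the tabled parts with TSX still visible to software.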