Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks

Date: 2019-11-14

Disclosure of new Zombieload v2 vulnerability prompts OS makers to react with ways to disable Intel's TSX technology.

for Zero Day

Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX).

TSX is the Intel technology that opens the company's CPUs to attacks via the Zombieload v2 vulnerability.

Zombieload v2 is the codename of a vulnerability that allows malware or a malicious threat actor to extract information processed inside a CPU, information they normally shouldn't be able to access due to the security walls present inside modern-day CPUs.

This new vulnerability was disclosed earlier this week. Intel said it would release microcode (CPU firmware) updates -- available on the company's Support & Downloads center.

But, the reality of a real-world production environment is that performance matters. Past microcode updates for other attacks, such as Meltdown, Spectre, Foreshadow, Fallout, and Zombieload v1, have been known to introduce performance hits of up to 40%.

Seeing that all the CPU attacks listed above are not only theoretical but also hard to pull off, some companies don't see this performance hit as an option.

Many skip applying the microcode updates, or, even if they do apply them, also disable the technology that exposes the attack surface if they're not using it, just to be sure they're not impacted by any attacks or performance slowdowns.

Earlier this week, Microsoft published guidance on how system administrators can do so with Intel's TSX, using registry keys.

They can disable TSX via the following registry setting:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 1 /f

When they need TSX again, they can re-enable it via the following:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 0 /f

On Linux systems where administrators have applied Intel's microcode updates, there is also now a model-specific register (MSR) that can be used to disable TSX.

TSX has been shipping with Intel CPUs since the release of the Haswell line in 2013. According to Intel's official security advisory, the following CPU series are impacted:

| Product Collection | Product Names | Vertical Segment | CPUID | Platform ID |
|---|---|---|---|---|
| 10th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i7-10510Y, i5-10310Y; Intel® Core™ Processor i5-10210Y, i5-10110Y; Intel® Core™ Processor i7-8500Y; Intel® Core™ Processor i5-8310Y, i5-8210Y, i5-8200Y; Intel® Core™ Processor m3-8100Y | Mobile | 806EC | 94 |
| 2nd Generation Intel® Xeon® Scalable Processors | Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282; Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V; Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R; Intel® Xeon® Bronze Processor 3204, 3206R | Server | 50657 | BF |
| Intel® Xeon® W Processor Family | Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 | Workstation | 50657 | BF |
| 9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9980HK, 9880H; Intel® Core™ Processor i7-9850H, 9750HF; Intel® Core™ Processor i5-9400H, 9300H | Mobile | 906ED | 22 |
| 9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9900K, i9-9900KF; Intel® Core™ Processor i7-9700K, i7-9700KF; Intel® Core™ Processor i5-9600K, i5-9600KF, i5-9400, i5-9400F | Desktop | 906ED | 22 |
| Intel® Xeon® Processor E Family | Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G | Workstation / Server / AMT Server | 906ED | 22 |
| 10th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Series; Intel® Celeron® Processor 5000 Series | Intel® Core™ Processor i7-10510U; Intel® Core™ Processor i5-10210U; Intel® Pentium® Gold Processor 6405U; Intel® Celeron® Processor 5305U | Mobile | 806EC | 94 |
| 8th Generation Intel® Core™ Processors | Intel® Core™ Processor i7-8565U, i7-8665U; Intel® Core™ Processor i5-8365U, i5-8265U | Mobile | 806EC | 94 |
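
An added example (not from the article or from Intel's advisory): a POSIX shell check that rebuilds the CPUID value from the cpu family, model and stepping fields of /proc/cpuinfo, compares it with the CPUID column of the table above, and reports whether the rtm/hle flags are still advertised. It assumes that a host with TSX disabled no longer lists those flags; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: audit a Linux host against the
# advisory table using cpuinfo-format text.

# CPUID values listed in the table quoted by the article.
AFFECTED_CPUIDS="806EC 50657 906ED"

# Rebuild the CPUID signature (hex, as the table prints it) from the
# "cpu family", "model" and "stepping" fields of the first CPU entry.
cpuid_signature() {
    set -- $(awk -F: '
        { key = $1; val = $2; gsub(/[ \t]+$/, "", key); gsub(/[ \t]/, "", val) }
        key == "cpu family" && fam  == "" { fam  = val }
        key == "model"      && mod  == "" { mod  = val }
        key == "stepping"   && step == "" { step = val }
        END { print fam, mod, step }' "$1")
    [ $# -eq 3 ] || { echo unknown; return 1; }
    fam=$1 model=$2 step=$3 ext_fam=0
    # Families above 15 are split into base family 15 plus an extended part.
    if [ "$fam" -gt 15 ]; then ext_fam=$((fam - 15)); fam=15; fi
    hi=$(( (ext_fam << 20) | ((model >> 4) << 16) ))
    printf '%X\n' $(( hi | (fam << 8) | ((model & 15) << 4) | step ))
}

# Succeeds when the flags line still advertises TSX (rtm and/or hle).
# Assumption: these flags are absent once TSX has been disabled.
tsx_exposed() {
    grep -Eq '^flags.*[[:space:]](rtm|hle)([[:space:]]|$)' "$1"
}

# One-line verdict for a cpuinfo-format file.
classify_host() {
    sig=$(cpuid_signature "$1")
    case " $AFFECTED_CPUIDS " in
        *" $sig "*) listed=yes ;;
        *)          listed=no ;;
    esac
    if tsx_exposed "$1"; then tsx=enabled; else tsx=hidden; fi
    echo "cpuid=$sig listed=$listed tsx=$tsx"
}

# Constructed sample, not captured from a real machine.
sample=$(mktemp)
printf 'cpu family\t: 6\nmodel\t\t: 142\nmodel name\t: constructed sample\nstepping\t: 12\nflags\t\t: fpu sse2 hle avx2 rtm\n' > "$sample"
classify_host "$sample"
rm -f "$sample"
```

On a real host, run `classify_host /proc/cpuinfo`. A CPUID match only means the CPU shares a CPUID with a listed part, so confirm the product name against the table.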

