Intel Disabling TSX On Certain CPUs, Skylake And Coffee Lake Affected

Earlier this month, Intel introduced a microcode update for its CPUs, documented in a recent update to its developer guide. Interestingly, with this new microcode Intel has begun to disable the Transactional Synchronization Extensions (TSX) on certain processor families, such as Skylake and Coffee Lake CPUs, on both Windows and Linux.
First, we need to discuss what TSX does for your processor.
Intel® Transactional Synchronization Extensions (Intel® TSX) allow the processor to determine dynamically whether threads need to serialize through lock-protected critical sections, and to perform serialization only when required. This lets the processor expose and exploit concurrency hidden in an application due to dynamically unnecessary synchronization.
With TSX enabled, benchmarks of certain workloads showed as much as 40% higher efficiency and four to five times faster database transactions. With the extension removed, anyone running these workloads who updates to the latest microcode will see a mild drop in CPU performance. However, considering the security implications of leaving it running, most security-conscious enterprises would have turned it off already.
Intel's TSX has had notable deficiencies and vulnerabilities in the past, one of which affected KASLR in Linux. KASLR, or Kernel Address Space Layout Randomization, randomizes the physical and virtual addresses at which the kernel's image is decompressed. In turn, this helps prevent security exploits against the kernel. In addition, Microarchitectural Data Sampling (MDS) attacks can occur, allowing attackers to access recent system data that should be accessible only to other virtual machines or to the kernel.
Website Phoronix reports that Intel has been aware of the issue as far back as 2018. With the rollout of this new microcode in the Linux 5.14 cycle patches, they are not only repairing security issues but also starting to disable TSX on the following:
It is also noted that Intel is not only disabling TSX on some CPUs, but is also removing access to, and disabling, Real Time Monitoring (RTM) on the affected CPUs. RTM is used to gather RAM, CPU, RAID, and disk information as well as hardware information immediately.
We are already seeing newer CPUs rolling out with TSX deprecated, as well as systems utilizing TAA (TSX Async Abort) mitigations as far back as the latter half of 2019.
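To see where a given Linux host stands after the microcode update, the following added example (not code from Intel or Phoronix) reads the microcode revision and the `rtm`/`hle` flags from `/proc/cpuinfo` and the kernel's TAA status line from sysfs. The sample cpuinfo text is constructed, and the state labels returned by `assess()` are this example's own naming.

```python
"""Report whether TSX is still exposed on a Linux host (added example)."""
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
TAA_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")
TSX_FLAGS = {"rtm", "hle"}  # cpuinfo flag names for the two TSX interfaces

# Prefix of the kernel's TAA status line -> label used by this example.
# Order matters: the specific "TSX disabled" prefix is tested before "Mitigation".
TAA_STATES = (
    ("Vulnerable", "vulnerable"),
    ("Mitigation: TSX disabled", "tsx-disabled"),
    ("Mitigation", "mitigated"),  # CPU buffers cleared, TSX left usable
    ("Not affected", "not-affected"),
)

# Constructed sample, not captured from a real machine.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "microcode\t: 0xde\n"
    "flags\t\t: fpu sse2 hle avx2 rtm rdseed\n"
    "\n"
    "processor\t: 1\n"
    "flags\t\t: fpu sse2 avx2 rdseed\n"
)


def parse_cpuinfo(text):
    """Return (microcode revision, flag set) for the first logical CPU."""
    microcode, flags = None, set()
    for line in text.lstrip().splitlines():
        if not line.strip():  # a blank line ends the first CPU's block
            break
        key, _, value = line.partition(":")
        if key.strip() == "microcode":
            microcode = value.strip()
        elif key.strip() == "flags":
            flags = set(value.split())
    return microcode, flags


def assess(flags, taa_status):
    """Combine the visible TSX flags with the kernel's TAA status line."""
    state = next((label for prefix, label in TAA_STATES
                  if taa_status and taa_status.startswith(prefix)), "unknown")
    return {"tsx_flags": sorted(TSX_FLAGS & flags), "taa": state}


if __name__ == "__main__":
    text = CPUINFO.read_text() if CPUINFO.exists() else SAMPLE_CPUINFO
    status = TAA_SYSFS.read_text().strip() if TAA_SYSFS.exists() else None
    microcode, flags = parse_cpuinfo(text)
    print("microcode:", microcode, assess(flags, status))
```

An empty `tsx_flags` list means the kernel no longer advertises TSX to software; a `taa` value of `unknown` means the running kernel does not expose the sysfs status file or reported a line this example does not recognize.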
Source: Phoronix, Intel