Intel recently introduced a microcode update to their CPUs earlier this month included in a recent update to it's developer guide. Interestingly, Intel has begun to disable the Transactional Synchronization Extensions (TSX) with this new microcode on certain processor families (on both Windows and Linux) such as Skylake and Coffee Lake CPUs.
How does the removal of TSX by Intel affect general-purpose computing?
First, we need to discuss what TSX does for your processor.
Intel® Transactional Synchronization Extensions (Intel® TSX) allow the processor to determine dynamically whether threads need to serialize through lock-protected critical sections, and to perform serialization only when required. This lets the processor to expose and exploit concurrence hidden in an application due to dynamically unnecessary synchronization.
When utilizing the TSX, benchmarks of certain workloads showed an increase of as much as 40% more efficiency and four to five times faster database transactions. By removing the extension, there will be a mild drop in the CPU's processing if you are someone that is using these workloads and update to the latest microcode. However, considering the security implications of leaving it running - most security-conscious enterprises would have turned it off already.
Why is Intel disabling TSX by default on processors?
Intel's TSX has had notable deficiencies and vulnerabilities in the past: one affecting KASLR in Linux for example. KASLR, or Kernel Address Space Randomization, activates randomization for physical and virtual addresses where the kernel's image is decompressing. In turn, this prevents security exploits to the kernel. In addition, Microarchitectural Data Sampling (MDS) attacks can also occur, allowing vulnerability for hackers to access recent system information that can only be accessed by other virtual machines or to the kernel.
Website Phoronix reports that Intel has been aware of the issue as far back as 2018. With the rollout of this new microcode in the Linux 5.14 cycle patches, they are not only repairing security issues but also starting to disable TSX on the following:
- Xeon D and first generation Xeon Scalable CPUs
- Certain Skylake Xeon CPUs
- Sixth generation Xeon E3-1500M V5 and E3-1200 V5 Skylake CPUs
- Some seventh and eighth generation Core and Pentium Coffee, Kaby, and Whiskey CPUs
- Eighth and ninth generation Core and Pentium Coffee Lake CPUs
- Tenth generation Coffee and Ice Lake CPUs
It is also noted that Intel is not only disabling TSX on some CPUs, but they are also removing access and disabling Real Time Monitoring (RTM) to those affected. RTM is used to gather RAM, CPU, RAID, and disk information as well as hardware information immediately.
We are already seeing newer CPUs rolling out with the depreciation of TSX, as well as those systems utilizing TAA (TSX Async Abort) mitigations as far back as the latter half of 2019.