This fetch must be done early enough so it must occur in hammer_time().

yes, please use the cpu_stdext_feature. This var can be overwritten by user in emergency as well.

I think you need to check the existing value of hw_mds_disable. If it is non-zero, do not touch it. If it is zero, setting it to 1 (VERW) might not work simply because the right microcode is not loaded. 3 (auto) might be more reasonable value.

My intent was to assume that hw_mds_recalculate() would determine the correct state. If this code asks for VERW but that can't be done, then it'll just fail anyways.

we should really use positive sense sysctls

Agreed, but I propose that we do a sweep and rename all of the nearby and related knobs. For now, hw.tsx_disable is consistent with the others, which I think it important.

It's not exactly, because mds_disable is actually enabling a workaround - we could rename it mds_workaround_enable and the values the user sets it to do not change.

If tsx_disable becomes tsx_enable the setting also has to change.

maybe /* CPU is not susceptible to TAA */

/* CPU is susceptible to TAA and has the ability to disable TSX */

I'm not sure that "inactive" is the right name for this, should probably be "TSX not disabled"?

Just "VERW"?

hw_mds_disable is user-controlled, and user settings should be honored IMO.

This is one of the reason why I proposed to merge taa and mds recalculation functions.

I think the name here needs to be changed to taa_disable. The intention is to mitigate the TSX Async Abort vulnerability, not necessarily just general purpose TSX feature control.

Why use ints and implicit convertions ? We have true/false constant symbols in C99.

Indeed, but is it not usable as a general TSX disable control? I.e., if in the future another problem is found with TSX we could still use this to turn it off?

How would it work if a user specified VERW for TAA and SW for MDS? Maybe these can be merged in the future, but for now I would like to keep them separate, and enforce that TAA is a superset of MDS, as stated in the review summary.

What you've described are two states that can be mutually exclusive.

hw.x86.mitigations.taa is my proposal. 0 = no mitigation, 1 = TSX-disable, 2 = VERW, 3 = auto

In this case you need somehow merge them, and this is easier to do in the merged function.

But I think that you should either not allow that fine control over taa (e.g. only provide disabled/mds/tsx variants of mitigation).

Or even better, further along lines of merged mds/taa handling, do not introduce separate knob to taa. Consider taa action as continuation of mds. For instance, auto would mean: if both MDS_NO and TAA_NO, do nothing. If MDS requires VERW, _or_ TAA requires VERW, it is VERW. If VERW is not available, it is microarch-specific code sequences.

I agree that this maybe could be better, but trying to handle MDS_NO, TAA_NO, TSX_CTRL feature bits (not to mention the MDS and RTM/HLE presence bits) as well as VERW vs software mitigation, is a very complex logic table. I'd like to keep it more simple for now, and consider combining in the future.

But this case here (where we set tsx_need = TSX_TAA_DISABLE) is exactly that - the CPU is susceptible to TAA, and can turn off TSX.

I think that this is handled by the OID renaming