At SUSE we've been releasing our kernels with TSX enabled for the past 6
years and some customers have started to rely on it. Furthermore, the last
known vulnerability concerning TSX was TAA (CVE-2019-11135) and a
significant amount time has passed since then without anyone reporting any
issues. Intel has released numerous processors which do not have the
TAA vulnerability (Cooper/Ice Lake, Sapphire/Emerald/Granite Rappids)
yet TSX remains being disabled by default.

The main aim of this patch is to reduce the divergence between SUSE's
configuration and the upstream by switching the default TSX mode to
auto. I believe this strikes the right balance between keeping it
enabled where appropriate (i.e every machine which doesn't contain the
TAA vulnerability) and disabling it preventively.

Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
---

Changes since v2:

 * Reworded the changelog log to hopefully make it clear that this has been in
 use for quite some time.
 arch/x86/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index fa3b616af03a..83f5132e2212 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1812,7 +1812,7 @@ config ARCH_PKEY_BITS
 choice
 	prompt "TSX enable mode"
 	depends on CPU_SUP_INTEL
-	default X86_INTEL_TSX_MODE_OFF
+	default X86_INTEL_TSX_MODE_AUTO
 	help
 	  Intel's TSX (Transactional Synchronization Extensions) feature
 	  allows to optimize locking protocols through lock elision which
--
2.51.1

On 11/12/25 11:05, Nikolay Borisov wrote:
> At SUSE we've been releasing our kernels with TSX enabled for the past 6
> years and some customers have started to rely on it. Furthermore, the last
> known vulnerability concerning TSX was TAA (CVE-2019-11135) and a
> significant amount time has passed since then without anyone reporting any
> issues. Intel has released numerous processors which do not have the
> TAA vulnerability (Cooper/Ice Lake, Sapphire/Emerald/Granite Rappids)
> yet TSX remains being disabled by default.
> 
> The main aim of this patch is to reduce the divergence between SUSE's
> configuration and the upstream by switching the default TSX mode to
> auto. I believe this strikes the right balance between keeping it
> enabled where appropriate (i.e every machine which doesn't contain the
> TAA vulnerability) and disabling it preventively.

This seems pretty sane to me. TSX is far less scary than it once was. It
seemed to be a key part of a bunch of the speculation gadgets at some
point, but having it off by default doesn't really seem to have slowed
anyone down.

Plus, this won't even change anyone's builds that has a .config from the
last 5 years.

Does anyone feel differently?

On 12.11.25 г. 21:13 ч., Dave Hansen wrote:
> On 11/12/25 11:05, Nikolay Borisov wrote:
>> At SUSE we've been releasing our kernels with TSX enabled for the past 6
>> years and some customers have started to rely on it. Furthermore, the last
>> known vulnerability concerning TSX was TAA (CVE-2019-11135) and a
>> significant amount time has passed since then without anyone reporting any
>> issues. Intel has released numerous processors which do not have the
>> TAA vulnerability (Cooper/Ice Lake, Sapphire/Emerald/Granite Rappids)
>> yet TSX remains being disabled by default.
>>
>> The main aim of this patch is to reduce the divergence between SUSE's
>> configuration and the upstream by switching the default TSX mode to
>> auto. I believe this strikes the right balance between keeping it
>> enabled where appropriate (i.e every machine which doesn't contain the
>> TAA vulnerability) and disabling it preventively.
> 
> This seems pretty sane to me. TSX is far less scary than it once was. It
> seemed to be a key part of a bunch of the speculation gadgets at some
> point, but having it off by default doesn't really seem to have slowed
> anyone down.
> 
> Plus, this won't even change anyone's builds that has a .config from the
> last 5 years.
> 
> Does anyone feel differently?

So at the end of the day what is the status of this, will it get merged?