Today, the security community and industry vendors revealed information about a hardware security vulnerability called “L1 Terminal Fault”. Very similar to Meltdown in its nature, the vulnerability exposes data through a side-channel attack during speculative execution, and may lead to the disclosure of otherwise protected data. While a full resolution can only be provided at the hardware level, operating systems can assist in limiting the impact of the vulnerability.
SUSE will provide updates to all SUSE Linux Enterprise systems, including MicroOS as part of SUSE CaaS Platform, under general and LTSS support. Detailed information about the availability of these updates can be found in the SUSE Technical Information Documents TID 7023077 and TID 7023078.
Similar to Meltdown and Spectre, the impact of the L1 Terminal Fault depends on the customer-specific environment. As a guideline, please see the following scenarios:
| | Bare Metal deployment | Xen paravirtualized | KVM and Xen fully virtualized environment: Trusted Guests | KVM and Xen fully virtualized environment: Untrusted Guests |
|---|---|---|---|---|
| Without patches | Needs patches | Needs patches | Needs patches | Needs patches |
| Kernel/Hypervisor patches applied | | May need guest patches (untrusted users) | | Requires customer decision/choice |
In general, bare metal deployments, including container environments on bare metal, are secure once all SUSE provided patches have been applied. SUSE also considers virtual deployments secure, where the guests are under full control of our customers and partners.
In virtualized environments, where customers are not in full control of the guest operating system, it may be necessary to limit the SMT capabilities of the system to one thread per core or to disable Extended Page Tables (EPT). Depending on the application stack, each mitigation may have an impact on the overall system performance.
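The decision described above can be checked against what a patched kernel reports about itself. The following is an added example, not part of the SUSE post: it assumes a Linux kernel carrying the L1TF mitigation, which exposes its status in /sys/devices/system/cpu/vulnerabilities/l1tf and the SMT state in /sys/devices/system/cpu/smt/control, and it classifies a host into the scenarios of the table using those two values plus whether untrusted guests run on it.

```shell
#!/bin/sh
# Added example (not from the SUSE post). Assumes a kernel with the L1TF
# mitigation, which exposes these two sysfs files:
#   /sys/devices/system/cpu/vulnerabilities/l1tf
#     e.g. "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   /sys/devices/system/cpu/smt/control
#     one of "on", "off", "forceoff", "notsupported"

# l1tf_assess STATUS SMT UNTRUSTED
#   STATUS    - contents of the l1tf sysfs file
#   SMT       - contents of smt/control
#   UNTRUSTED - "yes" if the host runs guests not under your control
# Prints one verdict: ok | needs-patches | needs-decision
l1tf_assess() {
    status=$1; smt=$2; untrusted=$3
    case "$status" in
        "Not affected") echo ok; return 0 ;;
        Vulnerable*)    echo needs-patches; return 0 ;;
        Mitigation:*)   ;;                          # host kernel is patched
        *)              echo needs-patches; return 0 ;;  # no/unknown reporting: old kernel
    esac
    # Host is patched: bare metal and fully trusted guests are covered.
    if [ "$untrusted" != yes ]; then
        echo ok; return 0
    fi
    # Untrusted guests: sibling hyperthreads still share the L1D, so the
    # remaining choice is SMT off (or EPT off) versus performance.
    case "$smt" in
        off|forceoff|notsupported) echo ok ;;
        *)                         echo needs-decision ;;
    esac
    return 0
}

# Read the live values on a host; pass "yes" as the first argument when the
# host carries guests you do not control. Missing files are reported as unknown.
l1tf_host_check() {
    vuln=/sys/devices/system/cpu/vulnerabilities/l1tf
    smtc=/sys/devices/system/cpu/smt/control
    status=$(cat "$vuln" 2>/dev/null || echo unknown)
    smt=$(cat "$smtc" 2>/dev/null || echo unknown)
    l1tf_assess "$status" "$smt" "${1:-no}"
}
```

Running `l1tf_host_check yes` on a patched host with SMT still enabled prints needs-decision, which is the "Requires customer decision/choice" cell of the table above.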
Customers are advised to review their environment and threat vectors together with their security team.
Additional details on the specific vulnerabilities are posted in the CVE reports:
As research on these issues continues across the industry, additional optimizations and information may emerge. We will continually provide updated details in this blog and on the pages referenced above. We would like to thank all those in the upstream Linux kernel community and our industry partners whose passion, dedication and collaboration were critical in addressing this issue.