Security Vulnerability: "L1 Terminal Fault" (L1TF) – Hypervisor Information (CVE-2018-3620, CVE-2018-3646, XSA-273).
This document (7023078) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Updated Intel microcode (provided through your hardware / BIOS vendor or by SUSE) introduces a new feature called “flush_l1d”. Hypervisors and bare-metal kernels use this feature to flush the L1 data cache during operations which may be susceptible to data leakage (e.g. when switching between VMs in Hypervisor environments).
Software mitigations exist for the Linux Kernel and for Hypervisors. These mitigations include support for new CPU features, passing these features to guests, and support for enabling/disabling/tuning the mitigations. Recommended mitigations vary depending on the environment.
KVMFor KVM host environments, mitigation can be achieved through L1D cache flushes, and/or disabling Extended Page Tables (EPT) and Simultaneous MultiThreading (SMT).
kvm-intel.vmentry_l1d_flush=alwaysThe default setting here is "cond".
The L1D cache is flushed on every VMENTER.
The L1D cache is flushed on VMENTER only when there can be leak of host memory between VMEXIT and VMENTER. This could still leak some host data, like address space layout.
Disables the L1D cache flush mitigation.
The l1tf "full" setting overrides the settings of this configuration variable.
L1TF can be used to bypass Extended Page Tables (EPT). To mitigate this risk, it is possible to disable EPT and use shadow pages instead. This mitigation is available through the "kvm-intel.ept" option:
The Extended Page tables support is switched off.
To eliminate the risk of untrusted processes or guests exploiting this vulnerability on a sibling hyper-thread, Simultaneous MultiThreading (SMT) can be disabled completely.
On the kernel boot command line:
nosmtIf this option is not passed, SMT is enabled. Any SMT options used with the "l1tf" kernel parameter option overrides this “nosmt” option.
SMT is disabled, but can be later re-enabled in the system.
SMT is disabled, and can not be re-enabled in the system.
SMT can also be controlled through sysfs:
This file allows to read the current control state and allows to disable or (re)enable SMT.
Possible states are:
SMT is supported and enabled.
SMT is supported, but disabled. Only primary SMT threads can be onlined.
SMT is supported, but disabled. Further control is not possible.
SMT is not supported.
Potential values that can be written into this file:on
This file contains the state of SMT, if it is enabled and active, where active means that multiple threads run on 1 core.
NOTE – Efforts are ongoing to implement scheduling improvements that allow hyper-thread siblings to be restricted to threads from a single guest. This will reduce the exposure of L1TF, and the requirement to disable SMT in many environments.
Bare Metal and KVM
/sys/devices/system/cpu/vulnerabilities/l1tfIf this file is not present, the kernel does not support this mitigation.
Not affectedThe processor is not affected by this problem.Mitigation: PTE InversionIn-kernel protection is active.
If KVM / VMX is enabled in the kernel, the following strings can appear appended to the strings above :
VMX: SMT vulnerableSMT is enabled and vulnerableVMX: SMT disabledSMT is disabled
L1D vulnerableL1D flushing is disabledL1D conditional cache flushesL1D flush is conditionally enabled, flushing conditionally after exiting VMsL1D cache flushesL1D flush is unconditionally enabled, flushing unconditionally before entering VMsL1D EPT disabledL1D flush is disabled, as Extended Page Tables are either not present or disabled
# xl dmesg | grep -A7 Speculative
This output shows the state of L1TF in three separate lines.
# xl dmesg | grep -A7 Speculative
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN) Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN) Xen settings: BTI-Thunk JMP, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB L1D_FLUSH
(XEN) L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 46, Safe address 300000000000
(XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB EAGER_FPU, HVM: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled
(XEN) PV L1TF shadowing: Dom0 disabled, DomU enabled
KVM and Xen guest level mitigation matches that of the Linux kernel, and can be viewed through the sysfs interface (/sys/devices/system/cpu/vulnerabilities/l1tf).
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7023078
- Creation Date:11-JUN-18
- Modified Date:29-AUG-18
- SUSESUSE Linux Enterprise Server