[ubuntu-hardened] 16.04 LTS Release: L1 Terminal Fault (L1TF) vulnerability mitigation.
daniel curtis
sidetripping at gmail.com
Thu Aug 16 16:05:51 UTC 2018
Hello.
On Tue. Aug. 14, the Linux kernel available in the "Xenial" release was
updated to version 4.4.0-133-generic. This update is based on the
upstream v4.4.134 and fixes some speculation issues, mainly related to
the "L1 Terminal Fault (L1TF)" vulnerability etc. The most important
information is: all CPUs which are not vulnerable to the "Meltdown"
issue are also not vulnerable to "L1TF". That's good.
I don't want to describe this issue, because there are plenty of
great papers and documents, for example those written by the researchers
who discovered the problem. Because this issue is Intel-specific and
one of my testing computers is running such a processor, I would like to
ask a question about the mitigation result.
Anyway, it seems that the mentioned processor is protected. Here is the
complete result of what the '/sys/devices/system/cpu/vulnerabilities/l1tf'
file contains:
$ cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: EPT disabled
According to one of the commits (please see 1.), "If EPT is disabled,
L1TF cannot be exploited even across threads on the same core, and SMT
is irrelevant." As we can see above, 'EPT' is reported as disabled,
right? So, what do you think about the above result? Is everything okay
and 'L1TF' mitigated?
I also have an additional question: should I use/add some kernel
parameters via the command line? I'm thinking, for example, about
'kvm-intel.vmentry_l1d_flush'. This option provides mitigation for "L1
Terminal Fault" and accepts the following valid arguments:
✗ never
✗ cond
✗ always
The default value is 'cond' (for more information about how the above options
work and how they mitigate the "L1 Terminal Fault" issue, please see
2.)
An important thing worth mentioning: the mentioned kernel is 32-bit and 'PAE'
compiled. I know that it's not good news, but there is a
patch to increase the 32-bit 'PAE' '__PHYSICAL_PAGE_SHIFT' to 52 to match
64-bit. (The limit for a 32-bit 'PAE' kernel is 44 bits.) And in the near
future, it will be changed to 64-bit etc.
So, I have two questions: 1/ is the 'l1tf' file result okay and the processor
protected? 2/ should some kernel parameters be used via the
command line, or will the kernel decide by itself?
Thanks, best regards.
_____________________
1. https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=b2fea1afd6b01e432b331a1db6f9637786e1edce
2. https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=4fa3dc8219ab63fcbf93f99e52a6f64dd21806bd
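The following script is an added example, not part of the post above or of the Ubuntu kernel tree. It reads the same sysfs file the poster quotes, plus the kvm_intel module parameter the poster asks about (assumed to be exposed at /sys/module/kvm_intel/parameters/vmentry_l1d_flush), and turns the kernel's status string into a verdict on whether an L1D flush on VM entry still matters. The status-line forms it matches are taken from the kernel's own L1TF status reporting as the example's author recalls them; the sample values it falls back to when the files are absent are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: interpret the kernel's L1TF status line and decide whether
# kvm-intel.vmentry_l1d_flush is still relevant on this host.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf
# Assumed path of the kvm_intel parameter (standard module-parameter location).
FLUSH_PARAM=/sys/module/kvm_intel/parameters/vmentry_l1d_flush

# Reduce one l1tf status line to a short verdict. Pattern order matters:
# "VMX: vulnerable" (flush=never) is checked before the generic SMT patterns.
l1tf_classify() {
    case "$1" in
        "Not affected")                                      echo not-affected ;;
        "Mitigation: PTE Inversion")                         echo host-mitigated-no-vmx ;;
        "Mitigation: PTE Inversion; VMX: EPT disabled")      echo host-mitigated-ept-disabled ;;
        "Mitigation: PTE Inversion; VMX: vulnerable"*)       echo flush-disabled-guests-exposed ;;
        "Mitigation: PTE Inversion; VMX:"*"SMT disabled")    echo host-and-guest-mitigated ;;
        "Mitigation: PTE Inversion; VMX:"*"SMT vulnerable")  echo host-mitigated-smt-leak-possible ;;
        Vulnerable*)                                         echo vulnerable ;;
        *)                                                   echo unknown ;;
    esac
}

# Does this host still need the L1D flush on VM entry? Per the commit quoted
# in the post, with EPT disabled the flush (and SMT) is irrelevant; the same
# holds when the CPU is not affected or VMX is not in use at all.
l1d_flush_needed() {
    case "$(l1tf_classify "$1")" in
        not-affected|host-mitigated-no-vmx|host-mitigated-ept-disabled) echo no ;;
        *) echo yes ;;
    esac
}

# Read a file if present, otherwise use a constructed sample so the script
# also runs on hosts without the entry (non-x86, or kvm_intel not loaded).
read_or_sample() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

main() {
    # Sample values are constructed; the first is the line from the post.
    status=$(read_or_sample "$L1TF_SYSFS" "Mitigation: PTE Inversion; VMX: EPT disabled")
    flush=$(read_or_sample "$FLUSH_PARAM" "cond")
    printf 'l1tf status : %s\nverdict     : %s\nl1d flush   : %s (still needed: %s)\n' \
        "$status" "$(l1tf_classify "$status")" "$flush" "$(l1d_flush_needed "$status")"
}

main
```

On the poster's machine the script reports the verdict host-mitigated-ept-disabled and "still needed: no", which is the reading the quoted commit message supports: PTE inversion covers the host, and without EPT there is no guest-side L1TF channel for the L1D flush to close. The flush setting only starts to matter when the status line shows "conditional cache flushes" or "cache flushes" together with "SMT vulnerable".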