Asked by Lin*_*eak (tags: cpu, linux-kernel, intel, vulnerability)

I am using spectre-meltdown-checker version 0.42. With no options, the result is all green. However, in the help page I found this --paranoid switch, which turned about half of the later CVEs red. I read what it told me: for full mitigation I have to disable Hyper-Threading, which scared me a bit, but I'd better do it, and afterwards only one red flag remained: CVE-2018-3646 = L1D unconditional flushing should be enabled to fully mitigate the vulnerability.

Laptop: Dell Inspiron 15 with the latest BIOS (1.8.0, link to details).

Processor: Intel© Core™ i7-7700HQ (link to Intel ARK).

Linux kernel: 4.15.0-65-generic; full uname -a:

    Linux dell-7577 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

For completeness, I add the information from the help for the --paranoid switch:

    --paranoid      require IBPB to deem Variant 2 as mitigated
                    also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
                    also require SMT disabled to deem MDS vulnerabilities mitigated

    CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
    * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
    * This system is a host running a hypervisor: YES (paranoid mode)
    * Mitigation 1 (KVM)
      * EPT is disabled: NO
    * Mitigation 2
      * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
      * L1D flush enabled: YES (conditional flushes)
      * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
      * Hyper-Threading (SMT) is enabled: YES
    > STATUS: VULNERABLE (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)

How do I enable this unconditional L1D flush, in addition to disabling Hyper-Threading?
I did some digging into what this vulnerability is called in the documentation. In fact I went straight to the kernel documentation; quoting it:
    l1tf=           [X86] Control mitigation of the L1TF vulnerability on
                          affected CPUs

                    The kernel PTE inversion protection is unconditionally
                    enabled and cannot be disabled.

                    full
                            Provides all available mitigations for the
                            L1TF vulnerability. Disables SMT and
                            enables all mitigations in the
                            hypervisors, i.e. unconditional L1D flush.

                            SMT control and L1D flush control via the
                            sysfs interface is still possible after
                            boot. Hypervisors will issue a warning
                            when the first VM is started in a
                            potentially insecure configuration,
                            i.e. SMT enabled or L1D flush disabled.

                    full,force
                            Same as 'full', but disables SMT and L1D
                            flush runtime control. Implies the
                            'nosmt=force' command line option.
                            (i.e. sysfs control of SMT is disabled.)

                    flush
                            Leaves SMT enabled and enables the default
                            hypervisor mitigation, i.e. conditional
                            L1D flush.

                            SMT control and L1D flush control via the
                            sysfs interface is still possible after
                            boot. Hypervisors will issue a warning
                            when the first VM is started in a
                            potentially insecure configuration,
                            i.e. SMT enabled or L1D flush disabled.

                    flush,nosmt
                            Disables SMT and enables the default
                            hypervisor mitigation.

                            SMT control and L1D flush control via the
                            sysfs interface is still possible after
                            boot. Hypervisors will issue a warning
                            when the first VM is started in a
                            potentially insecure configuration,
                            i.e. SMT enabled or L1D flush disabled.

                    flush,nowarn
                            Same as 'flush', but hypervisors will not
                            warn when a VM is started in a potentially
                            insecure configuration.

                    off
                            Disables hypervisor mitigations and doesn't
                            emit any warnings.
                            It also drops the swap size and available
                            RAM limit restriction on both hypervisor and
                            bare metal.

                    Default is 'flush'.

                    For details see: Documentation/admin-guide/hw-vuln/l1tf.rst
I tried some of these options and ended up with full,force. But that is just my personal choice.

If you are now asking how to use it (what to edit), the answer is:

Edit the following file with your favorite text editor:

    /etc/default/grub

Add one of the options, for example let me use l1tf=full,force, to this line:

    GRUB_CMDLINE_LINUX_DEFAULT="... l1tf=full,force"

Update your bootloader configuration with:

    sudo update-grub

The change takes effect after a reboot:

    sudo reboot

If you decide to keep testing this solution, you should end up with something like:
    CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
    * Information from the /sys interface: Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled
    * This system is a host running a hypervisor: YES (paranoid mode)
    * Mitigation 1 (KVM)
      * EPT is disabled: NO
    * Mitigation 2
      * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
      * L1D flush enabled: YES (unconditional flushes)
      * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
      * Hyper-Threading (SMT) is enabled: NO
    > STATUS: NOT VULNERABLE (L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability)
It is also worth reading the L1TF-specific kernel documentation, which explains the vulnerability and the mitigations in detail, and describes how to enable and disable the mitigations (including disabling SMT) at runtime, without rebooting or changing the system configuration.
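The following script is an added example, not code from the original answer or from spectre-meltdown-checker. It automates what the answer above describes: it classifies the kernel's own L1TF status line the way --paranoid judges it, rewrites GRUB_CMDLINE_LINUX_DEFAULT idempotently (so running it twice never leaves two l1tf= tokens), and shows the runtime (no-reboot) equivalent via sysfs. The sysfs paths and the value names (on/off/forceoff for SMT, never/cond/always for the VM-entry L1D flush) are taken from Documentation/admin-guide/hw-vuln/l1tf.rst, not from this page; the grub file layout is assumed to be the stock Ubuntu one.

```shell
#!/bin/sh
# Added example (not part of the original answer). Paths below are the
# ones documented in Documentation/admin-guide/hw-vuln/l1tf.rst.
L1TF_SYS=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_CTL=/sys/devices/system/cpu/smt/control
L1D_CTL=/sys/module/kvm_intel/parameters/vmentry_l1d_flush

# Classify the kernel's one-line L1TF status. "paranoid" is the state
# spectre-meltdown-checker --paranoid accepts for CVE-2018-3646:
# unconditional flush ("VMX: cache flushes", not "conditional") and
# "SMT disabled". "default" is the kernel's l1tf=flush behaviour.
l1tf_classify() {
    case "$1" in
        "Not affected")                                         echo not_affected ;;
        *"VMX: cache flushes, SMT disabled"*)                   echo paranoid ;;
        *"VMX: vulnerable"*)                                    echo flush_off ;;
        *"VMX: conditional cache flushes"*|*"SMT vulnerable"*)  echo default ;;
        "Mitigation: PTE Inversion")                            echo bare_metal ;;
        *)                                                      echo unknown ;;
    esac
}

# Put l1tf=<value> on GRUB_CMDLINE_LINUX_DEFAULT in the given file,
# dropping any l1tf= token already there so repeated runs never duplicate it.
# Writes via a temp file; run "sudo update-grub" afterwards as the answer says.
grub_set_l1tf() {
    file="$1"; value="$2"
    tmp="$file.tmp.$$"
    sed -E "/^GRUB_CMDLINE_LINUX_DEFAULT=/{
        s/ ?l1tf=[^\" ]*//g
        s/=\"(.*)\"$/=\"\\1 l1tf=$value\"/
        s/=\" /=\"/
    }" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the current state; degrades gracefully where a file is missing
# (for example kvm_intel not loaded, or a kernel without the smt/ directory).
l1tf_report() {
    status=$( [ -r "$L1TF_SYS" ] && cat "$L1TF_SYS" || echo unavailable )
    smt=$( [ -r "$SMT_CTL" ] && cat "$SMT_CTL" || echo unavailable )
    l1d=$( [ -r "$L1D_CTL" ] && cat "$L1D_CTL" || echo unavailable )
    printf 'l1tf: %s\nverdict: %s\nsmt/control: %s\nvmentry_l1d_flush: %s\n' \
        "$status" "$(l1tf_classify "$status")" "$smt" "$l1d"
}

# Runtime equivalent of l1tf=full (root, no reboot; not persistent across
# reboots and not possible after booting with l1tf=full,force, which locks
# both knobs). Only touches the files that exist and are writable.
l1tf_runtime_paranoid() {
    [ -w "$L1D_CTL" ] && echo always > "$L1D_CTL"
    [ -w "$SMT_CTL" ] && echo off > "$SMT_CTL"
    l1tf_report
}

# Read-only report when run directly; call l1tf_runtime_paranoid or
# grub_set_l1tf /etc/default/grub full,force explicitly to change anything.
l1tf_report
```

Checking the verdict after the change is the same as re-running spectre-meltdown-checker --paranoid: the status line must read "VMX: cache flushes, SMT disabled" with no "conditional" in it. Note that the runtime route is exactly what full,force takes away: once booted with that parameter, writes to smt/control and vmentry_l1d_flush are refused, which is the trade-off the answer accepts.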