l1tf.rst - OpenGrok cross reference for /linux/Documentation/admin-guide/hw-vuln/l1tf.rst

Lines Matching +full:multi +full:- +full:processors
1 L1TF - L1 Terminal Fault
9 Affected processors
10 -------------------
12 This vulnerability affects a wide range of Intel processors. The
15    - Processors from AMD, Centaur and other non Intel vendors
17    - Older processor models, where the CPU family is < 6
19    - A range of Intel ATOM processors (Cedarview, Cloverview, Lincroft,
22    - The Intel XEON PHI family
24    - Intel processors which have the ARCH_CAP_RDCL_NO bit set in the
33 ------------
38    CVE-2018-3615  L1 Terminal Fault  SGX related aspects
39    CVE-2018-3620  L1 Terminal Fault  OS, SMM related aspects
40    CVE-2018-3646  L1 Terminal Fault  Virtualization related aspects
44 -------
66 ----------------
74    In some cases user-space can maliciously influence the information
95    multi threading (SMT). The Intel implementation of SMT is called
96    HyperThreading. The fact that Hyperthreads on the affected processors
120 -----------------------
138   - SMT status:
145   - L1D Flush mode:
159 -------------------------
166 ---------------------------
188     - conditional ('cond')
189     - unconditional ('always')
203    defaults to conditional mode on affected processors.
232    declared as non-interesting for an attacker without deep inspection of
244    https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v1/cpusets.rst
253    interrupts, e.g. the local timer interrupt. Aside of that multi queue
271    https://www.kernel.org/doc/Documentation/core-api/irq/irq-affinity.rst
294 		 core only one - the so called primary (hyper) thread is
295 		 activated. Due to a design flaw of Intel processors related
306    - /sys/devices/system/cpu/smt/control
307    - /sys/devices/system/cpu/smt/active
322 			online a non-primary sibling is rejected
335      - on
336      - off
337      - forceoff
357   EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
365 ---------------------------------------------
418 Mitigation control for KVM - module parameter
419 -------------------------------------------------------------
424 The option/parameter is "kvm-intel.vmentry_l1d_flush=". It takes the
445 line, then 'always' is enforced and the kvm-intel.vmentry_l1d_flush
451 --------------------------
491   EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
499   - L1D flushing on VMENTER:
507   - Guest confinement:
515   - Interrupt isolation:
531   - Disabling SMT:
538     parameters 'nosmt', 'l1tf', 'kvm-intel.vmentry_l1d_flush' and at run
543   - Disabling EPT:
550     EPT can be disabled in the hypervisor via the 'kvm-intel.ept'
562  - Flush the L1D cache on every switch from the nested hypervisor to the
566  - Flush the L1D cache on every switch from the nested virtual machine to
571  - Instruct the nested hypervisor to not perform any L1D cache flush. This
578 -------------------
580   The kernel default mitigations for vulnerable processors are:
582   - PTE inversion to protect against malicious user space. This is done
586   - L1D conditional flushing on VMENTER when EPT is enabled for
594   - Force disabling SMT can break existing setups, especially with
597   - If regular users run untrusted guests on their machine, then L1TF is
599     guest, e.g. spam-bots or attacks on the local network.
604   - It's technically extremely unlikely and from today's knowledge even
610   - The administrators of cloud and hosting setups have to carefully