Lines Matching +full:single +full:- +full:cpu +full:- +full:affinity
1 L1TF - L1 Terminal Fault
10 -------------------
15 - Processors from AMD, Centaur and other non Intel vendors
17 - Older processor models, where the CPU family is < 6
19 - A range of Intel ATOM processors (Cedarview, Cloverview, Lincroft,
22 - The Intel XEON PHI family
24 - Intel processors which have the ARCH_CAP_RDCL_NO bit set in the
25 IA32_ARCH_CAPABILITIES MSR. If the bit is set the CPU is not affected
33 ------------
38 CVE-2018-3615 L1 Terminal Fault SGX related aspects
39 CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
40 CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
44 -------
66 ----------------
74 In some cases user-space can maliciously influence the information
120 -----------------------
126 /sys/devices/system/cpu/vulnerabilities/l1tf
138 - SMT status:
145 - L1D Flush mode:
159 -------------------------
166 ---------------------------
188 - conditional ('cond')
189 - unconditional ('always')
223 If only a single guest or related guests run on sibling SMT threads on
232 declared as non-interesting for an attacker without deep inspection of
237 negative effects on CPU utilization depending on the hosting
241 For further information about confining guests to a single or to a group
244 https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v1/cpusets.rst
248 3. Interrupt affinity
252 true because there are types of interrupts which are truly per CPU
254 devices affine their interrupts to single CPUs or groups of CPUs per
257 Moving the interrupts, which can be affinity controlled, away from CPUs
267 Interrupt affinity can be controlled by the administrator via the
271 https://www.kernel.org/doc/Documentation/core-api/irq/irq-affinity.rst
294 core only one - the so called primary (hyper) thread is
306 - /sys/devices/system/cpu/smt/control
307 - /sys/devices/system/cpu/smt/active
309 /sys/devices/system/cpu/smt/control:
315 on SMT is supported by the CPU and enabled. All
319 off SMT is supported by the CPU and disabled. Only
322 online a non-primary sibling is rejected
335 - on
336 - off
337 - forceoff
339 /sys/devices/system/cpu/smt/active:
357 EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
365 ---------------------------------------------
418 Mitigation control for KVM - module parameter
419 -------------------------------------------------------------
424 The option/parameter is "kvm-intel.vmentry_l1d_flush=". It takes the
445 line, then 'always' is enforced and the kvm-intel.vmentry_l1d_flush
451 --------------------------
491 EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
499 - L1D flushing on VMENTER:
507 - Guest confinement:
509 Confinement of guests to a single or a group of physical cores which
515 - Interrupt isolation:
521 affinity to the CPUs which run the untrusted guests can depending on
531 - Disabling SMT:
538 parameters 'nosmt', 'l1tf', 'kvm-intel.vmentry_l1d_flush' and at run
543 - Disabling EPT:
550 EPT can be disabled in the hypervisor via the 'kvm-intel.ept'
562 - Flush the L1D cache on every switch from the nested hypervisor to the
566 - Flush the L1D cache on every switch from the nested virtual machine to
571 - Instruct the nested hypervisor to not perform any L1D cache flush. This
578 -------------------
582 - PTE inversion to protect against malicious user space. This is done
586 - L1D conditional flushing on VMENTER when EPT is enabled for
594 - Force disabling SMT can break existing setups, especially with
597 - If regular users run untrusted guests on their machine, then L1TF is
599 guest, e.g. spam-bots or attacks on the local network.
604 - It's technically extremely unlikely and from today's knowledge even
610 - The administrators of cloud and hosting setups have to carefully