应启用 L1D 无条件刷新以完全缓解该漏洞 (CVE-2018-3646)

我做了一些挖掘，文档中的这个漏洞被称为：

L1TF = L1 端子故障

其实我找到了直接内核文档，引用：

l1tf=   [X86] Control mitigation of the L1TF vulnerability on
        affected CPUs

        The kernel PTE inversion protection is unconditionally
        enabled and cannot be disabled.

        full
            Provides all available mitigations for the
            L1TF vulnerability. Disables SMT and
            enables all mitigations in the
            hypervisors, i.e. unconditional L1D flush.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        full,force
            Same as 'full', but disables SMT and L1D
            flush runtime control. Implies the
            'nosmt=force' command line option.
            (i.e. sysfs control of SMT is disabled.)

        flush
            Leaves SMT enabled and enables the default
            hypervisor mitigation, i.e. conditional
            L1D flush.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        flush,nosmt

            Disables SMT and enables the default
            hypervisor mitigation.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        flush,nowarn
            Same as 'flush', but hypervisors will not
            warn when a VM is started in a potentially
            insecure configuration.

        off
            Disables hypervisor mitigations and doesn't
            emit any warnings.
            It also drops the swap size and available
            RAM limit restriction on both hypervisor and
            bare metal.

        Default is 'flush'.

        For details see: Documentation/admin-guide/hw-vuln/l1tf.rst

---

我尝试了其中一些选项，最终得到了full,force.但这只是我个人的选择。

---

如何使用

如果您现在问如何使用（编辑什么），那么答案是：

1. 使用您喜欢的文本编辑器编辑以下文件：

   /etc/default/grub
   

2. 添加选项之一，例如让我使用l1tf=full,force, 到这一行：

   GRUB_CMDLINE_LINUX_DEFAULT="... l1tf=full,force"
   

3. 使用以下命令更新您的引导加载程序配置：

   sudo update-grub
   

4. 更改在重启后生效：

   reboot --reboot
   

---

结果

如果您决定继续测试此解决方案，您最终应该得到类似的结果：

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (unconditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  NO 
> STATUS:  NOT VULNERABLE  (L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability)

超高清图像可以放大：

---

斯蒂芬·基特的笔记

L1TF 特定内容也值得阅读内核文档，其中详细解释了漏洞和缓解措施，并解释了如何启用和禁用缓解措施（包括禁用 SMT）在运行时，无需重新启动或更改系统配置。