L1D unconditional flushing should be enabled to fully mitigate the vulnerability (CVE-2018-3646)


I am using spectre-meltdown-checker, version 0.42, which without any options gives an all-green result. However, in the help page I found this --paranoid switch, which turns roughly half of the later CVEs red. I read what it told me: for full mitigation I have to disable Hyper-Threading, which scared me a bit, but I'd better do it, and the result is that only one danger flag remains, for CVE-2018-3646 = L1D unconditional flushing should be enabled to fully mitigate the vulnerability


Laptop: Dell Inspiron 15 with the latest BIOS (1.8.0, link to details).

Processor: Intel® Core™ i7-7700HQ (link to Intel ARK).

Linux kernel: 4.15.0-65-generic; full uname -a output:

Linux dell-7577 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

For completeness, here is the help text for the --paranoid switch:

--paranoid      require IBPB to deem Variant 2 as mitigated
                also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
                also require SMT disabled to deem MDS vulnerabilities mitigated

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  VULNERABLE  (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)

The actual question

Apart from disabling Hyper-Threading, how do I enable unconditional L1D flushing?

Answer 1

I did some digging; in the documentation this vulnerability is referred to as:

L1TF = L1 Terminal Fault

In fact I found the kernel documentation directly, quoting:

l1tf=   [X86] Control mitigation of the L1TF vulnerability on
        affected CPUs

        The kernel PTE inversion protection is unconditionally
        enabled and cannot be disabled.

        full
            Provides all available mitigations for the
            L1TF vulnerability. Disables SMT and
            enables all mitigations in the
            hypervisors, i.e. unconditional L1D flush.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        full,force
            Same as 'full', but disables SMT and L1D
            flush runtime control. Implies the
            'nosmt=force' command line option.
            (i.e. sysfs control of SMT is disabled.)

        flush
            Leaves SMT enabled and enables the default
            hypervisor mitigation, i.e. conditional
            L1D flush.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        flush,nosmt

            Disables SMT and enables the default
            hypervisor mitigation.

            SMT control and L1D flush control via the
            sysfs interface is still possible after
            boot.  Hypervisors will issue a warning
            when the first VM is started in a
            potentially insecure configuration,
            i.e. SMT enabled or L1D flush disabled.

        flush,nowarn
            Same as 'flush', but hypervisors will not
            warn when a VM is started in a potentially
            insecure configuration.

        off
            Disables hypervisor mitigations and doesn't
            emit any warnings.
            It also drops the swap size and available
            RAM limit restriction on both hypervisor and
            bare metal.

        Default is 'flush'.

        For details see: Documentation/admin-guide/hw-vuln/l1tf.rst

I tried some of these options and ended up with full,force. But that is just my personal choice.


How to use

If you are now asking how to use it (what to edit), the answer is:

  1. Edit the following file with your favourite text editor:

    /etc/default/grub
    
  2. Add one of the options, e.g. let me use l1tf=full,force, to this line:

    GRUB_CMDLINE_LINUX_DEFAULT="... l1tf=full,force"
    
  3. Update your bootloader configuration with:

    sudo update-grub
    
  4. The change takes effect after a reboot:

    reboot --reboot
    

Result

If you decide to go ahead and test this solution, you should end up with something like this:

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (unconditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  NO 
> STATUS:  NOT VULNERABLE  (L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability)

(Screenshot: L1TF - mitigated; a full-size image that can be enlarged was attached here.)


Note from Stephen Kitt

The L1TF-specific kernel documentation is also worth reading: it explains the vulnerability and the mitigations in detail, and explains how to enable and disable the mitigations (including disabling SMT) at runtime, without rebooting or changing the system configuration.
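The following is an added example, not part of the answer above, of Stephen Kitt's note, or of spectre-meltdown-checker. It scripts both halves of what the answer and the note describe: the persistent step (keeping exactly one l1tf=<mode> token on GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, idempotently, so it is safe to re-run from provisioning scripts) and the runtime side (reading the kernel's verdict from /sys/devices/system/cpu/vulnerabilities/l1tf and switching /sys/devices/system/cpu/smt/control and /sys/module/kvm_intel/parameters/vmentry_l1d_flush, the knobs documented in Documentation/admin-guide/hw-vuln/l1tf.rst). The function names and the GRUB_DEFAULT / SYSFS_ROOT override variables are my own choices; the status strings it matches are the ones the kernel prints for this CVE, and the sample files used when exercising it are constructed.

```shell
#!/bin/sh
# Added example (not from the answer above, Stephen Kitt's note or
# spectre-meltdown-checker). Both halves of handling L1TF / CVE-2018-3646:
#   persistent: keep exactly one l1tf=<mode> token in /etc/default/grub
#   runtime:    read the kernel's verdict from sysfs and flip SMT and the KVM
#               L1D flush as Documentation/admin-guide/hw-vuln/l1tf.rst describes
# GRUB_DEFAULT and SYSFS_ROOT (names chosen here) may point at copies, so every
# function can be exercised without root against constructed files.

GRUB_DEFAULT="${GRUB_DEFAULT:-/etc/default/grub}"
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# grub_cmdline [FILE]: print the unquoted GRUB_CMDLINE_LINUX_DEFAULT value
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "${1:-$GRUB_DEFAULT}"
}

# set_l1tf_cmdline MODE [FILE]: replace an existing l1tf= token (dropping any
# duplicate) or append one; other tokens and lines are untouched, so the call
# is idempotent. update-grub and a reboot are still needed afterwards.
set_l1tf_cmdline() {
    mode="$1"; file="${2:-$GRUB_DEFAULT}"
    case "$mode" in
        full|full,force|flush|flush,nosmt|flush,nowarn|off) ;;
        *) echo "set_l1tf_cmdline: unknown l1tf mode '$mode'" >&2; return 2 ;;
    esac
    tmp="$(mktemp)" || return 1
    awk -v mode="$mode" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            line = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="/, "", line); sub(/"$/, "", line)
            n = split(line, tok, /[ \t]+/); out = ""; seen = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (tok[i] ~ /^l1tf=/) {
                    if (seen) continue
                    tok[i] = "l1tf=" mode; seen = 1
                }
                out = (out == "") ? tok[i] : out " " tok[i]
            }
            if (!seen) out = (out == "") ? "l1tf=" mode : out " l1tf=" mode
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rc=$?; rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    case "$(grub_cmdline "$file")" in            # verify the token really landed
        *"l1tf=$mode"*) return 0 ;;
        *) echo "set_l1tf_cmdline: no GRUB_CMDLINE_LINUX_DEFAULT=\"...\" line in $file" >&2
           return 1 ;;
    esac
}

# l1tf_status: the kernel's own verdict, e.g.
#   Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
l1tf_status() { cat "$SYSFS_ROOT/devices/system/cpu/vulnerabilities/l1tf" 2>/dev/null; }

# l1tf_vmx_state: the "VMX: ..." clause reduced to one word; the strings are the
# ones the kernel prints (arch/x86/kernel/cpu/bugs.c, l1tf_vmx_states[]).
l1tf_vmx_state() {
    case "$(l1tf_status)" in
        *"VMX: conditional cache flushes"*) echo conditional ;;
        *"VMX: cache flushes"*)             echo unconditional ;;
        *"VMX: EPT disabled"*)              echo ept-disabled ;;
        *"VMX: flush not necessary"*)       echo not-required ;;
        *"VMX: vulnerable"*)                echo vulnerable ;;
        *)                                  echo none ;;
    esac
}

# l1tf_smt_state: vulnerable | disabled | unknown (the kernel omits the SMT
# clause when EPT is disabled, or when flushing is off while SMT is active)
l1tf_smt_state() {
    case "$(l1tf_status)" in
        *"SMT vulnerable"*) echo vulnerable ;;
        *"SMT disabled"*)   echo disabled ;;
        *)                  echo unknown ;;
    esac
}

# l1tf_vmm_fully_mitigated: what the checker's --paranoid mode wants for
# CVE-2018-3646 (unconditional flush AND SMT off), or EPT disabled, which the
# kernel documentation lists as a full mitigation on its own, or an unaffected CPU.
l1tf_vmm_fully_mitigated() {
    case "$(l1tf_status)" in "Not affected"*) return 0 ;; esac
    vmx="$(l1tf_vmx_state)"
    [ "$vmx" = ept-disabled ] || [ "$vmx" = not-required ] ||
        { [ "$vmx" = unconditional ] && [ "$(l1tf_smt_state)" = disabled ]; }
}

# l1tf_runtime_harden: the l1tf=full end state without a reboot (needs root;
# the kvm_intel parameter exists only while the module is loaded; neither
# setting survives a reboot, hence set_l1tf_cmdline for the persistent half).
l1tf_runtime_harden() {
    echo off    > "$SYSFS_ROOT/devices/system/cpu/smt/control" &&
    echo always > "$SYSFS_ROOT/module/kvm_intel/parameters/vmentry_l1d_flush"
}
```

Source the file and call the functions: set_l1tf_cmdline full,force followed by sudo update-grub covers the persistent half of the steps in the answer, and l1tf_runtime_harden, run as root, reaches the same state immediately for the current boot. Afterwards l1tf_vmm_fully_mitigated tracks the two conditions the checker's paranoid mode reports for this CVE (unconditional flushes and SMT disabled), so it can serve as a quick post-change check before running spectre-meltdown-checker again.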
