I am using spectre-meltdown-checker, version 0.42, which without any options gives an all-green result. However, in the help page I found this --paranoid switch, which turns roughly half of the later CVEs red. I read what it told me: for full mitigation I have to disable Hyper-Threading, which scared me a bit, but I did it anyway, and the result is a single remaining red flag, for CVE-2018-3646 = L1D unconditional flushing should be enabled to fully mitigate the vulnerability.
Laptop: Dell Inspiron 15 with the latest BIOS (1.8.0, link to details).
Processor: Intel© Core™ i7-7700HQ (link to Intel Ark).
Linux kernel: 4.15.0-65-generic; full uname -a:
Linux dell-7577 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
For completeness, here is the information about the --paranoid switch from the help:
--paranoid require IBPB to deem Variant 2 as mitigated
also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
also require SMT disabled to deem MDS vulnerabilities mitigated
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor: YES (paranoid mode)
* Mitigation 1 (KVM)
* EPT is disabled: NO
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
* L1D flush enabled: YES (conditional flushes)
* Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
* Hyper-Threading (SMT) is enabled: YES
> STATUS: VULNERABLE (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)
Actual question
Apart from disabling Hyper-Threading, how do I enable this unconditional L1D flush?
Answer 1
I did some digging; in the documentation this vulnerability is called:
L1TF = L1 Terminal Fault
In fact I found the kernel documentation directly, quoting:
l1tf= [X86] Control mitigation of the L1TF vulnerability on
affected CPUs
The kernel PTE inversion protection is unconditionally
enabled and cannot be disabled.
full
Provides all available mitigations for the
L1TF vulnerability. Disables SMT and
enables all mitigations in the
hypervisors, i.e. unconditional L1D flush.
SMT control and L1D flush control via the
sysfs interface is still possible after
boot. Hypervisors will issue a warning
when the first VM is started in a
potentially insecure configuration,
i.e. SMT enabled or L1D flush disabled.
full,force
Same as 'full', but disables SMT and L1D
flush runtime control. Implies the
'nosmt=force' command line option.
(i.e. sysfs control of SMT is disabled.)
flush
Leaves SMT enabled and enables the default
hypervisor mitigation, i.e. conditional
L1D flush.
SMT control and L1D flush control via the
sysfs interface is still possible after
boot. Hypervisors will issue a warning
when the first VM is started in a
potentially insecure configuration,
i.e. SMT enabled or L1D flush disabled.
flush,nosmt
Disables SMT and enables the default
hypervisor mitigation.
SMT control and L1D flush control via the
sysfs interface is still possible after
boot. Hypervisors will issue a warning
when the first VM is started in a
potentially insecure configuration,
i.e. SMT enabled or L1D flush disabled.
flush,nowarn
Same as 'flush', but hypervisors will not
warn when a VM is started in a potentially
insecure configuration.
off
Disables hypervisor mitigations and doesn't
emit any warnings.
It also drops the swap size and available
RAM limit restriction on both hypervisor and
bare metal.
Default is 'flush'.
For details see: Documentation/admin-guide/hw-vuln/l1tf.rst
I tried a few of these options and ended up with full,force. But that is just my personal choice.
How to use
If you are now asking how to use it (what to edit), the answer is:
Edit the following file with your favourite text editor:
/etc/default/grub
Add one of the options, e.g. in my case l1tf=full,force, to this line:
GRUB_CMDLINE_LINUX_DEFAULT="... l1tf=full,force"
Update your bootloader configuration with:
sudo update-grub
The change takes effect after a reboot:
reboot --reboot
Result
If you decide to go ahead and test this solution, you should end up with a result similar to this:
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled
* This system is a host running a hypervisor: YES (paranoid mode)
* Mitigation 1 (KVM)
* EPT is disabled: NO
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
* L1D flush enabled: YES (unconditional flushes)
* Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
* Hyper-Threading (SMT) is enabled: NO
> STATUS: NOT VULNERABLE (L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability)
Stephen Kitt's note
For L1TF specifically, the kernel documentation is also worth reading: it explains the vulnerability and its mitigations in detail, and describes how to enable and disable the mitigations (including disabling SMT) at runtime, without rebooting or changing the system configuration.
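The following is an added example, not code from the question, the answer, or the spectre-meltdown-checker project. It wraps the two halves of the answer's procedure that are easy to get wrong by hand: adding `l1tf=full,force` to `GRUB_CMDLINE_LINUX_DEFAULT` without leaving an older `l1tf=` value in place (the kernel would otherwise see two instances of the same key), and classifying the `l1tf` line from `/sys/devices/system/cpu/vulnerabilities/` so the "before" and "after" states shown above can be checked without re-running the whole checker. The function names, the `full`/`partial` labels and the sample grub file are this example's own assumptions; it only ever edits a constructed temporary copy, never the real `/etc/default/grub`.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
#   add_grub_param FILE PARAM  - add/replace a parameter in GRUB_CMDLINE_LINUX_DEFAULT
#   l1tf_status STRING         - classify a /sys/devices/system/cpu/vulnerabilities/l1tf line
# Function names, the "full"/"partial" labels and the sample grub file below are
# this example's own assumptions (the value is assumed to be double-quoted).

# Add PARAM to the GRUB_CMDLINE_LINUX_DEFAULT line of FILE. An existing
# parameter with the same key (text before '=') is replaced, so running the
# function twice does not leave a duplicate "l1tf=...". Prints the new value.
add_grub_param() {
    file=$1
    param=$2
    key=${param%%=*}

    # No such line yet: append one rather than silently doing nothing.
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$param" >> "$file"
        printf '%s\n' "$param"
        return 0
    fi

    # Current value between the double quotes.
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file")

    new=""
    set -f                        # no glob expansion while splitting on whitespace
    for tok in $current; do
        case $tok in
            "$key"|"$key"=*) ;;   # drop the old instance of the same key
            *) new="$new${new:+ }$tok" ;;
        esac
    done
    set +f
    new="$new${new:+ }$param"

    # Rewrite via a temp file; '|' as sed delimiter keeps '/' in values harmless.
    tmp="$file.tmp"
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file" > "$tmp"
    mv "$tmp" "$file"
    printf '%s\n' "$new"
}

# Classify the line read from /sys/devices/system/cpu/vulnerabilities/l1tf.
# "full" is the state the answer ends with (unconditional flushes, SMT off);
# any other line that still reports a mitigation is "partial".
l1tf_status() {
    case $1 in
        "Not affected")                       echo not-affected ;;
        *"VMX: cache flushes, SMT disabled"*) echo full ;;
        Mitigation:*)                         echo partial ;;
        *)                                    echo vulnerable ;;
    esac
}

# Demo on a constructed copy of /etc/default/grub (never touches the real one).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash l1tf=flush"
GRUB_CMDLINE_LINUX=""
EOF
    add_grub_param "$f" l1tf=full,force
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f"
    rm -f "$f"
    # Report this machine's current state if the sysfs file is readable.
    if [ -r /sys/devices/system/cpu/vulnerabilities/l1tf ]; then
        l1tf_status "$(cat /sys/devices/system/cpu/vulnerabilities/l1tf)"
    fi
}

demo
```

After running `add_grub_param` against the real `/etc/default/grub`, `sudo update-grub` and a reboot are still needed, exactly as the answer says; the edit alone changes nothing until the new kernel command line is booted. For the runtime path that Stephen Kitt's note refers to, `Documentation/admin-guide/hw-vuln/l1tf.rst` documents the sysfs knobs `/sys/devices/system/cpu/smt/control` and `/sys/module/kvm_intel/parameters/vmentry_l1d_flush`; after toggling them, re-reading the `l1tf` vulnerabilities file through `l1tf_status` shows whether the combination has reached the `full` state.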