Linux-Kernel

L1D unconditional flushing should be enabled to fully mitigate the vulnerability (CVE-2018-3646)

  • October 18, 2019

I used spectre-meltdown-checker version 0.42; without any options it gave an all-green result. However, in a help page I found the --paranoid switch, which turned about half of the later CVEs red. I read what it told me: for full mitigation I would have to disable Hyper-Threading, which scared me a bit, but I figured I had better do it, and that left only one red flag, CVE-2018-3646 = L1D unconditional flushing should be enabled to fully mitigate the vulnerability.


Laptop: Dell Inspiron 15, with the latest BIOS (1.8.0, details link).

Processor: Intel© Core™ i7-7700HQ (link to Intel Ark).

Linux kernel: 4.15.0-65-generic; full uname -a:

Linux dell-7577 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

For completeness, I am adding the information from the help for the --paranoid switch:

--paranoid      require IBPB to deem Variant 2 as mitigated
               also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
               also require SMT disabled to deem MDS vulnerabilities mitigated

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
 * EPT is disabled:  NO 
* Mitigation 2
 * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
 * L1D flush enabled:  YES  (conditional flushes)
 * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
 * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  VULNERABLE  (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)

The actual question

How do I enable this unconditional L1D flush, apart from disabling Hyper-Threading?

I did a little digging; in the documentation this vulnerability is called:

L1TF = L1 Terminal Fault

I actually found the kernel documentation directly; quoting:

l1tf=   [X86] Control mitigation of the L1TF vulnerability on
       affected CPUs

       The kernel PTE inversion protection is unconditionally
       enabled and cannot be disabled.

       full
           Provides all available mitigations for the
           L1TF vulnerability. Disables SMT and
           enables all mitigations in the
           hypervisors, i.e. unconditional L1D flush.

           SMT control and L1D flush control via the
           sysfs interface is still possible after
           boot.  Hypervisors will issue a warning
           when the first VM is started in a
           potentially insecure configuration,
           i.e. SMT enabled or L1D flush disabled.

       full,force
           Same as 'full', but disables SMT and L1D
           flush runtime control. Implies the
           'nosmt=force' command line option.
           (i.e. sysfs control of SMT is disabled.)

       flush
           Leaves SMT enabled and enables the default
           hypervisor mitigation, i.e. conditional
           L1D flush.

           SMT control and L1D flush control via the
           sysfs interface is still possible after
           boot.  Hypervisors will issue a warning
           when the first VM is started in a
           potentially insecure configuration,
           i.e. SMT enabled or L1D flush disabled.

       flush,nosmt

           Disables SMT and enables the default
           hypervisor mitigation.

           SMT control and L1D flush control via the
           sysfs interface is still possible after
           boot.  Hypervisors will issue a warning
           when the first VM is started in a
           potentially insecure configuration,
           i.e. SMT enabled or L1D flush disabled.

       flush,nowarn
           Same as 'flush', but hypervisors will not
           warn when a VM is started in a potentially
           insecure configuration.

       off
           Disables hypervisor mitigations and doesn't
           emit any warnings.
           It also drops the swap size and available
           RAM limit restriction on both hypervisor and
           bare metal.

       Default is 'flush'.

       For details see: Documentation/admin-guide/hw-vuln/l1tf.rst

I tried some of these options and ended up with full,force. But that is just my personal choice.


How to use it

If you are now asking how to use it (what to edit), the answer is:

  1. Edit the following file with your favourite text editor:
/etc/default/grub
  2. Add one of the options (for example, let me use l1tf=full,force) to this line:
GRUB_CMDLINE_LINUX_DEFAULT="... l1tf=full,force"
  3. Update your boot loader configuration with the following command:
sudo update-grub
  4. The change takes effect after a reboot:
reboot --reboot

Result

If you decide to go ahead and test this solution, you should get a result similar to this:

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
 * EPT is disabled:  NO 
* Mitigation 2
 * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
 * L1D flush enabled:  YES  (unconditional flushes)
 * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
 * Hyper-Threading (SMT) is enabled:  NO 
> STATUS:  NOT VULNERABLE  (L1D unconditional flushing and Hyper-Threading disabled are mitigating the vulnerability)

[Image: "L1TF - mitigation", a zoomable screenshot of the checker output above]
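The same four steps as a script, added here as an example and not part of the answer above: it rewrites GRUB_CMDLINE_LINUX_DEFAULT idempotently (an existing l1tf= value is replaced rather than a second one appended), and after the reboot lets you confirm from /proc/cmdline which l1tf= value the running kernel actually received. The function names and the --apply/--verify flags are this example's own; GRUB_FILE defaults to /etc/default/grub, and update-grub only runs under --apply.

```shell
#!/bin/sh
# Added example: persist an l1tf= setting the way the answer describes, but
# idempotently. Helper names are this example's own, not from the page.
set -eu

# Set (or replace) KEY=VALUE inside GRUB_CMDLINE_LINUX_DEFAULT="..." in FILE.
# Usage: grub_set_param FILE KEY VALUE
#   e.g. grub_set_param /etc/default/grub l1tf full,force
grub_set_param() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
            seen = 1
            line = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT=["]?/, "", line)   # drop name and opening quote
            sub(/["]?[ \t]*$/, "", line)                         # drop closing quote
            n = split(line, parts, " ")
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (index(parts[i], key "=") == 1) {   # replace an existing key=... entry
                    parts[i] = key "=" value; found = 1
                }
                if (out == "") out = parts[i]; else out = out " " parts[i]
            }
            if (!found) {
                if (out == "") out = key "=" value; else out = out " " key "=" value
            }
            print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
            next
        }
        { print }
        END { if (!seen) print "GRUB_CMDLINE_LINUX_DEFAULT=\"" key "=" value "\"" }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through, so owner/mode of the file are kept
    rm -f "$tmp"
}

# Print the current GRUB_CMDLINE_LINUX_DEFAULT value of FILE (without quotes).
grub_get_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Print the value of the last KEY=... on a kernel command line.
# Usage: cmdline_param_value KEY [CMDLINE]   (CMDLINE defaults to /proc/cmdline)
cmdline_param_value() {
    key=$1; cmdline=${2:-$(cat /proc/cmdline)}
    printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n "s/^$key=//p" | tail -n 1
}

case "${1:-}" in
    --apply)    # run as root; second argument overrides the l1tf value
        grub_set_param "${GRUB_FILE:-/etc/default/grub}" l1tf "${2:-full,force}"
        update-grub
        echo "next boot will use: $(grub_get_cmdline "${GRUB_FILE:-/etc/default/grub}")"
        ;;
    --verify)   # run after the reboot
        echo "running kernel booted with l1tf=$(cmdline_param_value l1tf)"
        ;;
esac
```

After `--verify` shows `full,force`, re-run spectre-meltdown-checker with --paranoid; the kernel, not GRUB, is the authority on what was applied, and /proc/cmdline is where that is visible.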


Note from Stephen Kitt

Also worth reading is the L1TF-specific kernel documentation, which explains the vulnerability and its mitigations in detail, and explains how to enable and disable the mitigations (including disabling SMT) at run time, without rebooting or changing the system configuration.
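The run-time route the note points at, as an added example that is neither from the post nor from the kernel documentation: it reads the three sysfs files the L1TF document names (the l1tf vulnerability status, the SMT control knob and the kvm_intel vmentry_l1d_flush parameter), classifies them by the same criteria the checker's --paranoid mode applies, and, as root, sets the state that l1tf=full gives at boot. The function names and verdict strings are this example's own. Note that with l1tf=full,force (the value chosen in the answer) the kernel refuses these run-time writes, so this only applies to flush or full.

```shell
#!/bin/sh
# Added example, not code from the page: inspect and (as root) change the L1TF
# mitigation at run time via sysfs. Names and verdict strings are this example's own.
set -eu

L1TF_SYS=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_CTL=/sys/devices/system/cpu/smt/control
KVM_FLUSH=/sys/module/kvm_intel/parameters/vmentry_l1d_flush

# Print a sysfs file, or "absent" when it is not there (kvm_intel not loaded,
# or a kernel without the SMT control knob).
sysfs_read() { if [ -r "$1" ]; then cat "$1"; else echo absent; fi; }

# Classify the three readings (L1TF status line, smt/control, vmentry_l1d_flush).
# Prints not-affected | fully-mitigated | partial | vulnerable; returns 0 only for
# the first two. "Fully" means the paranoid criteria: SMT off AND the hypervisor
# flushing unconditionally ("VMX: cache flushes" / parameter "always").
l1tf_assess() {
    st=$1; smt=$2; flush=$3
    case $st in
        "Not affected") echo not-affected; return 0 ;;
        Mitigation:*) ;;
        *) echo vulnerable; return 1 ;;
    esac
    smt_off=0; flush_always=0
    case $smt in off|forceoff|notsupported) smt_off=1 ;; esac
    case $st in *"SMT disabled"*) smt_off=1 ;; esac
    case $flush in always) flush_always=1 ;; esac
    # "conditional cache flushes" also contains "cache flushes"; the "VMX: " prefix
    # restricts this match to the unconditional state.
    case $st in *"VMX: cache flushes"*) flush_always=1 ;; esac
    if [ "$smt_off" -eq 1 ] && [ "$flush_always" -eq 1 ]; then
        echo fully-mitigated; return 0
    fi
    echo partial; return 1
}

# Show the live readings and the verdict.
l1tf_report() {
    st=$(sysfs_read "$L1TF_SYS"); smt=$(sysfs_read "$SMT_CTL"); flush=$(sysfs_read "$KVM_FLUSH")
    printf '%-20s %s\n' "l1tf:" "$st" "smt/control:" "$smt" "vmentry_l1d_flush:" "$flush"
    l1tf_assess "$st" "$smt" "$flush" || true   # verdict is informational here
}

# Root only. Writing "off" (not "forceoff") keeps SMT re-enableable with "on"
# later, which mirrors l1tf=full rather than l1tf=full,force.
l1tf_runtime_harden() {
    [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; return 1; }
    [ -w "$SMT_CTL" ] && echo off > "$SMT_CTL"
    [ -w "$KVM_FLUSH" ] && echo always > "$KVM_FLUSH"
    l1tf_report
}

case "${1:-}" in
    --report) l1tf_report ;;
    --harden) l1tf_runtime_harden ;;
esac
```

Run `--report` before and after `--harden`: the l1tf status line should move from "VMX: conditional cache flushes, SMT vulnerable" to "VMX: cache flushes, SMT disabled", the same text the checker quotes from /sys. Because this is not persisted, the next reboot returns to whatever l1tf= (default flush) was on the command line.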

Source: https://unix.stackexchange.com/questions/547433