KVM Virtualization Adds Protections For Spectre-V1/L1TF Combination Attack

Written by Michael Larabel in Virtualization on 31 January 2020 at 07:05 AM EST. 4 Comments
Following the Xen hypervisor in mitigating against a possible Spectre Variant One and L1 Terminal Fault combination attack, the Kernel-based Virtual Machine (KVM) has added its own protections with the Linux 5.6 kernel on top of all the other mitigations they've had to endure as a result of CPU vulnerabilities over the past two years.

The new concern for virtualization is that Spectre V1 and L1TF (Level One Terminal Fault) could be combined to more easily collect leaked information. Xen recently issued XSA-289 as "cache-load gadgets exploitable with L1TF." While now the KVM code has been updated to protect against this combination attack.

This attack isn't fully mitigated by the work around core scheduling so fresh work was needed to better protect the KVM x86/x86_64 code. Red Hat's Paolo Bonzini described this latest mitigation effort as "an even bigger whack-a-mole game than SpectreV1."

With the KVM updates for Linux 5.6 is now this Spectre V1 + L1TF combo protection as well as various clean-ups and continued reworking/rewriting of the KVM kernel code itself.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week