L1TF Cache Flushing Mode Could Soon Be Controlled Via Kconfig Build Option

Written by Michael Larabel in Linux Security on 3 July 2020 at 04:38 AM EDT. Add A Comment
LINUX SECURITY
Approaching the two year anniversary next month of the L1TF / Foreshadow vulnerability, a Google engineer has proposed allowing the default mitigation state to be controlled via a Kconfig build-time option.

This speculative execution attack on Intel CPUs has been mitigated since August 2018 and has offered for KVM virtual machine mitigation the kvm-intel.vmentry_l1d_flush module parameter for controlling the L1 data cache flushing behavior. But now a Google engineer has proposed setting the default L1 data flushing mode to be configurable at build-time via a new KVM_VMENTRY_L1D_FLUSH knob. This knob doesn't provide any new L1 Terminal Fault mitigation but rather just allows adjusting the default behavior for the default configuration of that kernel image, whether it be to never flush the cache before a VMENTER, conditionally flush, or the most impactful state of always flushing.

The existing default behavior of the Linux kernel is for flushing in specific/conditional instances when the host enters the guest, due to the performance costs involved. With this Kconfig option, distributions could ship kernels where the flushing always happens (the most severe for performance) or never (better performance, albeit security risks of L1TF). This simply makes it easier to define the default than the vmentry_l1d_flush module parameter for KVM. This new Kconfig option doesn't touch the Hyper Threading behavior.

The patch is quite straightforward so could see it quite possibly for Linux 5.9. We'll see and if any distribution vendors ahead end up making use of KVM_VMENTRY_L1D_FLUSH's different defaults. Given a Google engineer is working on it, they could be quite likely considering changing the default for their cloud or other internal needs.
Add A Comment
Related News
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
Fedora Linux 40 Available For Download As A Wonderful Upgrade
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds