Linux Developers Discuss Flushing L1 Cache On Context Switches In Light Of Vulnerabilities
Written by Michael Larabel in Hardware on 19 March 2020 at 07:10 AM EDT. 15 Comments
HARDWARE --
In light of data sampling vulnerabilities like MDS, engineers from Amazon, Google, and other organizations are discussing a proof-of-concept implementation that would optionally flush the L1 data cache on context switches.

Flushing out the L1 data cache on each context switch would result in yet another performance hit so it isn't being taken lightly. At least based upon public information at this point doesn't appear necessary but an extra step to enhance the system security following Intel's data sampling vulnerability disclosures. The "request for comments" patch by an Amazon engineer describes it as an optional feature for those that are "paranoid due to the recent snoop assisted data sampling vulnerabilites, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

The discussed means are ensuring data left in the L1d would be cleared out and a second avenue being explored is clearing the L1 cache should any untrusted (potentially malicious) process be starting up so to clear out the L1 cache before hand.


As this is just being advertised as a feature for the "paranoid", opting into this flushing of the L1d cache on context switching out is left to be enabled on a per-software basis via a new prctl() flag but no option for blanket enabling at this stage. With this patch being worked on by an Amazon engineer, it's something they are at least considering for the public cloud.

"This is an early PoC to start the discussion on the need for conditional L1D flushing based on the security posture of the application and the sensitivity of the data it has access to or might have access to," wrote Amazon engineer Balbir Singh with the initial patch proposal. We'll see where this L1d-flushing-on-context-switch patch leads.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week