Updated Intel microcode (provided through your hardware / BIOS vendor or by SUSE) introduces a new feature called “flush_l1d”. Hypervisors and bare-metal kernels use this feature to flush the L1 data cache during operations which may be susceptible to data leakage (e.g. when switching between VMs in Hypervisor environments).
Software mitigations exist for the Linux Kernel and for Hypervisors. These mitigations include support for new CPU features, passing these features to guests, and support for enabling/disabling/tuning the mitigations. Recommended mitigations vary depending on the environment.
For KVM host environments, mitigation can be achieved through L1D cache flushes, and/or disabling Extended Page Tables (EPT) and Simultaneous MultiThreading (SMT).
The L1D cache is flushed on every VMENTER.
The L1D cache is flushed on VMENTER only when there can be leak of host memory between VMEXIT and VMENTER. This could still leak some host data, like address space layout.
Disables the L1D cache flush mitigation.
The default setting here is “cond”.
The l1tf “full” setting overrides the settings of this configuration variable.
L1TF can be used to bypass Extended Page Tables (EPT). To mitigate this risk, it is possible to disable EPT and use shadow pages instead. This mitigation is available through the “kvm-intel.enable_ept” option:
The Extended Page tables support is switched off.
To eliminate the risk of untrusted processes or guests exploiting this vulnerability on a sibling hyper-thread, Simultaneous MultiThreading (SMT) can be disabled completely.
On the kernel boot command line:
SMT is disabled, but can be later reenabled in the system.
SMT is disabled, and can not be reenabled in the system.
If this option is not passed, SMT is enabled. Any SMT options used with the “l1tf” kernel parameter option overrides this “nosmt” option.
SMT can also be controlled through sysfs:
This file allows to read the current control state and allows to disable or (re)enable SMT.
Possible states are:
SMT is supported and enabled.
SMT is supported, but disabled. Only primary SMT threads can be onlined.
SMT is supported, but disabled. Further control is not possible.
SMT is not supported.
Potential values that can be written into this file:
This file contains the state of SMT, if it is enabled and active, where active means that multiple threads run on 1 core.
pv-l1tf=[ <bool>, dom0=<bool>, domu=<bool> ]
HVM guests achieve mitigation through a combination of L1D flushes, and disabling SMT.
This parameter determines whether or not the Xen hypervisor performs L1D flushes on VMEntry. Regardless of this setting, this feature is virtualized and passed to HVM guests for in-guest mitigation.
WARNING – The combination of Meltdown mitigation (KPTI) and shadow mode on hardware which supports PCID can result in a severe performance degradation.
NOTE – Efforts are ongoing to implement scheduling improvements that allow hyper-thread siblings to be restricted to threads from a single guest. This will reduce the exposure of L1TF, and the requirement to disable SMT in many environments.