Lines Matching +full:run +full:- +full:control
1 L1TF - L1 Terminal Fault
10 -------------------
15 - Processors from AMD, Centaur and other non-Intel vendors
17 - Older processor models, where the CPU family is < 6
19 - A range of Intel ATOM processors (Cedarview, Cloverview, Lincroft,
22 - The Intel XEON PHI family
24 - Intel processors which have the ARCH_CAP_RDCL_NO bit set in the
33 ------------
38 CVE-2018-3615 L1 Terminal Fault SGX related aspects
39 CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
40 CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
44 -------
66 ----------------
74 In some cases user-space can maliciously influence the information
90 OSes, which can control the PTEs directly, and malicious guest user
91 space applications, which run on an unprotected guest kernel lacking the
120 -----------------------
138 - SMT status:
145 - L1D Flush mode:
159 -------------------------
166 ---------------------------
188 - conditional ('cond')
189 - unconditional ('always')
210 line and sysfs control files. See :ref:`mitigation_control_command_line`
221 host tasks can run on these cores.
223 If only a single guest or related guests run on sibling SMT threads on
232 declared as non-interesting for an attacker without deep inspection of
244 https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v1/cpusets.rst
255 queue without allowing the administrator to control the affinities.
258 which run untrusted guests, reduces the attack vector space.
260 Whether the interrupts which are affine to CPUs, which run untrusted
262 configuration and the scenarios which run on the system. While for some
271 https://www.kernel.org/doc/Documentation/core-api/irq/irq-affinity.rst
275 4. SMT control
285 to control it. It also provides a kernel command line interface to
286 control SMT.
294 core only one - the so called primary (hyper) thread is
306 - /sys/devices/system/cpu/smt/control
307 - /sys/devices/system/cpu/smt/active
309 /sys/devices/system/cpu/smt/control:
311 This file allows reading out the SMT control state and provides the
322 online a non-primary sibling is rejected
325 Attempts to write to the control file are rejected.
329 Attempts to write to the control file are rejected.
332 The possible states which can be written into this file to control SMT
335 - on
336 - off
337 - forceoff
344 SMT control is also possible at boot time via the l1tf kernel command
345 line parameter in combination with L1D flush control. See
357 EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
364 Mitigation control on the kernel command line
365 ---------------------------------------------
367 The kernel command line allows controlling the L1TF mitigations at boot
375 SMT control and L1D flush control via the sysfs interface
382 control. Implies the 'nosmt=force' command line option.
383 (i.e. sysfs control of SMT is disabled.)
388 SMT control and L1D flush control via the sysfs interface
397 SMT control and L1D flush control via the sysfs interface
418 Mitigation control for KVM - module parameter
419 -------------------------------------------------------------
424 The option/parameter is "kvm-intel.vmentry_l1d_flush=". It takes the
445 line, then 'always' is enforced and the kvm-intel.vmentry_l1d_flush
451 --------------------------
468 sysfs control files. See :ref:`mitigation_control_command_line` and
491 EPT can be disabled in the hypervisor via the 'kvm-intel.ept' parameter.
499 - L1D flushing on VMENTER:
507 - Guest confinement:
515 - Interrupt isolation:
521 affinity to the CPUs which run the untrusted guests can depending on
531 - Disabling SMT:
537 SMT control and L1D flushing can be tuned by the command line
538 parameters 'nosmt', 'l1tf', 'kvm-intel.vmentry_l1d_flush' and at run
539 time with the matching sysfs control files. See :ref:`smt_control`,
543 - Disabling EPT:
550 EPT can be disabled in the hypervisor via the 'kvm-intel.ept'
562 - Flush the L1D cache on every switch from the nested hypervisor to the
566 - Flush the L1D cache on every switch from the nested virtual machine to
571 - Instruct the nested hypervisor to not perform any L1D cache flush. This
578 -------------------
582 - PTE inversion to protect against malicious user space. This is done
586 - L1D conditional flushing on VMENTER when EPT is enabled for
594 - Force disabling SMT can break existing setups, especially with
597 - If regular users run untrusted guests on their machine, then L1TF is
599 guest, e.g. spam-bots or attacks on the local network.
604 - It's technically extremely unlikely and from today's knowledge even
607 control PTEs. If this would be possible and no other mitigation would
610 - The administrators of cloud and hosting setups have to carefully