2018/08/16 Advisory: L1 Terminal Fault (L1TF)
This page covers ongoing efforts and may be updated (latest: 2019-04-17).
Following the "Meltdown" and "Spectre" vulnerabilities from January 2018, new similar vulnerabilities were published in August 2018: "L1 Terminal Fault". Like with "Meltdown" and "Spectre", these vulnerabilities break down the boundary that protects memory between processes and between a Hypervisor and the VMs running on it.
Please note that not taking any action is not an option as this will render your device exploitable!
The three variants of "L1 Terminal Fault" are the 3rd iteration of CPU related hardware vulnerabilities. Additional vulnerabilities may be published in the future and would require another iteration of applying patches and / or mitigation options...
Strategy
The general strategy for all systems, including Hypervisors, is the update to the most recent operating system version. Hypervisors hosting user-controlled VMs or VMs with end-user access should also disable HyperThreading ("SMT OFF"):- For CERN CentOS 7 and SLC 6, fixes have been made available for testing through the CERN Linux software “test”/QA repositories. These fixes were released to production for CC7-x86_64 [2018-08-20], SLC6-i686 [2018-08-20] and SLC6-x86_64 [2018-08-20]. In order to be active, they require a restart of the operating system. In order to be active, they require a restart of the operating system;
- For CERN centrally managed Windows devices, stay tuned;
- Individual, non-CERN managed devices (private or CERN; Windows, Linux or Mac; office PCs, laptops, …) should be updated using the standard updating mechanisms (Windows upgrade, yum update,...) and subsequently rebooted;
- For Virtual machines in the CERN Computer Centre, fixes are available but some of them can only be effective after an Hypervisor update and a hard reboot of the VM. The current status and schedule is available on the CERN Status Board;
- For Hypervisors in the CERN Computer Centre, CERN IT is performing functional and performance testing of the provided fixes, and will define a roll-out schedule. This will require a reboot of the hypervisors themselves and thus will result in a hard reboot of all VMs; Detailed schedule and mitigation will be provided later;
Checking the status of your system
Recent Linux releases have added an easy way of checking the status of you system concerning CPU related hardware vulnerabilities: special files in /sys/devices/system/cpu/vulnerabilities/. You can easily learn the status of your system by reading these files. If any file is missing, you first need to update your kernel. Each of them should contain:
- /sys/devices/system/cpu/vulnerabilities/l1tf: "Mitigation: PTE Inversion"
- /sys/devices/system/cpu/vulnerabilities/meltdown: "Mitigation: PTI"
- /sys/devices/system/cpu/vulnerabilities/spec_store_bypass: "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
- /sys/devices/system/cpu/vulnerabilities/spectre_v1: "Load fences" and/or "__user pointer sanitization"
- /sys/devices/system/cpu/vulnerabilities/spectre_v2: "Mitigation: Full retpoline". Systems running on Skylake processors cannot be fully fixed and will contain "Vulnerable: Retpoline on Skylake+"
If your system is listed as 'Vulnerable', a kernel and/or a microcode update are required. For VMs, several of these vulnerability depends on a microcode update on the hypervisor and a hard reboot of the VM.
References
- RedHat general advisory for L1TF
- Linux documentation about L1TF and its mitigations
- Intel general advisory for L1TF (with peformance analysis
- RedHat's performance analysis of L1TF mitigations
- Intel detailed analysis of L1TF
- RedHat detailed analysis of L1TF, with a short high level video and a longer, more technical video
- List of Microcode updates for L1TF
- Intel Q3 Security Advisory
