[QUOTE=malcolmlewis;2877932]Hi
See: Security Vulnerability: "L1 Terminal Fault" (L1TF) aka CVE-2018-3615, CVE-2018-3620 & CVE-2018-3646. | Support | SUSE
[/quote]
Yes, I have already seen this before opening the thread. It seems to duplicate part of the kernel docs. One thing which caught my eye:
kvm-intel.enable_ept=0
…
SUSE recommends to leave this enabled, but instead use the L1D cache flush and SMT mitigations.
According to kernel docs this gives maximum protection without having to disable SMT, i.e. it looks better performance-wise without security drawbacks. So why does SUSE recommend against it?
FWIW I tried using this option and also l1tf=full,force (in separate boots) but none of them changed anything - still vulnerable.
So did the microcode update occur?
How do I know? I don’t know if that is related but the initial line of dmesg shows:
[    0.000000] microcode: microcode updated early to revision 0x20, date = 2018-04-10
The CPU info shows the “flush_l1d” flag:
# lscpu | egrep "Model name:|Flags"
Model name: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm ida arat pln pts flush_l1d
# zypper se -si ucode-intel microcode
Loading repository data...
Reading installed packages...
S | Name | Type | Version | Arch | Repository
---+-------------+---------+----------------------+--------+--------------
i+ | ucode-intel | package | 20180807-lp150.2.7.1 | x86_64 | *Update (OSS)
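The two checks this thread turns on, the l1tf status string the kernel reports and the flush_l1d flag that shows the microcode is loaded, as an added shell example (not code from the thread, from SUSE or from the kernel); it assumes the status wording documented in the kernel's admin guide for l1tf, and the verdict text is my own:

```shell
#!/bin/sh
# Added example, not code from the thread: classify the L1TF status line from
# /sys/devices/system/cpu/vulnerabilities/l1tf and check a flags line for
# flush_l1d (present once the microcode adding the L1D flush MSR is loaded).
# Status wording is assumed to follow the kernel's admin-guide l1tf.rst.

# l1tf_verdict "<status line>"  -> prints "ok:|warn:|bad:|unknown: reason"
l1tf_verdict() {
    status=$1
    case $status in
        "Not affected")
            echo "ok: processor not affected" ;;
        "Mitigation: PTE Inversion")
            echo "ok: host mitigated, no VMX state reported (kvm_intel not loaded?)" ;;
        "Mitigation: PTE Inversion; VMX: "*)
            vmx=${status#*"VMX: "}           # e.g. "conditional cache flushes, SMT vulnerable"
            flush=${vmx%%", SMT "*}          # L1D flush mode on VM entry
            smt=${vmx#"$flush"}              # "", ", SMT vulnerable" or ", SMT disabled"
            case $flush in
                "EPT disabled"|"flush not necessary")
                    echo "ok: VMX: $flush, guests cannot mount L1TF" ;;
                "vulnerable")
                    echo "bad: L1D flush on VM entry is disabled" ;;
                "conditional cache flushes"|"cache flushes")
                    case $smt in
                        ", SMT disabled")
                            echo "ok: L1D $flush, SMT disabled" ;;
                        *)  echo "warn: L1D $flush but SMT enabled; an untrusted guest on a sibling thread can still read host L1D" ;;
                    esac ;;
                *)  echo "unknown: VMX state '$flush'" ;;
            esac ;;
        "Vulnerable"*)
            echo "bad: no PTE inversion, kernel lacks the L1TF fix" ;;
        *)  echo "unknown: $status" ;;
    esac
}

# has_flush_l1d "<Flags: ... line>"  -> exit 0 if the flush_l1d flag is present
has_flush_l1d() {
    case " ${1#*:} " in
        *" flush_l1d "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on this host (skipped where sysfs does not expose the file)
if [ -r /sys/devices/system/cpu/vulnerabilities/l1tf ]; then
    l1tf_verdict "$(cat /sys/devices/system/cpu/vulnerabilities/l1tf)"
    has_flush_l1d "$(grep -m1 '^flags' /proc/cpuinfo)" && echo "microcode: flush_l1d present" || echo "microcode: flush_l1d missing"
fi
```

A "warn" verdict is what a host with the L1D flush active but SMT still on reports; "SMT disabled" only appears after l1tf=full,force (or nosmt) has actually taken effect on the running kernel.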
BEFORE:
...
AFTER:
What did you do between before and after?
[QUOTE=malcolmlewis;2877933]
I see this popped up on the ML as well…
https://lists.opensuse.org/opensuse-factory/2018-08/msg00216.html
[/QUOTE]
I don’t have a swap partition. Does it still relate to me in any way?
ETA: Just found that Linus says that “[MAX_PA/2 worth of memory] is very unlikely to happen on real systems.” Strangely the dmesg line says that this is exactly the case (the system has 32GB of RAM, the maximum which the CPU and the MB support).