January 24, 20197 yr I see this in my log: Jan 23 09:36:52 MediaServer kernel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. Seems to be related to Intel HyperThreading, cpu pinning in VMs, and a malicious VM guest. Here is the /sys/devices/system/cpu/vulnerabilities/l1tf file: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable I think this is a potential issue on Unraid.
January 24, 20197 yr This doc explains it, grab some coffee and some Tylenol for upcoming headache: https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html My current understaning, this mainly affects the Cloud guys running multiple VM's belonging to customers. I will be moving this to the Security board soon.
January 24, 20197 yr Author Maybe it's this simple. The option/parameter is “kvm-intel.vmentry_l1d_flush=always,cond,never”. The parameter can be provided on the kernel command line, as a module parameter when loading the modules and at runtime modified via the sysfs file: /sys/module/kvm_intel/parameters/vmentry_l1d_flush The default is ‘cond’. If ‘l1tf=full,force’ is given on the kernel command line, then ‘always’ is enforced and the kvm-intel.vmentry_l1d_flush module parameter is ignored and writes to the sysfs file are rejected. EDIT: Maybe as you said a non issue for Unraid because we are running trusted VMs. Edited January 24, 20197 yr by dlandon
January 24, 20197 yr 11 minutes ago, dlandon said: Maybe it's this simple. Good analysis. When looking at this last year I ran across something that said this had a pretty significant performance impact, I'll have to try and find that again. I remember thinking at the time, if someone cared about it they could add the kernel option.
January 24, 20197 yr Author 22 minutes ago, limetech said: Good analysis. When looking at this last year I ran across something that said this had a pretty significant performance impact, I'll have to try and find that again. I remember thinking at the time, if someone cared about it they could add the kernel option. A I read in the link you posted, that's about where my head exploded. Definitely not in my pay grade.
January 25, 20197 yr tl;dr to fully fix this Intel garbage users are going to pay a performance price. The price varies wildly based on user workloads and is basically impossible to predict however I have been in conversation where some devops have seen insane edge cases performance drops. I would suggest the right way to do this is to fix it by default but document an opt out for those that want to accept the risk because it is not possible for normal humans to really understand this beginning to end.
January 25, 20197 yr Author This is recommended and is the way it is right now on Unraid: "The general recommendation is to enable L1D flush on VMENTER. The kernel defaults to conditional mode on affected processors." Maybe it is best to leave it alone. I don't know how you would communicate to a novice user what it means and why turn it on or off.
January 25, 20197 yr 6 hours ago, NAS said: it is not possible for normal humans to really understand this beginning to end. * without getting a severe headache.
January 28, 20197 yr I found this a good read: https://access.redhat.com/security/vulnerabilities/L1TF-perf
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.