dlandon Posted January 24, 2019: I see this in my log: Jan 23 09:36:52 MediaServer kernel: L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. Seems to be related to Intel HyperThreading, cpu pinning in VMs, and a malicious VM guest. Here is the /sys/devices/system/cpu/vulnerabilities/l1tf file: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable I think this is a potential issue on Unraid.
limetech Posted January 24, 2019: This doc explains it, grab some coffee and some Tylenol for the upcoming headache: https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html My current understanding, this mainly affects the Cloud guys running multiple VMs belonging to customers. I will be moving this to the Security board soon.
dlandon Posted January 24, 2019: I only read a little bit and it did give me a headache.
dlandon Posted January 24, 2019: Maybe it's this simple. The option/parameter is "kvm-intel.vmentry_l1d_flush=always,cond,never". The parameter can be provided on the kernel command line, as a module parameter when loading the modules and at runtime modified via the sysfs file: /sys/module/kvm_intel/parameters/vmentry_l1d_flush The default is 'cond'. If 'l1tf=full,force' is given on the kernel command line, then 'always' is enforced and the kvm-intel.vmentry_l1d_flush module parameter is ignored and writes to the sysfs file are rejected. EDIT: Maybe as you said a non issue for Unraid because we are running trusted VMs.
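An added example (not code from this thread or from Unraid) that parses the sysfs line quoted in the first post and turns the flush-mode / SMT fields into a defender's verdict; the sample strings other than the thread's own are constructed following the wording in the kernel admin guide linked above.

```python
import re
from dataclasses import dataclass

# Constructed sample contents of /sys/devices/system/cpu/vulnerabilities/l1tf.
# "thread" is the line quoted in the first post; the rest follow the wording
# documented in the kernel's admin-guide/l1tf.html for the other states.
SAMPLES = {
    "thread":   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "smt_off":  "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "no_flush": "Mitigation: PTE Inversion; VMX: vulnerable",
    "no_kvm":   "Mitigation: PTE Inversion",
    "immune":   "Not affected",
}

L1TF_RE = re.compile(
    r"Mitigation: PTE Inversion"
    r"(?:; VMX: (?P<vmx>[^,]+)(?:, SMT (?P<smt>vulnerable|disabled))?)?"
)

@dataclass
class L1tfState:
    affected: bool
    vmx: str          # "conditional cache flushes", "cache flushes", "vulnerable" or "n/a"
    smt_active: bool  # True when the kernel reports "SMT vulnerable"

def parse_l1tf(text):
    """Parse one sysfs line into an L1tfState; raise on unknown wording."""
    text = text.strip()
    if text == "Not affected":
        return L1tfState(False, "n/a", False)
    m = L1TF_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised l1tf state: {text!r}")
    vmx, smt = m.group("vmx") or "n/a", m.group("smt")
    # The kernel prints "VMX: vulnerable" without an SMT field only when SMT is
    # on, so a missing field with flushing off still means SMT is active.
    return L1tfState(True, vmx, smt == "vulnerable" or (smt is None and vmx == "vulnerable"))

def assess(state):
    """Defender's verdict on what the reported state means for hosted VMs."""
    if not state.affected:
        return "not affected"
    if state.vmx == "n/a":
        return "host mitigated (PTE Inversion); no KVM/VMX state reported"
    if state.vmx not in ("conditional cache flushes", "cache flushes"):
        return f"L1D flush on VMENTER not active ({state.vmx}); consult the admin guide"
    if state.smt_active:
        return "L1D flush on VMENTER active, but SMT on: a sibling hyperthread can still leak"
    return "fully mitigated: L1D flush on VMENTER and SMT disabled"
```

On a live host, pass the contents of the sysfs file to parse_l1tf to get the same verdict for your own box.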
limetech Posted January 24, 2019: 11 minutes ago, dlandon said: "Maybe it's this simple." Good analysis. When looking at this last year I ran across something that said this had a pretty significant performance impact, I'll have to try and find that again. I remember thinking at the time, if someone cared about it they could add the kernel option.
dlandon Posted January 24, 2019: 22 minutes ago, limetech said: "Good analysis. When looking at this last year I ran across something that said this had a pretty significant performance impact, I'll have to try and find that again. I remember thinking at the time, if someone cared about it they could add the kernel option." As I read in the link you posted, that's about where my head exploded. Definitely not in my pay grade.
NAS Posted January 25, 2019: tl;dr to fully fix this Intel garbage users are going to pay a performance price. The price varies wildly based on user workloads and is basically impossible to predict, however I have been in conversations where some devops have seen insane edge-case performance drops. I would suggest the right way to do this is to fix it by default but document an opt out for those that want to accept the risk, because it is not possible for normal humans to really understand this beginning to end.
dlandon Posted January 25, 2019: This is recommended and is the way it is right now on Unraid: "The general recommendation is to enable L1D flush on VMENTER. The kernel defaults to conditional mode on affected processors." Maybe it is best to leave it alone. I don't know how you would communicate to a novice user what it means and why turn it on or off.
limetech Posted January 25, 2019: 6 hours ago, NAS said: "it is not possible for normal humans to really understand this beginning to end." * without getting a severe headache.
SiNtEnEl Posted January 28, 2019: I found this a good read: https://access.redhat.com/security/vulnerabilities/L1TF-perf