Loading Documentation/ABI/testing/sysfs-devices-system-cpu +24 −0 Original line number Diff line number Diff line Loading @@ -379,6 +379,7 @@ What: /sys/devices/system/cpu/vulnerabilities /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 /sys/devices/system/cpu/vulnerabilities/spec_store_bypass /sys/devices/system/cpu/vulnerabilities/l1tf Date: January 2018 Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> Description: Information about CPU vulnerabilities Loading @@ -390,3 +391,26 @@ Description: Information about CPU vulnerabilities "Not affected" CPU is not affected by the vulnerability "Vulnerable" CPU is affected and no mitigation in effect "Mitigation: $M" CPU is affected and mitigation $M is in effect Details about the l1tf file can be found in Documentation/admin-guide/l1tf.rst What: /sys/devices/system/cpu/smt /sys/devices/system/cpu/smt/active /sys/devices/system/cpu/smt/control Date: June 2018 Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> Description: Control Symetric Multi Threading (SMT) active: Tells whether SMT is active (enabled and siblings online) control: Read/write interface to control SMT. Possible values: "on" SMT is enabled "off" SMT is disabled "forceoff" SMT is force disabled. Cannot be changed. "notsupported" SMT is not supported by the CPU If control status is "forceoff" or "notsupported" writes are rejected. Documentation/admin-guide/index.rst +9 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,15 @@ etc. kernel-parameters devices This section describes CPU vulnerabilities and provides an overview of the possible mitigations along with guidance for selecting mitigations if they are configurable at compile, boot or run time. .. toctree:: :maxdepth: 1 l1tf Here is a set of documents aimed at users who are trying to track down problems and bugs in particular. Loading Documentation/admin-guide/kernel-parameters.txt +78 −0 Original line number Diff line number Diff line Loading @@ -1897,10 +1897,84 @@ (virtualized real and unpaged mode) on capable Intel chips. Default is 1 (enabled) kvm-intel.vmentry_l1d_flush=[KVM,Intel] Mitigation for L1 Terminal Fault CVE-2018-3620. Valid arguments: never, cond, always always: L1D cache flush on every VMENTER. cond: Flush L1D on VMENTER only when the code between VMEXIT and VMENTER can leak host memory. never: Disables the mitigation Default is cond (do L1 cache flush in specific instances) kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification feature (tagged TLBs) on capable Intel chips. Default is 1 (enabled) l1tf= [X86] Control mitigation of the L1TF vulnerability on affected CPUs The kernel PTE inversion protection is unconditionally enabled and cannot be disabled. full Provides all available mitigations for the L1TF vulnerability. Disables SMT and enables all mitigations in the hypervisors, i.e. unconditional L1D flush. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. full,force Same as 'full', but disables SMT and L1D flush runtime control. Implies the 'nosmt=force' command line option. (i.e. sysfs control of SMT is disabled.) flush Leaves SMT enabled and enables the default hypervisor mitigation, i.e. conditional L1D flush. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. flush,nosmt Disables SMT and enables the default hypervisor mitigation. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. flush,nowarn Same as 'flush', but hypervisors will not warn when a VM is started in a potentially insecure configuration. off Disables hypervisor mitigations and doesn't emit any warnings. Default is 'flush'. For details see: Documentation/admin-guide/l1tf.rst l2cr= [PPC] l3cr= [PPC] Loading Loading @@ -2604,6 +2678,10 @@ nosmt [KNL,S390] Disable symmetric multithreading (SMT). Equivalent to smt=1. [KNL,x86] Disable symmetric multithreading (SMT). nosmt=force: Force disable SMT, cannot be undone via the sysfs control file. nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 (indirect branch prediction) vulnerability. System may allow data leaks with this option, which is equivalent Loading Loading
Documentation/ABI/testing/sysfs-devices-system-cpu +24 −0 Original line number Diff line number Diff line Loading @@ -379,6 +379,7 @@ What: /sys/devices/system/cpu/vulnerabilities /sys/devices/system/cpu/vulnerabilities/spectre_v1 /sys/devices/system/cpu/vulnerabilities/spectre_v2 /sys/devices/system/cpu/vulnerabilities/spec_store_bypass /sys/devices/system/cpu/vulnerabilities/l1tf Date: January 2018 Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> Description: Information about CPU vulnerabilities Loading @@ -390,3 +391,26 @@ Description: Information about CPU vulnerabilities "Not affected" CPU is not affected by the vulnerability "Vulnerable" CPU is affected and no mitigation in effect "Mitigation: $M" CPU is affected and mitigation $M is in effect Details about the l1tf file can be found in Documentation/admin-guide/l1tf.rst What: /sys/devices/system/cpu/smt /sys/devices/system/cpu/smt/active /sys/devices/system/cpu/smt/control Date: June 2018 Contact: Linux kernel mailing list <linux-kernel@vger.kernel.org> Description: Control Symetric Multi Threading (SMT) active: Tells whether SMT is active (enabled and siblings online) control: Read/write interface to control SMT. Possible values: "on" SMT is enabled "off" SMT is disabled "forceoff" SMT is force disabled. Cannot be changed. "notsupported" SMT is not supported by the CPU If control status is "forceoff" or "notsupported" writes are rejected.
Documentation/admin-guide/index.rst +9 −0 Original line number Diff line number Diff line Loading @@ -17,6 +17,15 @@ etc. kernel-parameters devices This section describes CPU vulnerabilities and provides an overview of the possible mitigations along with guidance for selecting mitigations if they are configurable at compile, boot or run time. .. toctree:: :maxdepth: 1 l1tf Here is a set of documents aimed at users who are trying to track down problems and bugs in particular. Loading
Documentation/admin-guide/kernel-parameters.txt +78 −0 Original line number Diff line number Diff line Loading @@ -1897,10 +1897,84 @@ (virtualized real and unpaged mode) on capable Intel chips. Default is 1 (enabled) kvm-intel.vmentry_l1d_flush=[KVM,Intel] Mitigation for L1 Terminal Fault CVE-2018-3620. Valid arguments: never, cond, always always: L1D cache flush on every VMENTER. cond: Flush L1D on VMENTER only when the code between VMEXIT and VMENTER can leak host memory. never: Disables the mitigation Default is cond (do L1 cache flush in specific instances) kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification feature (tagged TLBs) on capable Intel chips. Default is 1 (enabled) l1tf= [X86] Control mitigation of the L1TF vulnerability on affected CPUs The kernel PTE inversion protection is unconditionally enabled and cannot be disabled. full Provides all available mitigations for the L1TF vulnerability. Disables SMT and enables all mitigations in the hypervisors, i.e. unconditional L1D flush. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. full,force Same as 'full', but disables SMT and L1D flush runtime control. Implies the 'nosmt=force' command line option. (i.e. sysfs control of SMT is disabled.) flush Leaves SMT enabled and enables the default hypervisor mitigation, i.e. conditional L1D flush. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. flush,nosmt Disables SMT and enables the default hypervisor mitigation. SMT control and L1D flush control via the sysfs interface is still possible after boot. Hypervisors will issue a warning when the first VM is started in a potentially insecure configuration, i.e. SMT enabled or L1D flush disabled. flush,nowarn Same as 'flush', but hypervisors will not warn when a VM is started in a potentially insecure configuration. off Disables hypervisor mitigations and doesn't emit any warnings. Default is 'flush'. For details see: Documentation/admin-guide/l1tf.rst l2cr= [PPC] l3cr= [PPC] Loading Loading @@ -2604,6 +2678,10 @@ nosmt [KNL,S390] Disable symmetric multithreading (SMT). Equivalent to smt=1. [KNL,x86] Disable symmetric multithreading (SMT). nosmt=force: Force disable SMT, cannot be undone via the sysfs control file. nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 (indirect branch prediction) vulnerability. System may allow data leaks with this option, which is equivalent Loading
