• J
    x86/bugs, kvm: Introduce boot-time control of L1TF mitigations · d90a7a0e
    Jiri Kosina 提交于
    Introduce the 'l1tf=' kernel command line option to allow for boot-time
    switching of mitigation that is used on processors affected by L1TF.
    
    The possible values are:
    
      full
    	Provides all available mitigations for the L1TF vulnerability. Disables
    	SMT and enables all mitigations in the hypervisors. SMT control via
    	/sys/devices/system/cpu/smt/control is still possible after boot.
    	Hypervisors will issue a warning when the first VM is started in
    	a potentially insecure configuration, i.e. SMT enabled or L1D flush
    	disabled.
    
      full,force
    	Same as 'full', but disables SMT control. Implies the 'nosmt=force'
    	command line option. sysfs control of SMT and the hypervisor flush
    	control is disabled.
    
      flush
    	Leaves SMT enabled and enables the conditional hypervisor mitigation.
    	Hypervisors will issue a warning when the first VM is started in a
    	potentially insecure configuration, i.e. SMT enabled or L1D flush
    	disabled.
    
      flush,nosmt
    	Disables SMT and enables the conditional hypervisor mitigation. SMT
    	control via /sys/devices/system/cpu/smt/control is still possible
    	after boot. If SMT is reenabled or flushing disabled at runtime
    	hypervisors will issue a warning.
    
      flush,nowarn
    	Same as 'flush', but hypervisors will not warn when
    	a VM is started in a potentially insecure configuration.
    
      off
    	Disables hypervisor mitigations and doesn't emit any warnings.
    
    Default is 'flush'.
    
    Let KVM adhere to these semantics, which means:
    
      - 'lt1f=full,force'	: Performe L1D flushes. No runtime control
        			  possible.
    
      - 'l1tf=full'
      - 'l1tf-flush'
      - 'l1tf=flush,nosmt'	: Perform L1D flushes and warn on VM start if
    			  SMT has been runtime enabled or L1D flushing
    			  has been run-time enabled
    			  
      - 'l1tf=flush,nowarn'	: Perform L1D flushes and no warnings are emitted.
      
      - 'l1tf=off'		: L1D flushes are not performed and no warnings
    			  are emitted.
    
    KVM can always override the L1D flushing behavior using its 'vmentry_l1d_flush'
    module parameter except when lt1f=full,force is set.
    
    This makes KVM's private 'nosmt' option redundant, and as it is a bit
    non-systematic anyway (this is something to control globally, not on
    hypervisor level), remove that option.
    
    Add the missing Documentation entry for the l1tf vulnerability sysfs file
    while at it.
    Signed-off-by: NJiri Kosina <jkosina@suse.cz>
    Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
    Tested-by: NJiri Kosina <jkosina@suse.cz>
    Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reviewed-by: NJosh Poimboeuf <jpoimboe@redhat.com>
    Link: https://lkml.kernel.org/r/20180713142323.202758176@linutronix.de
    d90a7a0e
sysfs-devices-system-cpu 19.1 KB