From Intel's advisory:

CVE-2018-3615 - L1 Terminal Fault: SGX
Systems with microprocessors utilizing speculative execution and Intel® software guard extensions (Intel® SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

CVE-2018-3620 - L1 Terminal Fault: OS/SMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.

CVE-2018-3646 - L1 Terminal Fault: VMM
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

The Linux admin-guide has been updated, and now contains a section describing the ensuing mitigations:

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

In particular, it states that the default mitigations will be as follows:

* PTE inversion to protect against malicious user space
* L1D conditional flushing on VMENTER when EPT is enabled for a guest

The stable patch queues for 4.4, 4.9, 4.14 and 4.17 contain a relevant patch series, indicating that the above-mentioned mitigations will land in 4.4.148, 4.9.120, 4.14.63 and 4.17.15.

I have briefly tested the patch series from the 4.14 queue and confirmed that PTE inversion - at least - is in effect:

  # cd /sys/devices/system/cpu/vulnerabilities
  # grep . *
  l1tf:Mitigation: PTE Inversion
  meltdown:Mitigation: PTI
  spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
  spectre_v1:Mitigation: __user pointer sanitization
  spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
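As an added example (not part of the bug report or of genpatches), a small POSIX shell helper that classifies the l1tf line the kernel exposes under /sys/devices/system/cpu/vulnerabilities and checks a kernel release string against the stable versions named above; the function names are my own, and the embedded sample line is constructed from the output quoted in the comment.

```shell
# Added example, not from the bug report: classify the kernel's l1tf sysfs
# line and check a kernel release against the fixed stable versions above.
# Function names are my own; the sample line is constructed from the comment.
SAMPLE_L1TF_LINE="Mitigation: PTE Inversion"

# Map one l1tf line from /sys/devices/system/cpu/vulnerabilities to a
# one-word status ("Not affected", "Mitigation: ...", "Vulnerable..." are
# the forms the kernel prints).
l1tf_status() {
    case "$1" in
        "Not affected") echo "not_affected" ;;
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "vulnerable" ;;
        *)              echo "unknown" ;;
    esac
}

# First stable release of each series carrying the mitigations, as listed
# in the report; an empty result means the series is not tracked here.
l1tf_min_patch() {
    case "$1" in
        4.4)  echo 148 ;;
        4.9)  echo 120 ;;
        4.14) echo 63 ;;
        4.17) echo 15 ;;
        *)    echo "" ;;
    esac
}

# kernel_has_l1tf_fix "4.14.62-gentoo" -> yes | no | unknown
kernel_has_l1tf_fix() {
    ver=${1%%-*}                          # drop "-gentoo", "-rc1" etc.
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "4.14" with no patch level
    patch=${patch%%[!0-9]*}               # keep leading digits only
    min=$(l1tf_min_patch "$major.$minor")
    if [ -z "$min" ]; then echo unknown
    elif [ "${patch:-0}" -ge "$min" ]; then echo yes
    else echo no
    fi
}

# Read the live sysfs file when present, else use the constructed sample.
l1tf_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ -r "$dir/l1tf" ]; then line=$(cat "$dir/l1tf"); else line=$SAMPLE_L1TF_LINE; fi
    printf 'l1tf: %s -> %s\n' "$line" "$(l1tf_status "$line")"
}
```

Run `l1tf_report` on a patched host to see the live line; `kernel_has_l1tf_fix "$(uname -r)"` only answers for the four series the report tracks and prints `unknown` for any other.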
More information ...

* https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=958f338
* http://seclists.org/oss-sec/2018/q3/113 (Xen)
* https://blogs.oracle.com/oraclesecurity/intel-l1tf (Oracle)
* https://blogs.technet.microsoft.com/srd/2018/08/14/analysis-and-mitigation-of-l1-terminal-fault-l1tf/ (Microsoft)
* https://youtu.be/n_pa2AisRUs (Intel)
* https://youtu.be/kqg8_KH2OIQ (Red Hat)

The Oracle article states:

"Intel reports that the microcode update it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF."
Re-assigning to security@ because this isn't a kernel vulnerability per se.
4.4.148, 4.9.120, 4.14.63 and 4.17.15 have been released. It was subsequently discovered that a build error occurs if CONFIG_KVM_INTEL is disabled. Therefore, genpatches would need to include the attached patch, which will land in the next round of stable releases.
Created attachment 543604: x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e74c1453a18c20a8b8018b20a28cb4924440a08c

commit e74c1453a18c20a8b8018b20a28cb4924440a08c
Author:     kuzetsa <kuzetsa@gmail.com>
AuthorDate: 2018-08-16 23:51:13 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-08-20 23:37:11 +0000

    sys-kernel/ck-sources: genpatches-4.14-69

    Bug: https://bugs.gentoo.org/663656
    Bug: https://bugs.gentoo.org/663744
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-kernel/ck-sources/Manifest                   |  4 ++
 sys-kernel/ck-sources/ck-sources-4.14.63.ebuild  | 64 +++++++++++++++++++++++++
 2 files changed, 68 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f4ed7e4177dd3833429379205e3ffed37c8d2c6

commit 0f4ed7e4177dd3833429379205e3ffed37c8d2c6
Author:     kuzetsa <kuzetsa@gmail.com>
AuthorDate: 2018-08-16 23:49:00 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-08-20 23:37:07 +0000

    sys-kernel/ck-sources: genpatches-4.9-124

    Bug: https://bugs.gentoo.org/663656
    Bug: https://bugs.gentoo.org/663744
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 sys-kernel/ck-sources/Manifest                   |  3 ++
 sys-kernel/ck-sources/ck-sources-4.9.120.ebuild  | 59 +++++++++++++++++++++++++
 2 files changed, 62 insertions(+)