L1TF Mitigation

The L1 Terminal Fault is an Intel x86 processor vulnerability that allows unprivileged access to the Level 1 Data Cache under certain conditions and can potentially enable hackers to bypass restrictions and gain access to the memory of running virtual machines (VMs) in a multi-tenant cloud environment. This topic provides information about mitigation modes that are available in Cloudistics for the L1TF vulnerability. It also provides instructions for viewing the mitigation status in the Cloudistics Ignite management portal, as well as changing the mitigation mode via command line, if needed.

Mitigation Modes in Cloudistics

Cloudistics includes an updated Red Hat kernel (3.10.0-862.20.2.el7.x86_64) in the latest release. Cloudistics provides the following L1TF mitigation modes as recommended by Red Hat:

  • Full - Addresses all L1TF vulnerabilities by flushing the Level 1 Data Cache and turning off Intel hyperthreading. WARNING: This mode can have a high performance impact.
  • Partial - Flushes the Level 1 Data Cache on all context switches from the hypervisor to a guest VM. Hyperthreading is enabled. This mode reduces the attack surface but does not fully prevent leaking of information. It prevents any guest OS from attacking the hypervisor, but it does not prevent a guest OS from attacking another running on the same hypervisor. This mode has a medium performance impact.
  • Disabled - No mitigation is applied. This mode has no performance impact. WARNING: Vulnerability is increased if untrusted workloads are running.
NOTE

For L1TF mitigation support, you must be running Cloudistics version 4.0.2 or later. When the platform is updated to 4.0.2, the L1TF mitigation mode is set to Full by default.

Considerations for Applying the L1TF Mitigation Modes

This Full mode disables the Intel hyperthreading feature and reduces the effective CPU core count by half. For this mode, you should ensure you have enough cores to adequately run existing workloads.

If you decide to apply the PARTIAL mode, which does not disable hyperthreading, you should protect your environment as much as possible by patching all running VMs to the latest level.

Or, you could leave the mitigation mode at FULL and add more compute nodes to make up for the lost CPU core counts, and then pick and choose your protection mode on a per hypervisor basis.

L1TF Mitigation Mode Commands

The following commands are available for the L1TF mitigation modes.

To determine the L1TF mitigation mode, log on to the hypervisor as manager and enter the following command:

# cldtx_get_l1tf_mitigation

For example:

[[email protected]]# cldtx_get_l1tf_mitigation
FULL

To change the mitigation mode, enter the following command:

# sudo cldtx_set_l1tf_mitigation -s <FULL|PARTIAL|DISABLED>

For example:

[[email protected]]# cldtx_set_l1tf_mitigation -s PARTIAL
Setting l1tf_mitigation to PARTIAL and restarting Compute Controller

View the L1TF Mitigation Mode in the UI

You can view the mitigation mode of a compute node in the Cloudistics Ignite management portal.

  1. In the Cloudistics Ignite management portal, in the left navigation menu, under Resources, click Nodes.
  2. On the Nodes page, select the node for which you want to view information. The details page for that node opens.
  3. Click the Information tab to view the mitigation status of the node as shown below.

L1TF Mitigation Status for a Node

Previous

Next

Still need help?

Submit a request