iTLB multihit vulnerability - force mitigation ignored

klmp · 2020-03-17 19:46:53

Hello,

Both

lscpu

and

/sys/devices/system/cpu/vulnerabilities/itlb_multihit

concur that my system is

KVM: Vulnerable

I have added

kvm.nx_huge_pages=force

to the kernel parameters from grub on startup, but this did not affect the output of

lscpu

Am I doing something wrong, or is this mitigation just not available for my HW? And if the latter is a possibility, how can I tell? I haven't been able to find any more info than the one in kernel.org

Thanks for your time.

schard · 2020-03-17 20:01:01

The kernel i.e. software mitigation does not change the fact, that your CPU, i.e. the hardware has this vulnerability.

loqs · 2020-03-17 20:05:29

The kvm module is not loaded which provides the mitigation but without the kvm module loaded KVM is not vulnerable as it is not usable.

Last edited by loqs (2020-03-17 21:08:49)

klmp · 2020-03-18 20:56:10

Thanks for the answers.

Did more digging, turns out my CPU (Intel Pentium B960) is not even able to use KVM. And of course, the kvm module is not loaded.

I would expect cpuinfo to list it as "Not vulnerable". Unless there is some other way to use this iTLB vulnerability that I am not aware of?

loqs · 2020-03-18 21:16:14

klmp wrote:

Unless there is some other way to use this iTLB vulnerability that I am not aware of?

Theoretically it is not limited to KVM use see multihit.

Arch Linux

#1 2020-03-17 19:46:53

iTLB multihit vulnerability - force mitigation ignored

#2 2020-03-17 20:01:01

Re: iTLB multihit vulnerability - force mitigation ignored

#3 2020-03-17 20:05:29

Re: iTLB multihit vulnerability - force mitigation ignored

#4 2020-03-18 20:56:10

Re: iTLB multihit vulnerability - force mitigation ignored

#5 2020-03-18 21:16:14

Re: iTLB multihit vulnerability - force mitigation ignored

Board footer