1*b7fe54f6SBalbir SinghL1D Flushing 2*b7fe54f6SBalbir Singh============ 3*b7fe54f6SBalbir Singh 4*b7fe54f6SBalbir SinghWith an increasing number of vulnerabilities being reported around data 5*b7fe54f6SBalbir Singhleaks from the Level 1 Data cache (L1D) the kernel provides an opt-in 6*b7fe54f6SBalbir Singhmechanism to flush the L1D cache on context switch. 7*b7fe54f6SBalbir Singh 8*b7fe54f6SBalbir SinghThis mechanism can be used to address e.g. CVE-2020-0550. For applications 9*b7fe54f6SBalbir Singhthe mechanism keeps them safe from vulnerabilities, related to leaks 10*b7fe54f6SBalbir Singh(snooping of) from the L1D cache. 11*b7fe54f6SBalbir Singh 12*b7fe54f6SBalbir Singh 13*b7fe54f6SBalbir SinghRelated CVEs 14*b7fe54f6SBalbir Singh------------ 15*b7fe54f6SBalbir SinghThe following CVEs can be addressed by this 16*b7fe54f6SBalbir Singhmechanism 17*b7fe54f6SBalbir Singh 18*b7fe54f6SBalbir Singh ============= ======================== ================== 19*b7fe54f6SBalbir Singh CVE-2020-0550 Improper Data Forwarding OS related aspects 20*b7fe54f6SBalbir Singh ============= ======================== ================== 21*b7fe54f6SBalbir Singh 22*b7fe54f6SBalbir SinghUsage Guidelines 23*b7fe54f6SBalbir Singh---------------- 24*b7fe54f6SBalbir Singh 25*b7fe54f6SBalbir SinghPlease see document: :ref:`Documentation/userspace-api/spec_ctrl.rst 26*b7fe54f6SBalbir Singh<set_spec_ctrl>` for details. 27*b7fe54f6SBalbir Singh 28*b7fe54f6SBalbir Singh**NOTE**: The feature is disabled by default, applications need to 29*b7fe54f6SBalbir Singhspecifically opt into the feature to enable it. 30*b7fe54f6SBalbir Singh 31*b7fe54f6SBalbir SinghMitigation 32*b7fe54f6SBalbir Singh---------- 33*b7fe54f6SBalbir Singh 34*b7fe54f6SBalbir SinghWhen PR_SET_L1D_FLUSH is enabled for a task a flush of the L1D cache is 35*b7fe54f6SBalbir Singhperformed when the task is scheduled out and the incoming task belongs to a 36*b7fe54f6SBalbir Singhdifferent process and therefore to a different address space. 37*b7fe54f6SBalbir Singh 38*b7fe54f6SBalbir SinghIf the underlying CPU supports L1D flushing in hardware, the hardware 39*b7fe54f6SBalbir Singhmechanism is used, software fallback for the mitigation, is not supported. 40*b7fe54f6SBalbir Singh 41*b7fe54f6SBalbir SinghMitigation control on the kernel command line 42*b7fe54f6SBalbir Singh--------------------------------------------- 43*b7fe54f6SBalbir Singh 44*b7fe54f6SBalbir SinghThe kernel command line allows to control the L1D flush mitigations at boot 45*b7fe54f6SBalbir Singhtime with the option "l1d_flush=". The valid arguments for this option are: 46*b7fe54f6SBalbir Singh 47*b7fe54f6SBalbir Singh ============ ============================================================= 48*b7fe54f6SBalbir Singh on Enables the prctl interface, applications trying to use 49*b7fe54f6SBalbir Singh the prctl() will fail with an error if l1d_flush is not 50*b7fe54f6SBalbir Singh enabled 51*b7fe54f6SBalbir Singh ============ ============================================================= 52*b7fe54f6SBalbir Singh 53*b7fe54f6SBalbir SinghBy default the mechanism is disabled. 54*b7fe54f6SBalbir Singh 55*b7fe54f6SBalbir SinghLimitations 56*b7fe54f6SBalbir Singh----------- 57*b7fe54f6SBalbir Singh 58*b7fe54f6SBalbir SinghThe mechanism does not mitigate L1D data leaks between tasks belonging to 59*b7fe54f6SBalbir Singhdifferent processes which are concurrently executing on sibling threads of 60*b7fe54f6SBalbir Singha physical CPU core when SMT is enabled on the system. 61*b7fe54f6SBalbir Singh 62*b7fe54f6SBalbir SinghThis can be addressed by controlled placement of processes on physical CPU 63*b7fe54f6SBalbir Singhcores or by disabling SMT. See the relevant chapter in the L1TF mitigation 64*b7fe54f6SBalbir Singhdocument: :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`. 65*b7fe54f6SBalbir Singh 66*b7fe54f6SBalbir Singh**NOTE** : The opt-in of a task for L1D flushing works only when the task's 67*b7fe54f6SBalbir Singhaffinity is limited to cores running in non-SMT mode. If a task which 68*b7fe54f6SBalbir Singhrequested L1D flushing is scheduled on a SMT-enabled core the kernel sends 69*b7fe54f6SBalbir Singha SIGBUS to the task. 70