L1TF / Foreshadow Mitigations Land In Linux 4.18 / 4.17 / 4.14 / 4.9 / 4.4 Kernel Update
Linux stable maintainer Greg Kroah-Hartman has released new updates across the Linux 4.18, 4.17, 4.14, 4.9, and 4.4 kernel channels to address the recently exposed L1 Terminal Fault "L1TF" / Foreshadow Meltdown-like CPU vulnerability affecting Intel processors.
Linux 4.4.148, 4.9.120, 4.14.63, 4.17.15, and 4.18.1 are all out this morning with their principal changes in these patch releases being the inclusion of L1TF/Foreshadow mitigation. As covered already, the default behavior is to carry out conditional L1D flushes on VMENTER, but there are kernel knobs available for always forcing L1 cache flushes on VMENTER and the full protection of disabling SMP/HT support.
Yesterday I posted some very initial L1TF / Foreshadow impact benchmarks within a Linux KVM virtual machine instance while in the next day or two more tests will be published on Phoronix.
The L1TF/Foreshadow mitigation was posted back during the embargo lift on this vulnerability to Linux Git for the in-development 4.19 kernel cycle. These patches have also already been back-ported to various distribution kernels like those from Red Hat, Ubuntu, and SUSE.
For the most part the other changes in these point releases are very mundane and mostly the usual maintenance churn. The latest stable kernel releases are available as always from Kernel.org.
Linux 4.4.148, 4.9.120, 4.14.63, 4.17.15, and 4.18.1 are all out this morning with their principal changes in these patch releases being the inclusion of L1TF/Foreshadow mitigation. As covered already, the default behavior is to carry out conditional L1D flushes on VMENTER, but there are kernel knobs available for always forcing L1 cache flushes on VMENTER and the full protection of disabling SMP/HT support.
Yesterday I posted some very initial L1TF / Foreshadow impact benchmarks within a Linux KVM virtual machine instance while in the next day or two more tests will be published on Phoronix.
The L1TF/Foreshadow mitigation was posted back during the embargo lift on this vulnerability to Linux Git for the in-development 4.19 kernel cycle. These patches have also already been back-ported to various distribution kernels like those from Red Hat, Ubuntu, and SUSE.
For the most part the other changes in these point releases are very mundane and mostly the usual maintenance churn. The latest stable kernel releases are available as always from Kernel.org.
7 Comments