Linux 5.8 Set To Optionally Flush The L1d Cache On Context Switch To Increase Security

Written by Michael Larabel in Linux Security on 22 May 2020 at 07:49 AM EDT.
The Linux kernel patches that have been spearheaded by Amazon AWS engineers to optionally flush the L1 data cache on each context switch have now been queued in the x86/mm branch ahead of the upcoming Linux 5.8 kernel cycle.

This L1d cache flushing on context switches is being done in response to the various CPU security issues that have come to light in recent times, acknowledging that there are likely other yet-to-be-discovered vulnerabilities. Flushing the L1d cache on context switches helps prevent data from being snooped or leaked via side channels.

This flushing does address CVE-2020-0550 for snoop-assisted L1 data sampling, but the main emphasis seems to be on the "yet to be discovered vulnerabilities." Flushing the L1 data cache so frequently has big performance implications, and as such the documentation continues to refer to this capability as something for "paranoid" users.


This opt-in mechanism needs to be enabled by user-space applications via prctl() and will use any available CPU hardware mechanism for L1d flushing, otherwise falling back to a software flush. More details on this optional L1d flushing per context switch are in this earlier article.
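As an added illustration (not code from the article or from the patch series), here is how a task could opt in and read back its state. It assumes the prctl interface found in later mainline uapi headers, `PR_SET_SPECULATION_CTRL` with `PR_SPEC_L1D_FLUSH`; the patch revision described here may use different constants. The function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Assumption: value taken from later mainline <linux/prctl.h>; older headers lack it. */
#ifndef PR_SPEC_L1D_FLUSH
#define PR_SPEC_L1D_FLUSH 2
#endif

/* Decode a PR_GET_SPECULATION_CTRL result (negative on error) into a label. */
const char *l1d_flush_state(long r)
{
    if (r < 0)                     return "unsupported";
    if (r & PR_SPEC_FORCE_DISABLE) return "force-disabled";
    if (!(r & PR_SPEC_PRCTL))      return "not-controllable";
    if (r & PR_SPEC_ENABLE)        return "flush-enabled";
    return "flush-disabled";
}

/* Ask the kernel to flush L1d when this task is switched out; 0 or -errno. */
int l1d_flush_opt_in(void)
{
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH,
                 PR_SPEC_ENABLE, 0, 0) == 0 ? 0 : -errno;
}

/* Read back the per-task state so the caller can verify the opt-in took effect. */
long l1d_flush_query(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
}

int main(void)
{
    int rc = l1d_flush_opt_in();
    if (rc)
        fprintf(stderr, "opt-in refused: %s\n", strerror(-rc));
    printf("L1d flush state: %s\n", l1d_flush_state(l1d_flush_query()));
    return rc ? 1 : 0;
}
```

A sensitive process should treat a refused opt-in as a hard failure rather than continuing unprotected. In mainline kernels that ship this control, a task that opted in and is then scheduled on an SMT-enabled core is sent SIGBUS, so such tasks need their CPU affinity restricted accordingly.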

The patches are queued in the x86/mm (memory management) branch ahead of the Linux 5.8 kernel cycle, which is expected to open in early June, with the stable release likely in August. Besides this optional security feature, there is a lot more coming for Linux 5.8.