summaryrefslogtreecommitdiff
path: root/Documentation/admin-guide/kernel-parameters.txt
diff options
context:
space:
mode:
authorKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>2018-07-02 12:29:30 +0200
committerThomas Gleixner <tglx@linutronix.de>2018-07-04 20:49:38 +0200
commita399477e52c17e148746d3ce9a483f681c2aa9a0 (patch)
treef1074f72a1cff9797b246f740ff790130e834cdb /Documentation/admin-guide/kernel-parameters.txt
parent26acfb666a473d960f0fd971fe68f3e3ad16c70b (diff)
downloadlwn-a399477e52c17e148746d3ce9a483f681c2aa9a0.tar.gz
lwn-a399477e52c17e148746d3ce9a483f681c2aa9a0.zip
x86/KVM/VMX: Add module argument for L1TF mitigation
Add a mitigation mode parameter "vmentry_l1d_flush" for CVE-2018-3620, aka L1 terminal fault. The valid arguments are: - "always" L1D cache flush on every VMENTER. - "cond" Conditional L1D cache flush, explained below - "never" Disable the L1D cache flush mitigation "cond" is trying to avoid L1D cache flushes on VMENTER if the code executed between VMEXIT and VMENTER is considered safe, i.e. is not bringing any interesting information into L1D which might exploited. [ tglx: Split out from a larger patch ] Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'Documentation/admin-guide/kernel-parameters.txt')
-rw-r--r--Documentation/admin-guide/kernel-parameters.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 298f1b38dc89..4f790566ad91 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1973,6 +1973,18 @@
(virtualized real and unpaged mode) on capable
Intel chips. Default is 1 (enabled)
+ kvm-intel.vmentry_l1d_flush=[KVM,Intel] Mitigation for L1 Terminal Fault
+ CVE-2018-3620.
+
+ Valid arguments: never, cond, always
+
+ always: L1D cache flush on every VMENTER.
+ cond: Flush L1D on VMENTER only when the code between
+ VMEXIT and VMENTER can leak host memory.
+ never: Disables the mitigation
+
+ Default is cond (do L1 cache flush in specific instances)
+
kvm-intel.vpid= [KVM,Intel] Disable Virtual Processor Identification
feature (tagged TLBs) on capable Intel chips.
Default is 1 (enabled)