L1TF = L1 Terminal Fault
Should we set the l1tf kernel boot parameter?
[X86] Control mitigation of the L1TF vulnerability on affected CPUs
- linux kernel - L1D unconditional flushing should be enabled to fully mitigate the vulnerability (CVE-2018-3646) - Unix & Linux Stack Exchange
- L1TF - L1 Terminal Fault — The Linux Kernel documentation
Need to make sure this doesn't break any virtualizer on the host or any guest VMs.
This is because currently our security-misc config passes
sudo spectre-meltdown-checker ; echo $?
but fails
sudo spectre-meltdown-checker --paranoid ; echo $?
due to
STATUS: VULNERABLE (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)
Setting the kernel boot parameter l1tf=full,force fixes that.
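Added example (not part of this post and not security-misc code): a small POSIX sh check that reads what the kernel itself reports for L1TF and tells you whether the hypervisor side is fully mitigated, i.e. unconditional L1D flush on VMENTER plus SMT disabled, which is the condition the --paranoid run above complains about. It reads the real sysfs entry /sys/devices/system/cpu/vulnerabilities/l1tf and /proc/cmdline; the status strings it matches ("Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled" and friends) and the per-value summaries of l1tf= are taken from the kernel's L1TF and kernel-parameters documentation. The function and variable names are mine.

```shell
#!/bin/sh
# Added example: report whether L1TF is fully mitigated on this host.
# "Fully" means the VMX part shows "cache flushes" (unconditional L1D flush,
# not "conditional cache flushes") and "SMT disabled", which is what
# l1tf=full or l1tf=full,force produce. Paths are the kernel's real sysfs
# and procfs entries; function names are this example's own.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_SYSFS=/sys/devices/system/cpu/smt/control

# l1tf_fully_mitigated STATUS
# Takes the sysfs status line as an argument (so it can be tested offline)
# and returns 0 for full mitigation, 1 otherwise. Example lines from the
# kernel documentation:
#   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
#   "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled"
l1tf_fully_mitigated() {
    case $1 in
        "Not affected")
            return 0 ;;
        *"VMX: cache flushes, SMT disabled"*)
            return 0 ;;
        *)
            # Covers "conditional cache flushes", "SMT vulnerable",
            # "VMX: vulnerable", and a plain "Mitigation: PTE Inversion"
            # (no VMX part at all, e.g. inside a guest without nested VMX).
            return 1 ;;
    esac
}

# l1tf_cmdline_mode CMDLINE
# Prints the value of the last l1tf= option on CMDLINE (the kernel honours
# the last occurrence) or "default" when none is given.
l1tf_cmdline_mode() {
    mode=default
    for word in $1; do
        case $word in
            l1tf=*) mode=${word#l1tf=} ;;
        esac
    done
    printf '%s\n' "$mode"
}

# describe_mode VALUE
# One-line summary of what each l1tf= value enables, per kernel-parameters.txt.
describe_mode() {
    case $1 in
        full)        echo "unconditional L1D flush, SMT disabled, runtime control kept" ;;
        full,force)  echo "unconditional L1D flush, SMT disabled, runtime control removed (implies nosmt=force)" ;;
        flush,nosmt) echo "conditional L1D flush, SMT disabled" ;;
        flush|flush,nowarn|default)
                     echo "conditional L1D flush, SMT left enabled (kernel default is flush)" ;;
        off)         echo "no hypervisor mitigation, no warnings" ;;
        *)           echo "unknown l1tf= value: $1" ;;
    esac
}

# main: live check against this host. Exit status 0 = fully mitigated,
# 1 = not fully mitigated, 2 = no L1TF sysfs entry (not x86 or old kernel).
main() {
    [ -r "$L1TF_SYSFS" ] || { echo "no L1TF sysfs entry: $L1TF_SYSFS" >&2; return 2; }
    status=$(cat "$L1TF_SYSFS")
    mode=$(l1tf_cmdline_mode "$(cat /proc/cmdline)")
    echo "l1tf status : $status"
    echo "l1tf= option: $mode ($(describe_mode "$mode"))"
    [ -r "$SMT_SYSFS" ] && echo "SMT control : $(cat "$SMT_SYSFS")"
    if l1tf_fully_mitigated "$status"; then
        echo "RESULT: fully mitigated"
    else
        echo "RESULT: NOT fully mitigated (needs unconditional L1D flush and SMT off)"
        return 1
    fi
}

# Run the live check only where the sysfs entry exists; the functions above
# stay usable on their own elsewhere.
if [ -r "$L1TF_SYSFS" ]; then
    main "$@" || echo "exit status: $?"
fi
```

Two things to keep in mind when reading the result. Inside a guest that has no VMX exposed, the sysfs line is just "Mitigation: PTE Inversion" with no VMX part, so the check reports "not fully mitigated" there; the L1D flush and SMT state are the host's job, and the guest has nothing to set. On the host, l1tf=full,force not only halves the usable thread count by disabling SMT but also removes the sysfs runtime control for SMT and the L1D flush (it implies nosmt=force), whereas plain l1tf=full keeps that control available after boot.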