From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 12 Jul 2018 16:26:14 -0000
Received: from mx3-rdu2.redhat.com ([66.187.233.73] helo=mx1.redhat.com) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fdeQ0-0001Hv-Aw for speck@linutronix.de; Thu, 12 Jul 2018 18:26:12 +0200
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5C84D401C876 for ; Thu, 12 Jul 2018 16:26:06 +0000 (UTC)
Received: from treble (ovpn-120-114.rdu2.redhat.com [10.10.120.114]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 368822156889 for ; Thu, 12 Jul 2018 16:26:06 +0000 (UTC)
Date: Thu, 12 Jul 2018 11:26:04 -0500
From: Josh Poimboeuf
Subject: [MODERATED] Re: [patch V10 10/10] Control knobs and Documentation 10
Message-ID: <20180712162604.ml3ptargyjd7i5n2@treble>
References: <20180712141902.576562442@linutronix.de> <20180712142957.791282859@linutronix.de> <20180712161330.liz4cdyulklhpvxc@treble>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180712161330.liz4cdyulklhpvxc@treble>
To: speck@linutronix.de
List-ID:

On Thu, Jul 12, 2018 at 11:13:30AM -0500, Josh Poimboeuf wrote:
> > +Mitigation control on the kernel command line > > +--------------------------------------------- > > + > > +The kernel command line allows to control the L1TF mitigations at boot > > +time with the option "l1tf=". The valid arguments for this option are: > > + > > + ============ =================================================== > > + full Provides all available mitigations for the L1TF > > + vulnerability. Disables SMT and enables all mitigations in > > + the hypervisors. 
> > + > > + SMT control and L1D flush control via the sysfs interface > > + is still possible after boot. Hypervisors will issue a > > + warning when the first VM is started in a potentially > > + insecure configuration, i.e. SMT enabled or L1D flush > > + disabled. > > + > > + full,force Same as 'full', but disables SMT and L1D flush runtime > > + control. Implies the 'nosmt=force' command line option. > > + (i.e. sysfs control of SMT is disabled.) > > + > > + flush Leaves SMT enabled and enables the default hypervisor > > + mitigation. > > + > > + SMT control and L1D flush control via the sysfs interface > > + is still possible after boot. Hypervisors will issue a > > + warning when the first VM is started in a potentially > > + insecure configuration, i.e. SMT enabled or L1D flush > > + disabled.
>
> The difference between 'flush' and 'full' is quite vague here (and in
> kernel-parameters.txt). It might be a good idea to give a little more
> detail.

I meant to say between 'flush,nosmt' and 'full'...

-- 
Josh
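Review bot: the 'flush' entry describes its hypervisor side only as "enables the default hypervisor mitigation", while 'full' says "enables all mitigations in the hypervisors"; the table should name the L1D flush mode each option actually selects so a reader can tell whether the two differ in anything other than SMT. The 'flush' entry also says SMT is left enabled and, in its next paragraph, that hypervisors warn when the first VM starts with "SMT enabled", so the warning fires under that option's documented default; say so explicitly, or narrow the warning sentence for that entry. Finally, the "SMT control and L1D flush control via the sysfs interface is still possible after boot" paragraph is repeated verbatim under both 'full' and 'flush'; stating it once outside the table would shorten both entries.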