From: Paolo Bonzini <pbonzini@redhat.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH] NX documentation
Date: Sat, 2 Nov 2019 10:12:03 +0100
Message-ID: <c6b9cd9a-2d36-84dd-8e3e-8eddd2c38c0d@redhat.com>
In-Reply-To: <20191102011217.GA4934@guptapadev.amr>
Thanks, queued with these fixes on top. I'll be sending v9 shortly.
diff --git a/Documentation/admin-guide/hw-vuln/multihit.rst b/Documentation/admin-guide/hw-vuln/multihit.rst
index c2c9cef23e20..26e478a3570f 100644
--- a/Documentation/admin-guide/hw-vuln/multihit.rst
+++ b/Documentation/admin-guide/hw-vuln/multihit.rst
@@ -1,8 +1,9 @@
iTLB multihit
=============
+
iTLB multihit is an erratum where some processors may incur a machine check
-error possibly resulting in an unrecoverable cpu hang when an instruction fetch
-encounters a TLB multi-hit in the instruction TLB. This can occur when the page
+error, possibly resulting in an unrecoverable CPU hang, when an instruction fetch
+hits multiple entries in the instruction TLB. This can occur when the page
size is changed along with either the physical address or cache type. A
malicious guest running on a virtualized system can exploit this erratum to
perform a denial of service attack.
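Review bot: The added line "error, possibly resulting in an unrecoverable CPU hang, when an instruction fetch" is 81 columns wide, one past the 80-column wrap the neighbouring lines keep to; moving "fetch" down and reflowing the paragraph fixes it. The rewording also removes "TLB multi-hit" from this paragraph, so the opening sentence no longer ties the section title to the condition it names. Something like "hits multiple entries in the instruction TLB (a TLB multi-hit)" would keep that link.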
@@ -14,6 +15,8 @@ Affected processors
Variations of this erratum are present on most Intel Core and Xeon processor
models. The erratum is not present on:
+ - non-Intel processors
+
- Some Atoms (Airmont, Bonnell, Goldmont, GoldmontPlus, Saltwell, Silvermont)
- Intel processors that have the PSCHANGE_MC_NO bit set in the
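Review bot: The new list item "non-Intel processors" starts in lower case while the two items after it ("Some Atoms ...", "Intel processors that have ...") start with a capital; "Non-Intel processors" would match. Since the sentence introducing the list is about "most Intel Core and Xeon processor models", it may also read better to put the non-Intel statement in that sentence and keep the list for Intel parts that are exempt.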
@@ -97,7 +100,8 @@ and will be set on CPU's which are mitigated against this issue.
Mitigation mechanism
-------------------------
-This erratum can be mitigated by restricting the use of large pages.
+This erratum can be mitigated by restricting the use of large page sizes to
+non-executable pages.
Mitigation control on the kernel command line and KVM - module parameter
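Review bot: The new sentence under "Mitigation mechanism" says large page sizes are restricted to non-executable pages but stops short of the consequence that makes this a mitigation: executable mappings then use only the smallest page size, so the instruction TLB cannot hold entries of differing sizes for one address. One more sentence stating that, and noting that an administrator should expect a performance cost from the loss of executable large pages, would make the section self-contained.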
@@ -120,7 +124,8 @@ The valid arguments for these options are:
off Mitigation is disabled.
- auto Enable mitigation only if the platform is affected.
+ auto Enable mitigation only if the platform is affected and the kernel
+ was not booted with the "mitigations=off" command line parameter.
========== ================================================================
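Review bot: In the "auto" row, the added continuation line ("was not booted with the "mitigations=off" command line parameter.") has to begin in the second column of the simple table closed by the "==========" border, with the first column left blank; text that starts left of that column makes docutils reject the table. The row now documents how "auto" interacts with "mitigations=off", so it would help to say in the same table whether an explicit "force" overrides "mitigations=off" as well.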
@@ -143,5 +148,5 @@ Mitigation selection guide
3. Virtualization with untrusted guests
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If the guest comes from an untrusted source, the guest host kernel will need
- to apply the iTLB multihit mitigation via the kernel command line or kvm
+ to apply iTLB multihit mitigation via the kernel command line or kvm
module parameter.
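Review bot: The changed line drops the article but leaves "the guest host kernel" on the context line just above it, which reads as if the guest applies the mitigation; the erratum is mitigated by the host, so "the host kernel" is the clearer wording while this sentence is being touched. "kvm module parameter" is also lower case here while the section heading earlier in the patch writes "KVM"; pick one spelling.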
Thread overview: 2+ messages
2019-11-02 1:12 [MODERATED] [PATCH] NX documentation Nelson D'Souza
2019-11-02 9:12 ` Paolo Bonzini [this message]