Problem/message L1TF CPU bug and data leak

[Madtrick]

Hi.
To test different things, I installed the PVE several times on the same machine.
So I always had a fresh system.

The machine is a Fujitsu RX300 S7 with a XEON E5-2630L.

I get the following error message after the installation:

L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

PVE was then updated, but that did not work either. The message is still coming.

After Google search and research I am not smarter.

How can the security hole be closed?
What can be done?

Translated with www.DeepL.com/Translator (free version)

 

[Stefan_R]

It's not an error message, it's a warning. It just tells you that you have Hyper-Threading (SMT) enabled, which means that a malicious guest VM could theoretically access confidential data on the host (as described in the kernel.org link you posted).

This is a hardware flaw on intel systems, and can (as far as I'm aware) only be mitigated by disabling Hyper-Threading (SMT), usually done in BIOS. Keep in mind that this incurs a (potentially hefty) performance penalty.

 

[Madtrick]

ohhh. Yeah, that's right. It's just a warning.

Thanks for the answer. Now I understand what it means.

 

[JL17]

can this warning be disabled?

 

[leesteken]

can this warning be disabled?

You can actually fix it by disabling hyper-threading in the BIOS (or use the nosmt=force kernel parameters in the unlikely case that the BIOS has no such option).

EDIT: Turns out that it can be disable without fixing the problem.

 

[mac.linux.free]

can this warning be disabled?

yes it can be disabled:

nano /etc/default/grub

add to kernel line mitigations=off

update-grub
reboot

warning is gone

 

[JL17]

yes it can be disabled:

nano /etc/default/grub

add to kernel line mitigations=off

update-grub
reboot

warning is gone

thanx for your answer! did it but the warning stills there:

changed this line on /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off"

made update-grub and reboot, but the warning persist.
Maybe i did somethjing wrong?

 

[JL17]

Sorry i forgot to mention that i am on ZFS.
Found the soluition here: https://forum.proxmox.com/threads/disable-spectre-meltdown-mitigations.112553/

nano /etc/kernel/cmdfile
(change this line) root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
proxmox-boot-tool refresh
reboot

Thanx everyone!

 

[SInisterPisces]

I just set up a PVE node on a Dell Optiplex 5040.

It throws this warning on boot.

In a home server environment, how much do I actually need to worry about a potential data leak from this?

 

[naptime]

Sorry i forgot to mention that i am on ZFS.
Found the soluition here: https://forum.proxmox.com/threads/disable-spectre-meltdown-mitigations.112553/

nano /etc/kernel/cmdfile
(change this line) root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
proxmox-boot-tool refresh
reboot

Thanx everyone!

NOTE: [Proxmox 8.2.2] These steps worked for me but by choosing correct filename as shown below:

Incorrect path filename:
nano /etc/kernel/cmdfile

Correct path filename:
nano /etc/kernel/cmdline