Problem/message L1TF CPU bug and data leak

Madtrick

Active Member
Mar 17, 2019
Germany
Hi.
To test different things, I installed PVE several times on the same machine, so I always had a fresh system.

The machine is a Fujitsu RX300 S7 with a XEON E5-2630L.

I get the following error message after the installation:

L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

PVE was then updated, but that did not work either. The message still appears.

After Google searches and research I am no smarter.

How can the security hole be closed?
What can be done?

Translated with www.DeepL.com/Translator (free version)
 
It's not an error message, it's a warning. It just tells you that you have Hyper-Threading (SMT) enabled, which means that a malicious guest VM could theoretically access confidential data on the host (as described in the kernel.org link you posted).

This is a hardware flaw on Intel systems, and can (as far as I'm aware) only be mitigated by disabling Hyper-Threading (SMT), usually done in the BIOS. Keep in mind that this incurs a (potentially hefty) performance penalty.
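Rather than trusting the boot message alone, a practitioner can read the kernel's own verdict from sysfs and flip SMT at runtime. The script below is an added example, not code from the thread or from Proxmox: it classifies the /sys/devices/system/cpu/vulnerabilities/l1tf string using the formats listed in the kernel's l1tf.html document, and wraps the documented /sys/devices/system/cpu/smt/control switch. The sample status strings are constructed for the self-test; the "--check" and "--forceoff" flags are this script's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): read the L1TF / SMT state the kernel
# reports in sysfs and show the runtime switch for SMT.
# File paths are the ones documented in admin-guide/hw-vuln/l1tf.html.

L1TF_FILE=/sys/devices/system/cpu/vulnerabilities/l1tf
SMT_FILE=/sys/devices/system/cpu/smt/control

# Reduce the free-text l1tf status line to one keyword.
# "SMT vulnerable", or a bare "VMX: vulnerable" (l1tf=off with SMT on), means a
# guest on a sibling hyperthread can still read host L1D contents, so the
# PTE-inversion part of the mitigation is not enough for a hypervisor host.
classify_l1tf() {
    case "$1" in
        "Not affected")               echo not-affected ;;
        *"SMT vulnerable"*)           echo smt-vulnerable ;;
        *"VMX: vulnerable")           echo smt-vulnerable ;;
        *"SMT disabled"*)             echo smt-disabled ;;
        "Mitigation: PTE Inversion"*) echo mitigated ;;     # no VMX or EPT off
        Vulnerable*)                  echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# Read one sysfs file; the path is a parameter so the function can be tested
# against a constructed file. Missing file (e.g. non-Linux) -> "missing".
read_state() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        echo missing
    fi
}

# Runtime SMT control (needs root, takes sibling threads offline at once).
# "off" can be undone by writing "on"; "forceoff" sticks until reboot, which is
# the same effect as the nosmt=force kernel parameter mentioned in the thread.
smt_off()      { echo off      > "$SMT_FILE"; }
smt_forceoff() { echo forceoff > "$SMT_FILE"; }

# True (0) when the host still needs SMT disabled to close the guest->host leak.
needs_action() {
    case "$(classify_l1tf "$1")" in
        smt-vulnerable|vulnerable) return 0 ;;
        *)                         return 1 ;;
    esac
}

if [ "${1:-}" = "--check" ]; then
    l1tf=$(read_state "$L1TF_FILE")
    smt=$(read_state "$SMT_FILE")
    echo "l1tf: $l1tf"
    echo "smt:  $smt"
    if needs_action "$l1tf"; then
        echo "SMT still on: run '$0 --forceoff' as root, or disable Hyper-Threading in the BIOS"
        exit 2
    fi
elif [ "${1:-}" = "--forceoff" ]; then
    smt_forceoff && echo "l1tf now: $(read_state "$L1TF_FILE")"
fi
```

Run it with `--check` on the host; after `--forceoff` (or a BIOS change plus reboot) the l1tf line should end in "SMT disabled", and the KVM warning from the first post stops appearing when guests start.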
 
Can this warning be disabled?
You can actually fix it by disabling hyper-threading in the BIOS (or use the nosmt=force kernel parameter in the unlikely case that the BIOS has no such option).

EDIT: Turns out that it can be disabled without fixing the problem.
 
Yes, it can be disabled:

nano /etc/default/grub

add mitigations=off to the kernel line

update-grub
reboot

warning is gone :)

Thanks for your answer! I did it, but the warning is still there:

changed this line on /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off"

Ran update-grub and rebooted, but the warning persists.
Maybe I did something wrong?
 
Sorry, I forgot to mention that I am on ZFS.
Found the solution here: https://forum.proxmox.com/threads/disable-spectre-meltdown-mitigations.112553/

nano /etc/kernel/cmdfile
(change this line) root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
proxmox-boot-tool refresh
reboot

Thanks everyone!
NOTE: [Proxmox 8.2.2] These steps worked for me but by choosing correct filename as shown below:

Incorrect path filename:
nano /etc/kernel/cmdfile

Correct path filename:
nano /etc/kernel/cmdline
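The posts above show why the edit landed in the wrong file: a GRUB install reads GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and is applied with update-grub, while a systemd-boot install (the usual case for ZFS on UEFI) reads the single line in /etc/kernel/cmdline and is applied with proxmox-boot-tool refresh. The script below is an added example, not code from the thread or from Proxmox: it appends a parameter idempotently to whichever file is in use, refuses a conflicting value for the same key, and defaults to l1tf=flush,nowarn, the kernel's documented option for keeping the L1D flush but silencing the hypervisor warning (mitigations=off also silences it, but turns off every other CPU mitigation on the host). Choosing the file by the presence of /etc/kernel/cmdline is an assumption of this script; confirm with "proxmox-boot-tool status" before relying on it. The --apply flag and the sample GRUB and cmdline contents in the self-test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): put a kernel parameter into the file
# the installed bootloader actually reads, then run the matching refresh step.
# Files and commands are those named in the Proxmox docs; bootloader detection
# by the presence of /etc/kernel/cmdline is this script's own assumption.
set -eu

# True (0) when $2 already appears as a whole word in the cmdline string $1.
has_param() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# True (0) when the key of $2 (text before '=') is already set to another
# value in $1. The kernel honours the last occurrence, which is easy to miss
# when reading the file later, so refuse instead of appending a second one.
same_key_differs() {
    key=${2%%=*}
    for w in $1; do
        [ "${w%%=*}" = "$key" ] && [ "$w" != "$2" ] && return 0
    done
    return 1
}

# Value inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT="..." (empty if unset).
grub_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Append $2 to GRUB_CMDLINE_LINUX_DEFAULT in file $1 (path given for testing).
add_to_grub() {
    f=$1; p=$2
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$f" || {
        echo "no GRUB_CMDLINE_LINUX_DEFAULT line in $f" >&2; return 1; }
    cur=$(grub_value "$f")
    if has_param "$cur" "$p"; then return 0; fi
    if same_key_differs "$cur" "$p"; then
        echo "refusing: ${p%%=*}= already set differently in $f" >&2; return 1; fi
    if [ -z "$cur" ]; then new=$p; else new="$cur $p"; fi
    sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Append $2 to the single line in a /etc/kernel/cmdline-style file $1.
add_to_cmdline() {
    f=$1; p=$2
    cur=$(tr -d '\n' < "$f")
    if has_param "$cur" "$p"; then return 0; fi
    if same_key_differs "$cur" "$p"; then
        echo "refusing: ${p%%=*}= already set differently in $f" >&2; return 1; fi
    if [ -z "$cur" ]; then printf '%s\n' "$p"; else printf '%s %s\n' "$cur" "$p"; fi \
        > "$f.tmp" && mv "$f.tmp" "$f"
}

# Edit the live file for this host and regenerate the boot entries.
apply() {
    p=$1
    if [ -f /etc/kernel/cmdline ]; then          # systemd-boot via proxmox-boot-tool
        add_to_cmdline /etc/kernel/cmdline "$p" && proxmox-boot-tool refresh
    else                                          # plain GRUB
        add_to_grub /etc/default/grub "$p" && update-grub
    fi
    echo "added '$p'; reboot to activate"
}

# Default keeps the L1D flush and only silences the KVM warning (kernel doc:
# "flush,nowarn"). Pass mitigations=off explicitly if that is really wanted.
if [ "${1:-}" = "--apply" ]; then
    apply "${2:-l1tf=flush,nowarn}"
fi
```

Usage on the host: `sh l1tf-cmdline.sh --apply` (or `--apply mitigations=off` to reproduce the thread's setting), then reboot and re-check /sys/devices/system/cpu/vulnerabilities/l1tf.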
 
Resurrecting this out of the blue due to a friend referencing this post and then see the question here:

I just set up a PVE node on a Dell Optiplex 5040.

It throws this warning on boot.

In a home server environment, how much do I actually need to worry about a potential data leak from this?

For the record, this is an issue of trust.

Do you run untrusted code in your environment?

Do you have untrusted devices on your network that use services provided by the VMs, or containers?

Do you have Internet-accessible services? How public are they? What's the possibility of an untrusted user gaining access to them?

If it's the comfort of your home and you're not opening it up to the outside world and you're only installing software that you trust and you're not a person of interest to any intelligence agencies... you're fine :)

If you're Edward Snowden or you're intentionally downloading malicious software to test it in a honeypot environment... maybe don't - or at least make it entirely separate from stuff you care about.

As someone sticking to Ubuntu and Plex, you're fine.

If you're ordering random IoT gadgets off of AliExpress and already plugging them into your home network without protection, that's probably a much bigger and more practical issue in and of itself.

If you're offering free VPS hosting to some friends out of your house and who knows what they do with it... getting more into trouble territory.

If you're a bank or government employee, don't do it.
 