Problem/message L1TF CPU bug and data leak

Madtrick

Hi.
To test different things, I installed the PVE several times on the same machine.
So I always had a fresh system.

The machine is a Fujitsu RX300 S7 with a XEON E5-2630L.

I get the following error message after the installation:

L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

PVE was then updated, but that did not work either. The message is still coming.

After Google search and research I am not smarter.

How can the security hole be closed?
What can be done?

 
It's not an error message, it's a warning. It just tells you that you have Hyper-Threading (SMT) enabled, which means that a malicious guest VM could theoretically access confidential data on the host (as described in the kernel.org link you posted).

This is a hardware flaw on Intel systems, and can (as far as I'm aware) only be mitigated by disabling Hyper-Threading (SMT), usually done in BIOS. Keep in mind that this incurs a (potentially hefty) performance penalty.
 
Can this warning be disabled?
You can actually fix it by disabling hyper-threading in the BIOS (or use the nosmt=force kernel parameter in the unlikely case that the BIOS has no such option).

EDIT: Turns out that it can be disabled without fixing the problem.
 
yes it can be disabled:

nano /etc/default/grub

add to kernel line mitigations=off

update-grub
reboot

warning is gone :)

Thanx for your answer! Did it, but the warning is still there:

changed this line on /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet mitigations=off"

Ran update-grub and rebooted, but the warning persists.
Maybe I did something wrong?

Sorry, I forgot to mention that I am on ZFS.
Found the solution here: https://forum.proxmox.com/threads/disable-spectre-meltdown-mitigations.112553/

nano /etc/kernel/cmdfile
(change this line) root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off
proxmox-boot-tool refresh
reboot

Thanx everyone!
NOTE: [Proxmox 8.2.2] These steps worked for me, but only with the correct filename, as shown below:

Incorrect path filename:
nano /etc/kernel/cmdfile

Correct path filename:
nano /etc/kernel/cmdline
 
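Added example (not part of any post in this thread): a shell check that tells a silenced warning apart from an actual mitigation, by reading the running kernel's command line and the l1tf status string. The function names and verdict words are illustrative assumptions, and the sample strings are constructed in the format the linked kernel documentation describes.

```shell
#!/bin/sh
# Added example. Live inputs on a running host come from the standard
# kernel interfaces /proc/cmdline and
# /sys/devices/system/cpu/vulnerabilities/l1tf.

# has_param CMDLINE PARAM: succeed if PARAM is a whole word in CMDLINE.
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# l1tf_assess CMDLINE STATUS: print one verdict word (names are assumptions).
l1tf_assess() {
    case "$2" in
        "Not affected"*) echo not-affected ;;
        *"VMX: vulnerable"*)
            # No L1D flush on VM entry: the warning may be gone, the flaw is not.
            if has_param "$1" mitigations=off || has_param "$1" l1tf=off; then
                echo disabled-by-cmdline
            else
                echo flush-disabled
            fi ;;
        *"SMT vulnerable"*) echo smt-exposed ;;    # flushes on, sibling thread can still leak
        *"SMT disabled"*)   echo smt-mitigated ;;  # e.g. BIOS setting or nosmt=force
        *)                  echo unknown ;;
    esac
}

# Verdict for the machine this runs on, when the interfaces are readable.
l1tf_report() {
    f=/sys/devices/system/cpu/vulnerabilities/l1tf
    [ -r "$f" ] && [ -r /proc/cmdline ] || { echo no-sysfs; return 0; }
    l1tf_assess "$(cat /proc/cmdline)" "$(cat "$f")"
}

# Constructed sample inputs (not captured from a real host).
l1tf_assess "root=ZFS=rpool/ROOT/pve-1 boot=zfs mitigations=off" \
    "Mitigation: PTE Inversion; VMX: vulnerable"
l1tf_assess "quiet" \
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
l1tf_report
```

If the live verdict does not change after editing a boot file, the parameter never reached /proc/cmdline, which is what happens when /etc/default/grub is edited on a host that boots through proxmox-boot-tool. The kernel documentation linked in the first post also lists l1tf=flush,nowarn, which silences the hypervisor warning while keeping the L1D flush on VM entry.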