Hi!
According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but has a severe performance impact.
FWIW: With EPT disabled (2)), I can *not* confirm any performance degradation for the VirtualBox Windows or Linux VMs that I use. Those VMs are for desktop use, though.
So to me it seems that the performance impact depends on the use case, and in a desktop setting disabling EPT may offer a simple maximum-protection option with the advantage of still-enabled hyperthreading.
I have tried this with 4.18.1 and 4.14.63.
Rainer Fiebig
***
1) https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html#mitigation-sele...
2) kvm-intel.ept=0
tail /sys/devices/system/cpu/vulnerabilities/*
==> /sys/devices/system/cpu/vulnerabilities/l1tf <==
Mitigation: PTE Inversion; VMX: EPT disabled

==> /sys/devices/system/cpu/vulnerabilities/meltdown <==
Mitigation: PTI

==> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass <==
Mitigation: Speculative Store Bypass disabled via prctl and seccomp

==> /sys/devices/system/cpu/vulnerabilities/spectre_v1 <==
Mitigation: __user pointer sanitization

==> /sys/devices/system/cpu/vulnerabilities/spectre_v2 <==
Mitigation: Full generic retpoline, IBPB, IBRS_FW
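As an added example (not part of this thread or of the kernel's own tooling), the following POSIX shell script grades the l1tf status line the kernel exposes under /sys/devices/system/cpu/vulnerabilities/, distinguishing the "EPT disabled" state quoted above from the default conditional-flush state that still leaves sibling hyperthreads exposed. Only the "VMX: EPT disabled" form appears in the post; the other status strings are taken from the kernel's L1TF admin guide wording, and the sample lines in the script are constructed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: classify the L1TF status
# string from /sys/devices/system/cpu/vulnerabilities/l1tf.
#
# Status formats (per the kernel L1TF admin guide; only the "EPT disabled"
# form is quoted in the thread):
#   "Not affected"
#   "Vulnerable"
#   "Mitigation: PTE Inversion"                       (no VMX on the host)
#   "Mitigation: PTE Inversion; VMX: EPT disabled"
#   "Mitigation: PTE Inversion; VMX: <flush mode>, SMT <vulnerable|disabled>"
# where <flush mode> is "conditional cache flushes", "cache flushes" or
# "vulnerable" (L1D flush on VMENTER turned off).

# l1tf_grade STATUS
# Prints one word describing guest-to-host isolation:
#   none       CPU is not affected
#   full       EPT disabled, or L1D flushes active and SMT disabled
#   partial    L1D flushes active, but a guest on one hyperthread can still
#              observe the sibling thread's L1D contents
#   host       only PTE inversion (user space vs. kernel); no VMX in use
#   vulnerable no effective guest mitigation
l1tf_grade() {
    status="$1"
    case "$status" in
        "Not affected")
            echo none ;;
        *"EPT disabled"*)
            echo full ;;            # the configuration discussed in the thread
        *"VMX: vulnerable"*)
            echo vulnerable ;;      # flushes off: SMT state alone does not help
        *"SMT disabled"*)
            echo full ;;
        *"SMT vulnerable"*)
            echo partial ;;         # kernel default on most hosts
        "Mitigation: PTE Inversion")
            echo host ;;
        *)
            echo vulnerable ;;
    esac
}

# l1tf_check_system
# Grades the running host, or prints "unknown" if the sysfs file is absent.
l1tf_check_system() {
    f=/sys/devices/system/cpu/vulnerabilities/l1tf
    if [ -r "$f" ]; then
        l1tf_grade "$(cat "$f")"
    else
        echo unknown
    fi
}

# Constructed sample lines, one per documented state, for a quick dry run.
for sample in \
    "Mitigation: PTE Inversion; VMX: EPT disabled" \
    "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" \
    "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled" \
    "Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled" \
    "Mitigation: PTE Inversion" \
    "Not affected" \
    "Vulnerable"
do
    printf '%-75s -> %s\n' "$sample" "$(l1tf_grade "$sample")"
done
printf 'this host -> %s\n' "$(l1tf_check_system)"
```

The grading follows the thread's point: with kvm-intel.ept=0 the host reaches "full" without turning SMT off, whereas the default conditional-flush mode is only "partial" as long as the sibling hyperthread stays online.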
On Thu, Aug 16, 2018 at 01:41:26PM +0200, Rainer Fiebig wrote:
> Hi!
> According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but has a severe performance impact.
> FWIW: With EPT disabled (2)), I can *not* confirm any performance degradation for the VirtualBox Windows or Linux VMs that I use. Those VMs are for desktop use, though.
> So to me it seems that the performance impact depends on the use case, and in a desktop setting disabling EPT may offer a simple maximum-protection option with the advantage of still-enabled hyperthreading.
> I have tried this with 4.18.1 and 4.14.63.
Why are you sending this to the stable@ list? There's nothing we can do here, sorry.
greg k-h
Greg KH wrote:
> On Thu, Aug 16, 2018 at 01:41:26PM +0200, Rainer Fiebig wrote:
> > Hi!
> > According to 1), disabling EPT offers the same maximum protection against L1TF as disabling SMT but has a severe performance impact.
> > FWIW: With EPT disabled (2)), I can *not* confirm any performance degradation for the VirtualBox Windows or Linux VMs that I use. Those VMs are for desktop use, though.
> > So to me it seems that the performance impact depends on the use case, and in a desktop setting disabling EPT may offer a simple maximum-protection option with the advantage of still-enabled hyperthreading.
> > I have tried this with 4.18.1 and 4.14.63.
> Why are you sending this to the stable@ list? There's nothing we can do here, sorry.
> greg k-h
Sorry, wrong target group then. Have a good day!
Rainer Fiebig