How is Linode handling L1TF? What actions can we take to mitigate?
Amazon AWS says they have some platform-wide fix in place that prevents it from affecting EC2:
https://aws.amazon.com/security/security-bulletins/AWS-2018-019/
Digital Ocean says it does affect them, and they are working on a fix:
https://blog.digitalocean.com/a-message-about-l1tf/
What's the story for Linode?
What can we do to protect ourselves in the meantime?
Indeed, looking forward to Linode's heads-up. Hoping Linode rolls out more AMD EPYC-based host nodes too :)
I just posted some general information on L1TF here. We'll have a blog post up shortly, so stay tuned to our blog.
In response to your specific questions:
What's the story for Linode?
We're still investigating L1TF's impact on Linode and our customers.
What can we do to protect ourselves in the meantime?
Updating your kernel will help. If you use the Linode kernel, make sure your kernel is set to "Latest", and reboot. 4.17.15 and up contain patches for L1TF.
If you use a distribution-supplied kernel, you'll need to update with your package manager and reboot.
Let us know if you have more questions on this.
I think more is needed than just a kernel update, according to https://blogs.oracle.com/oraclesecurity/intel-l1tf
The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:
- Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.
- Applying the necessary OS and virtualization software patches against affected systems. To be effective, OS patches will require the presence of the updated Intel processor microcode. This is because updated microcode by itself is not sufficient to protect against L1TF. Corresponding OS and virtualization software updates are also required to mitigate the L1TF vulnerabilities present in Intel processors.
- Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.
Appreciate the hard work Linode is doing
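Both Linode's advice above (move to 4.17.15 or later and reboot) and the Oracle/Intel steps (microcode, OS and hypervisor patches, hyperthreading) leave the guest admin with one practical question: how do I verify my own Linode's posture after the reboot? The script below is an added example, not code from this thread or from Linode. It assumes the 4.17.15 threshold quoted by Linode, the standard Linux sysfs paths for vulnerability reporting (`/sys/devices/system/cpu/vulnerabilities/l1tf`, present on kernels that carry the L1TF patches) and SMT control, and that the guest kernel's own verdict is the authoritative check rather than a bare version number.

```shell
#!/bin/sh
# Added example (not from the Linode thread): quick L1TF posture check for a guest.
# Assumptions (mine, not Linode's): the 4.17.15 threshold quoted in the thread,
# and the standard Linux sysfs paths for vulnerability status and SMT control.

# Compare a kernel version string like "4.17.15-x86_64-linode115" against a
# minimum "MAJOR.MINOR.PATCH". Prints "ok" or "old". Only meaningful for
# upstream-numbered kernels (Linode's); distro kernels backport fixes without
# bumping the upstream version, so for them trust l1tf_verdict instead.
kernel_at_least() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-x86_64-linode115" etc.
    min=$2
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    vmaj=${1:-0}; vmin=${2:-0}; vpat=${3:-0}
    set -- $(printf '%s' "$min" | tr '.' ' ')
    mmaj=${1:-0}; mmin=${2:-0}; mpat=${3:-0}
    if [ "$vmaj" -gt "$mmaj" ] || \
       { [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -gt "$mmin" ]; } || \
       { [ "$vmaj" -eq "$mmaj" ] && [ "$vmin" -eq "$mmin" ] && [ "$vpat" -ge "$mpat" ]; }; then
        echo ok
    else
        echo old
    fi
}

# Classify the kernel's own L1TF verdict, i.e. the contents of
# /sys/devices/system/cpu/vulnerabilities/l1tf. Real values look like
# "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
# "Not affected", or "Vulnerable".
# Prints: mitigated | not-affected | vulnerable | unknown
l1tf_verdict() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Read the live system and print one line per check. Tolerates missing files
# (older kernels have no vulnerabilities directory; VMs often hide microcode).
report() {
    k=$(uname -r)
    echo "kernel: $k ($(kernel_at_least "$k" 4.17.15) against 4.17.15)"
    f=/sys/devices/system/cpu/vulnerabilities/l1tf
    if [ -r "$f" ]; then
        s=$(cat "$f")
        echo "l1tf: $s -> $(l1tf_verdict "$s")"
    else
        echo "l1tf: sysfs entry absent (kernel predates the L1TF patches, or not x86)"
    fi
    # SMT state as the guest sees it. The host's hyperthreading decision is the
    # provider's and is not visible from inside the VM.
    if [ -r /sys/devices/system/cpu/smt/control ]; then
        echo "smt (guest view): $(cat /sys/devices/system/cpu/smt/control)"
    fi
    # Microcode revision as the host exposes it to the guest.
    if ! grep -m1 '^microcode' /proc/cpuinfo 2>/dev/null; then
        echo "microcode: not exposed to this guest"
    fi
    return 0
}

report
```

Run it after rebooting into the new kernel. The `l1tf` line is what matters: "Mitigation: PTE Inversion" means the guest kernel has the patches and is protecting its own page tables; whether the host flushes the L1D on VM entry and what it does about hyperthreading are host-side decisions that Linode has to answer, which is exactly the open question in this thread.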
Nice, it seems you also fixed the issues outlined at https://www.linode.com/community/questions/17069/network-issues-with-latest-kernel (my Linode can reboot with 4.17.15-x86_64-linode115):
uname -r
4.17.15-x86_64-linode115
cheers