L1TF CPU bug and CVE-2018-3646

Can this be mitigated, L1TF CPU bug present and SMT on, or because of Intel Hyperthreading do I just have to deal with it?

Curious if Incus and TrueNAS have ways to mitigate this in software. As I am researching this, it seems OS providers were able to do so when this first became a concern. Intel updated microcode in 2018, but it is still a concern for the affected CPUs.

The best mitigation is to disable SMT. Personally, I would not worry about it.


Yes, but I am not going to disable hyperthreading. I am concerned about it.

Here, I found this on www.google.com:
L1TF - L1 Terminal Fault — The Linux Kernel documentation

Thank you, I have read through that already.

Then what’s the question?

TrueNAS is middleware. I doubt it does any mitigation beyond the kernel defaults. If this is important to you, I would recommend verifying the desired mitigations are in place using the link above over trusting what someone on a messageboard tells you.

Did not ask for your passive answers. The question is stated above. If you have nothing to contribute as to the Incus or TrueNAS side then please do not reply. There is no need for you to think what you have provided is the answer. Have a great day.

I hope someone holds your hand. Good luck!


Debian mitigated this years ago.
TrueNAS SCALE is based on Debian.

Do you have evidence suggesting otherwise?

I stated above “Curious if Incus and TrueNAS have ways to mitigate this in software, as I am researching this, it seems OS providers were able to do so when this first became a concern.”

TrueNAS provided the message and link in the webui, so yes, that is evidence that I feel grants me being able to ask the question.

In my research I found:

"Guidance:

#### No virtualization

The Linux kernel update will fully mitigate the issue.

#### Virtualization with trusted guests

If the guest OS can be trusted and runs an updated kernel, the system is protected against L1TF and needs no further actions.

#### Virtualization with untrusted guests

If SMT is not supported by the processor, or disabled in the BIOS, or by the kernel, only flushing the L1 Datacache is required when switching between VMs.

How to control this via options is described in the sections above.

If SMT is supported and active, the following scenarios are possible:

* Guests can be confined to single or groups of cores not shared with other guests. While this reduces the attack surface greatly, interrupts or kernel threads could still run on those cores in parallel with malicious code, and data used by those could be exposed to attackers.
* Additionally to isolating guests to single or groups of cores, interrupt handling can reduce the attack surface, but it's still possible that kernel threads run on those cores.
* Only disabling SMT and enabling L1 Datacache flushes provides maximum protection."

So with a trusted guest, things should be fine. I understand that. I am still curious if Incus or TrueNAS has done anything further, which is possible, to help mitigate this being an issue.

Please elaborate on what you mean here.
What more mitigation than using the updated kernel are you looking for? // That isn’t “don’t use vulnerable CPUs” or “disable SMT”, which are both effective even with untrusted OSes - for this vulnerability.

You are asking me to answer my own question and replying for argument's sake. You are not in any way being informative or helpful. Why are you being a keyboard warrior and being combative?

Am I not allowed to ask questions here about things I do not know?

You said it’s possible to do something further, while the rest of the world has moved on.

What more do you want them to do about this?
Help us understand what you think is lacking and maybe we can guide you to your goal.

No, what I stated is that the possibility exists that Incus or TrueNAS has done more on the software side to help mitigate it, and I am curious if that is the case.

The answer is no.

I will not be monitoring this thread any further.
Good day.

There is nothing more for TrueNAS (Debian) or Incus to do. Kernel mitigations were made in 2018. Intel hasn’t released any additional microcode mitigations for this in years.

For anyone with sensitive data at risk of being targeted by state-sponsored malicious actors or providing services for those that might, I recommend upgrading to a processor that has implemented hardware mitigations and/or disabling SMT. It’s also recommended to improve the timeliness of the security program.

For those not targeted by state-sponsored malicious actors, the existing mitigations are sufficient.

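Two posts above say the practical step is to verify what the kernel itself reports rather than trust a forum answer, and the quoted kernel guidance splits the answer into "trusted guests" versus "untrusted guests". The script below, an added example that is not code from this thread, TrueNAS, Incus or the kernel tree, reads the kernel's L1TF report from sysfs and maps it onto that guidance. It assumes a Linux host with the standard `/sys/devices/system/cpu/vulnerabilities/l1tf` file and a POSIX shell; the optional ROOT argument, the function names and the verdict labels are this example's own invention, and the sample status strings in the comments are assumed to match the kernel's output format (they are constructed here, not captured from the poster's machine).

```shell
#!/bin/sh
# Added example, not code from the thread, TrueNAS, Incus or the kernel tree.
# Reads the kernel's own L1TF report from sysfs and classifies the host
# against the "trusted guests" / "untrusted guests" guidance quoted above.
# ROOT (optional first argument) is prefixed to every sysfs path so the
# functions can be run against a constructed copy of sysfs; omit it on a
# live host. Function names and verdict labels are this example's own.

# l1tf_posture [ROOT]  -> prints one verdict, exit 0 when no action is needed
#   not-affected  CPU does not have the bug
#   host-only     PTE inversion active, kvm_intel not loaded (no VMX state)
#   untrusted-ok  L1D flushed on VM entry and SMT off, or EPT disabled:
#                 the kernel documentation's posture for untrusted guests
#   trusted-only  PTE inversion active but SMT on and/or L1D flush off:
#                 fine for trusted guests only
#   vulnerable    no kernel mitigation at all (old kernel or mitigations=off)
#   unknown       sysfs file missing or an unrecognised string
l1tf_posture() {
    root="${1:-}"
    f="$root/sys/devices/system/cpu/vulnerabilities/l1tf"
    [ -r "$f" ] || { echo unknown; return 1; }
    status=$(cat "$f")
    # Assumed sample of the kernel's format (constructed, not captured):
    #   "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
    case "$status" in
        "Not affected")              echo not-affected; return 0 ;;
        Vulnerable*)                 echo vulnerable;   return 1 ;;
        "Mitigation: PTE Inversion") echo host-only;    return 0 ;;
        *"VMX: EPT disabled"*)       echo untrusted-ok; return 0 ;;
        *"SMT disabled"*)
            # SMT off is not enough if KVM was told never to flush L1D.
            case "$status" in
                *"VMX: vulnerable"*) echo trusted-only; return 1 ;;
                *)                   echo untrusted-ok; return 0 ;;
            esac ;;
        *"SMT vulnerable"*|*"VMX: vulnerable"*)
                                     echo trusted-only; return 1 ;;
        *)                           echo unknown;      return 1 ;;
    esac
}

# l1tf_advice [ROOT] -> one line saying what would change the verdict.
# The knobs named are the documented kernel ones: the l1tf= boot parameter,
# kvm-intel.vmentry_l1d_flush, and /sys/devices/system/cpu/smt/control.
l1tf_advice() {
    case "$(l1tf_posture "${1:-}")" in
        trusted-only)
            echo "run only trusted guests, or boot with l1tf=full,force (SMT off, unconditional L1D flush); SMT alone can be turned off at runtime with: echo off > /sys/devices/system/cpu/smt/control" ;;
        vulnerable) echo "update the kernel (or drop mitigations=off); nothing is mitigated" ;;
        unknown)    echo "kernel too old to report, or not a Linux host" ;;
        *)          echo "no further action needed for this posture" ;;
    esac
}

# l1tf_report [ROOT] -> the raw inputs next to the verdict, for a ticket.
l1tf_report() {
    root="${1:-}"
    for p in sys/devices/system/cpu/vulnerabilities/l1tf \
             sys/devices/system/cpu/smt/control \
             sys/module/kvm_intel/parameters/vmentry_l1d_flush; do
        printf '%-52s %s\n' "/$p:" "$(cat "$root/$p" 2>/dev/null || echo missing)"
    done
    printf '%-52s %s\n' "posture:" "$(l1tf_posture "$root")"
    printf '%-52s %s\n' "advice:"  "$(l1tf_advice "$root")"
}

# Report on the live host (or on the ROOT given as the first argument).
l1tf_report "${1:-}"
```

On a TrueNAS SCALE or Incus host the interesting line is the first one: a report ending in "SMT vulnerable" means the host is in the "trusted guests only" posture the quoted guidance describes, and nothing in the middleware changes that; only the kernel knobs named in the advice line do.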