€•ê6Œsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œ translations”Œ LanguagesNode”“”)”}”(hhh]”(hŒ pending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ1/translations/zh_CN/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuŒtagname”hhh ubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/zh_TW/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/it_IT/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/ja_JP/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/ko_KR/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/pt_BR/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ1/translations/sp_SP/admin-guide/hw-vuln/l1d_flush”Œmodname”NŒ classname”NŒ refexplicit”ˆuh1hhh ubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ L1D Flushing”h]”hŒ L1D Flushing”…””}”(hh¼h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhh·h²hh³ŒK/var/lib/git/docbuild/linux/Documentation/admin-guide/hw-vuln/l1d_flush.rst”h´KubhŒ paragraph”“”)”}”(hŒÁWith an increasing number of vulnerabilities being reported around data leaks from the Level 1 Data cache (L1D) the kernel provides an opt-in mechanism to flush the L1D cache on context switch.”h]”hŒÁWith an increasing number of vulnerabilities being reported around data leaks from the Level 1 Data cache (L1D) the kernel provides an opt-in mechanism to flush the L1D cache on context switch.”…””}”(hhÍh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khh·h²hubhÌ)”}”(hŒ±This mechanism can be used to address e.g. CVE-2020-0550. For applications the mechanism keeps them safe from vulnerabilities, related to leaks (snooping of) from the L1D cache.”h]”hŒ±This mechanism can be used to address e.g. CVE-2020-0550. For applications the mechanism keeps them safe from vulnerabilities, related to leaks (snooping of) from the L1D cache.”…””}”(hhÛh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khh·h²hubh¶)”}”(hhh]”(h»)”}”(hŒ Related CVEs”h]”hŒ Related CVEs”…””}”(hhìh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhhéh²hh³hÊh´KubhÌ)”}”(hŒ5The following CVEs can be addressed by this mechanism”h]”hŒ5The following CVEs can be addressed by this mechanism”…””}”(hhúh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khhéh²hubhŒ block_quote”“”)”}”(hŒÌ============= ======================== ================== CVE-2020-0550 Improper Data Forwarding OS related aspects ============= ======================== ================== ”h]”hŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K uh1jhjubj)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1jhjubj)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1jhjubhŒtbody”“”)”}”(hhh]”hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hÌ)”}”(hŒ CVE-2020-0550”h]”hŒ CVE-2020-0550”…””}”(hjGh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KhjDubah}”(h]”h ]”h"]”h$]”h&]”uh1jBhj?ubjC)”}”(hhh]”hÌ)”}”(hŒImproper Data Forwarding”h]”hŒImproper Data Forwarding”…””}”(hj^h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khj[ubah}”(h]”h ]”h"]”h$]”h&]”uh1jBhj?ubjC)”}”(hhh]”hÌ)”}”(hŒOS related aspects”h]”hŒOS related aspects”…””}”(hjuh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khjrubah}”(h]”h ]”h"]”h$]”h&]”uh1jBhj?ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j=hj:ubah}”(h]”h ]”h"]”h$]”h&]”uh1j8hjubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1jhjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj ubah}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Khhéh²hubeh}”(h]”Œ related-cves”ah ]”h"]”Œ related cves”ah$]”h&]”uh1hµhh·h²hh³hÊh´Kubh¶)”}”(hhh]”(h»)”}”(hŒUsage Guidelines”h]”hŒUsage Guidelines”…””}”(hj³h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhj°h²hh³hÊh´KubhÌ)”}”(hŒbPlease see document: :ref:`Documentation/userspace-api/spec_ctrl.rst ` for details.”h]”(hŒPlease see document: ”…””}”(hjÁh²hh³Nh´Nubh)”}”(hŒ@:ref:`Documentation/userspace-api/spec_ctrl.rst `”h]”hŒinline”“”)”}”(hjËh]”hŒ)Documentation/userspace-api/spec_ctrl.rst”…””}”(hjÏh²hh³Nh´Nubah}”(h]”h ]”(Œxref”Œstd”Œstd-ref”eh"]”h$]”h&]”uh1jÍhjÉubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œadmin-guide/hw-vuln/l1d_flush”Œ refdomain”jÚŒreftype”Œref”Œ refexplicit”ˆŒrefwarn”ˆŒ reftarget”Œ set_spec_ctrl”uh1hh³hÊh´KhjÁubhŒ for details.”…””}”(hjÁh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khj°h²hubhÌ)”}”(hŒr**NOTE**: The feature is disabled by default, applications need to specifically opt into the feature to enable it.”h]”(hŒstrong”“”)”}”(hŒ**NOTE**”h]”hŒNOTE”…””}”(hjþh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jühjøubhŒj: The feature is disabled by default, applications need to specifically opt into the feature to enable it.”…””}”(hjøh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khj°h²hubeh}”(h]”Œusage-guidelines”ah ]”h"]”Œusage guidelines”ah$]”h&]”uh1hµhh·h²hh³hÊh´Kubh¶)”}”(hhh]”(h»)”}”(hŒ Mitigation”h]”hŒ Mitigation”…””}”(hj!h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjh²hh³hÊh´K ubhÌ)”}”(hŒÒWhen PR_SPEC_L1D_FLUSH is enabled for a task a flush of the L1D cache is performed when the task is scheduled out and the incoming task belongs to a different process and therefore to a different address space.”h]”hŒÒWhen PR_SPEC_L1D_FLUSH is enabled for a task a flush of the L1D cache is performed when the task is scheduled out and the incoming task belongs to a different process and therefore to a different address space.”…””}”(hj/h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K"hjh²hubhÌ)”}”(hŒIf the underlying CPU supports L1D flushing in hardware, the hardware mechanism is used, software fallback for the mitigation, is not supported.”h]”hŒIf the underlying CPU supports L1D flushing in hardware, the hardware mechanism is used, software fallback for the mitigation, is not supported.”…””}”(hj=h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K&hjh²hubeh}”(h]”Œ mitigation”ah ]”h"]”Œ mitigation”ah$]”h&]”uh1hµhh·h²hh³hÊh´K ubh¶)”}”(hhh]”(h»)”}”(hŒ-Mitigation control on the kernel command line”h]”hŒ-Mitigation control on the kernel command line”…””}”(hjVh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjSh²hh³hÊh´K*ubhÌ)”}”(hŒ—The kernel command line allows to control the L1D flush mitigations at boot time with the option "l1d_flush=". The valid arguments for this option are:”h]”hŒ›The kernel command line allows to control the L1D flush mitigations at boot time with the option “l1d_flush=â€. The valid arguments for this option are:”…””}”(hjdh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K,hjSh²hubj )”}”(hX:============ ============================================================= on Enables the prctl interface, applications trying to use the prctl() will fail with an error if l1d_flush is not enabled ============ ============================================================= ”h]”j)”}”(hhh]”j)”}”(hhh]”(j)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K uh1jhjyubj)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K=uh1jhjyubj9)”}”(hhh]”j>)”}”(hhh]”(jC)”}”(hhh]”hÌ)”}”(hŒon”h]”hŒon”…””}”(hj™h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K0hj–ubah}”(h]”h ]”h"]”h$]”h&]”uh1jBhj“ubjC)”}”(hhh]”hÌ)”}”(hŒwEnables the prctl interface, applications trying to use the prctl() will fail with an error if l1d_flush is not enabled”h]”hŒwEnables the prctl interface, applications trying to use the prctl() will fail with an error if l1d_flush is not enabled”…””}”(hj°h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K0hj­ubah}”(h]”h ]”h"]”h$]”h&]”uh1jBhj“ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j=hjubah}”(h]”h ]”h"]”h$]”h&]”uh1j8hjyubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1jhjvubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjrubah}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K/hjSh²hubhÌ)”}”(hŒ%By default the mechanism is disabled.”h]”hŒ%By default the mechanism is disabled.”…””}”(hjãh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K5hjSh²hubeh}”(h]”Œ-mitigation-control-on-the-kernel-command-line”ah ]”h"]”Œ-mitigation control on the kernel command line”ah$]”h&]”uh1hµhh·h²hh³hÊh´K*ubh¶)”}”(hhh]”(h»)”}”(hŒ Limitations”h]”hŒ Limitations”…””}”(hjüh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjùh²hh³hÊh´K8ubhÌ)”}”(hŒËThe mechanism does not mitigate L1D data leaks between tasks belonging to different processes which are concurrently executing on sibling threads of a physical CPU core when SMT is enabled on the system.”h]”hŒËThe mechanism does not mitigate L1D data leaks between tasks belonging to different processes which are concurrently executing on sibling threads of a physical CPU core when SMT is enabled on the system.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K:hjùh²hubhÌ)”}”(hŒàThis can be addressed by controlled placement of processes on physical CPU cores or by disabling SMT. See the relevant chapter in the L1TF mitigation document: :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst `.”h]”(hŒ This can be addressed by controlled placement of processes on physical CPU cores or by disabling SMT. See the relevant chapter in the L1TF mitigation document: ”…””}”(hjh²hh³Nh´Nubh)”}”(hŒ?:ref:`Documentation/admin-guide/hw-vuln/l1tf.rst `”h]”jÎ)”}”(hj"h]”hŒ*Documentation/admin-guide/hw-vuln/l1tf.rst”…””}”(hj$h²hh³Nh´Nubah}”(h]”h ]”(jÙŒstd”Œstd-ref”eh"]”h$]”h&]”uh1jÍhj ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”jæŒ refdomain”j.Œreftype”Œref”Œ refexplicit”ˆŒrefwarn”ˆjìŒ smt_control”uh1hh³hÊh´K>hjubhŒ.”…””}”(hjh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K>hjùh²hubhÌ)”}”(hŒò**NOTE** : The opt-in of a task for L1D flushing works only when the task's affinity is limited to cores running in non-SMT mode. If a task which requested L1D flushing is scheduled on a SMT-enabled core the kernel sends a SIGBUS to the task.”h]”(jý)”}”(hŒ**NOTE**”h]”hŒNOTE”…””}”(hjNh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jühjJubhŒì : The opt-in of a task for L1D flushing works only when the task’s affinity is limited to cores running in non-SMT mode. If a task which requested L1D flushing is scheduled on a SMT-enabled core the kernel sends a SIGBUS to the task.”…””}”(hjJh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KBhjùh²hubeh}”(h]”Œ limitations”ah ]”h"]”Œ limitations”ah$]”h&]”uh1hµhh·h²hh³hÊh´K8ubeh}”(h]”Œ l1d-flushing”ah ]”h"]”Œ l1d flushing”ah$]”h&]”uh1hµhhh²hh³hÊh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÊuh1hŒcurrent_source”NŒ current_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hºNŒ generator”NŒ datestamp”NŒ source_link”NŒ source_url”NŒ toc_backlinks”jBŒfootnote_backlinks”KŒ sectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒ strip_classes”NŒ report_level”KŒ halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ traceback”ˆŒinput_encoding”Œ utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j˜Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œ language_code”Œen”Œrecord_dependencies”NŒconfig”NŒ id_prefix”hŒauto_id_prefix”Œid”Œ dump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÊŒ _destination”NŒ _config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒ raw_enabled”KŒline_length_limit”M'Œpep_references”NŒ pep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒ rfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œ smart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œ docinfo_xform”KŒsectsubtitle_xform”‰Œ image_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jsjpj­jªjjjPjMjöjójkjhuŒ nametypes”}”(js‰j­‰j‰jP‰jö‰jk‰uh}”(jph·jªhéjj°jMjjójSjhjùuŒ footnote_refs”}”Œ citation_refs”}”Œ autofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ footnotes”]”Œ citations”]”Œautofootnote_start”KŒsymbol_footnote_start”KŒ id_counter”Œ collections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œ transformer”NŒ include_log”]”Œ decoration”Nh²hub.