L1D Flushing
============

With an increasing number of vulnerabilities being reported around data
leaks from the Level 1 Data cache (L1D), the kernel provides an opt-in
mechanism to flush the L1D cache on context switch.

This mechanism can be used to address e.g. CVE-2020-0550. For applications,
the mechanism keeps them safe from vulnerabilities related to leaks
(snooping) from the L1D cache.


Related CVEs
------------
The following CVEs can be addressed by this mechanism:

    =============       ========================     ==================
    CVE-2020-0550       Improper Data Forwarding     OS related aspects
    =============       ========================     ==================

Usage Guidelines
----------------

Please see document: :ref:`Documentation/userspace-api/spec_ctrl.rst
<set_spec_ctrl>` for details.

**NOTE**: The feature is disabled by default; applications need to
specifically opt into the feature to enable it.

Mitigation
----------

When PR_SET_L1D_FLUSH is enabled for a task, a flush of the L1D cache is
performed when the task is scheduled out and the incoming task belongs to a
different process and therefore to a different address space.

If the underlying CPU supports L1D flushing in hardware, the hardware
mechanism is used. A software fallback for the mitigation is not supported.

Mitigation control on the kernel command line
---------------------------------------------

The kernel command line allows control of the L1D flush mitigation at boot
time with the option "l1d_flush=". The valid arguments for this option are:

  ============  =============================================================
  on            Enables the prctl interface, applications trying to use
                the prctl() will fail with an error if l1d_flush is not
                enabled
  ============  =============================================================

By default the mechanism is disabled.

Limitations
-----------

The mechanism does not mitigate L1D data leaks between tasks belonging to
different processes which are concurrently executing on sibling threads of
a physical CPU core when SMT is enabled on the system.

This can be addressed by controlled placement of processes on physical CPU
cores or by disabling SMT. See the relevant chapter in the L1TF mitigation
document: :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.

**NOTE**: The opt-in of a task for L1D flushing works only when the task's
affinity is limited to cores running in non-SMT mode. If a task which
requested L1D flushing is scheduled on an SMT-enabled core, the kernel sends
a SIGBUS to the task.
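The following is an added example, not part of the kernel documentation, of a task opting in while respecting the SMT limitation described above: it issues the prctl() only when every CPU in its own ``Cpus_allowed_list`` has no SMT sibling online. The helper names, the sysfs/procfs-based check and the use of ``PR_SET_SPECULATION_CTRL`` with ``PR_SPEC_L1D_FLUSH`` from ``linux/prctl.h`` (the interface of spec_ctrl.rst) are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#ifndef PR_SPEC_L1D_FLUSH      /* userspace headers that predate the feature */
#define PR_SPEC_L1D_FLUSH 2    /* value from include/uapi/linux/prctl.h */
#endif

/* "3\n" names one CPU; "0,4" or "0-1" mean an SMT sibling is online. */
int single_thread_core(const char *s) { return *s >= '0' && *s <= '9' && !strpbrk(s, ",-"); }

/* Probe one CPU through sysfs (example helper); unreadable counts as unsafe. */
int cpu_is_non_smt(int cpu) {
    char path[96], buf[64] = "";
    snprintf(path, sizeof(path),
             "/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list", cpu);
    FILE *f = fopen(path, "r");
    if (f) { if (!fgets(buf, sizeof(buf), f)) buf[0] = '\0'; fclose(f); }
    return single_thread_core(buf);
}

/* 1 only if probe() accepts every CPU in a kernel CPU list such as "0-3,8". */
int all_cpus_pass(const char *list, int (*probe)(int)) {
    char *end;
    do {
        long lo = strtol(list, &end, 10), hi = lo;
        if (end == list) return 0;               /* empty or malformed list */
        if (*end == '-') hi = strtol(end + 1, &end, 10);
        for (long c = lo; c <= hi; c++) if (!probe((int)c)) return 0;
        list = end + 1;
    } while (*end == ',');
    return 1;
}

/* Opt in only when every allowed CPU is non-SMT; returns 0 or a negative errno. */
int l1d_flush_opt_in(void) {
    char line[512], *list = NULL;
    FILE *f = fopen("/proc/self/status", "r");
    while (f && !list && fgets(line, sizeof(line), f))
        if (!strncmp(line, "Cpus_allowed_list:", 18)) list = line + 18;
    if (f) fclose(f);
    if (!list || !all_cpus_pass(list, cpu_is_non_smt)) return -EBUSY; /* SIGBUS risk */
    /* Fails if the kernel was not booted with l1d_flush=on. */
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0) ? -errno : 0;
}

int main(void) {
    int rc = l1d_flush_opt_in();
    printf("L1D flush opt-in: %s\n", rc ? strerror(-rc) : "enabled");
    return rc != 0;
}
```

Restrict the task's affinity to non-SMT cores before running it (for example with ``taskset`` or a cpuset) so that the check passes.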