CVE-2018-3646: Misleading not vulnerable status?

[lum1nate]

CVE-2018-3646 covers the virtualization related aspects of the L1TF vulnerability.

According to https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html, L1D flushing is "only potent" when combined with guest CPU isolation (i.e. isolated cores that don't run anything else) and interrupt isolation. Even then, it says that only either disabling SMT or EPT can fully mitigate the vulnerability (see section 3.3).

Anyway, the script gives me a status of "NOT VULNERABLE (L1D flushing is enabled and mitigates the vulnerability)" on a i7-4790k, despite having both EPT and SMT enabled. In this case, it might be more accurate to have it say something like "VULNERABLE/PARTIALLY MITIGATED" (perhaps with a link to the guide above).

Thanks for making this helpful script!

[CO-lhageman]

Yes, it is not fully mitigated, but is it harder to exploit. Try running the script with the --paranoid flag, that gives you a warning if it isn't fully mitigated.