Skip to content

Configure L1 Terminal Fault mitigations

An XCCDF Rule

Description

L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged speculative access to data which is available in the Level 1 Data Cache when the page table entry isn't present. Select the appropriate mitigation by adding the argument l1tf= to the default GRUB 2 command line for the Linux operating system. Configure the default Grub2 kernel command line to contain l1tf= as follows:

# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf="
Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the following command: cat /sys/devices/system/cpu/vulnerabilities/l1tf

warning alert: Performance Warning

Enabling L1TF mitigations may impact performance of the system.

Rationale

The L1TF vulnerability allows an attacker to bypass memory access security controls imposed by the system or hypervisor. The L1TF vulnerability allows read access to any physical memory location that is cached in the L1 Data Cache.

ID
xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
Severity
High
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "l1tf=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_l1tf_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>'



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_l1tf_argument
  - high_severity