
Configure L1 Terminal Fault mitigations

An XCCDF Rule

Description

L1 Terminal Fault (L1TF) is a hardware vulnerability that allows unprivileged speculative access to data held in the Level 1 Data Cache through page table entries whose present bit is cleared. Select the appropriate mitigation by adding the argument l1tf= to the default GRUB 2 command line for the Linux operating system. The kernel accepts the values full, full,force, flush, flush,nosmt, flush,nowarn and off (documented in Documentation/admin-guide/hw-vuln/l1tf.rst in the kernel source). To ensure that l1tf= is applied to newly installed kernels, modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... l1tf= ..."

Run the following command to update the command line for already installed kernels:

# grubby --update-kernel=ALL --args="l1tf="

Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the following command:

cat /sys/devices/system/cpu/vulnerabilities/l1tf
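The procedure above, as an added example that is not part of this rule's own remediation content: a POSIX shell script that sets l1tf= idempotently in /etc/default/grub (replacing an existing l1tf= token instead of appending a second one, which is what a naive sed append would do), validates the option against the values the kernel accepts, runs grubby for already installed kernels when it is available, and reads the sysfs status. The function names, the GRUB_DEFAULT_FILE and L1TF_SYSFS overrides, and any sample /etc/default/grub contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own remediation: audit and set the
# l1tf= kernel argument the way the description does by hand.
# Assumptions: GRUB_CMDLINE_LINUX is one double-quoted line in
# /etc/default/grub, and grubby is present for already-installed kernels.
# Both paths can be overridden so the script can be exercised on a copy.
GRUB_DEFAULT_FILE="${GRUB_DEFAULT_FILE:-/etc/default/grub}"
L1TF_SYSFS="${L1TF_SYSFS:-/sys/devices/system/cpu/vulnerabilities/l1tf}"

# Options documented in Documentation/admin-guide/hw-vuln/l1tf.rst.
valid_l1tf_option() {
    case "$1" in
        full|full,force|flush|flush,nosmt|flush,nowarn|off) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of ARG on the GRUB_CMDLINE_LINUX line of FILE (empty if unset).
get_grub_arg() {
    file=$1; arg=$2
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" |
        tr ' ' '\n' | sed -n "s/^${arg}=//p" | tail -n 1
}

# Set ARG=VALUE on the GRUB_CMDLINE_LINUX line of FILE. Idempotent: an existing
# ARG=... token is replaced in place, otherwise the token is appended; the line
# is created if the file has none. All other lines are left untouched.
set_grub_arg() {
    file=$1; arg=$2; value=$3; tmp="${file}.tmp.$$"
    awk -v arg="$arg" -v value="$value" '
        BEGIN { prefix = "GRUB_CMDLINE_LINUX=\"" }
        index($0, prefix) == 1 {
            line = substr($0, length(prefix) + 1)
            if (substr(line, length(line)) == "\"")
                line = substr(line, 1, length(line) - 1)
            n = split(line, tok, " ")
            out = ""; found = 0
            for (i = 1; i <= n; i++) {
                if (index(tok[i], arg "=") == 1) { tok[i] = arg "=" value; found = 1 }
                out = out (out == "" ? "" : " ") tok[i]
            }
            if (!found) out = out (out == "" ? "" : " ") arg "=" value
            print prefix out "\""
            seen = 1; next
        }
        { print }
        END { if (!seen) print prefix arg "=" value "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Report the kernel's own L1TF status from sysfs (Linux 4.19 and later, as the
# description notes). Returns 1 when the kernel reports an unmitigated state.
l1tf_state() {
    file=${1:-$L1TF_SYSFS}
    if [ ! -r "$file" ]; then
        echo "unknown: $file not readable"
        return 2
    fi
    state=$(cat "$file")
    echo "$state"
    case "$state" in
        Vulnerable*|*"VMX: vulnerable"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply VALUE: the default file for future kernels, then grubby for installed
# ones, which are the two steps the description gives.
apply_l1tf() {
    value=$1
    if ! valid_l1tf_option "$value"; then
        echo "invalid l1tf option: $value" >&2
        return 1
    fi
    set_grub_arg "$GRUB_DEFAULT_FILE" l1tf "$value" || return 1
    if command -v grubby >/dev/null 2>&1; then
        grubby --update-kernel=ALL --args="l1tf=$value"
    else
        echo "grubby not found; installed kernels not updated" >&2
        return 1
    fi
}

case "${1-}" in
    check) l1tf_state ;;
    apply) apply_l1tf "${2-}" ;;
    "")    ;;  # no arguments: only define the functions (sourced or under test)
    *)     echo "usage: $0 check | apply <l1tf option>" >&2; exit 1 ;;
esac
```

Run `sh l1tf.sh check` to see what the running kernel reports, and `sh l1tf.sh apply flush,nosmt` (as root) to set the option. Setting GRUB_DEFAULT_FILE to a copy of /etc/default/grub lets you verify the edit before touching the real file; note that editing /etc/default/grub alone does not change already installed kernel entries, which is why the grubby step is kept.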

Performance Warning

Enabling L1TF mitigations may impact the performance of the system; the full and flush,nosmt options additionally disable Simultaneous Multithreading.

Rationale

The L1TF vulnerability allows an attacker to bypass memory access controls imposed by the operating system or hypervisor: it gives read access to any physical memory location that is cached in the L1 Data Cache, which in a virtualized environment includes memory belonging to the host or to other guests.

ID
xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
Severity
High

Remediation - script:kickstart


bootloader l1tf=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>
            

Remediation - OS Build Blueprint

[customizations.kernel]
append = "l1tf=<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_l1tf_argument
  - high_severity

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

var_l1tf_options='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>'