View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions How is Linode handling L1TF? What actions can we take to mitigate?
Log in to Ask a Question

How is Linode handling L1TF? What actions can we take to mitigate?

Amazon AWS says they have some platform-wide fix in place that prevents it from affecting EC2:

https://aws.amazon.com/security/security-bulletins/AWS-2018-019/

Digital Ocean says it does affect them, and they are working on a fix:

https://blog.digitalocean.com/a-message-about-l1tf/

What's the story for Linode?

What can we do to protect ourselves in the meantime?

3 Replies

Indeed looking forward to Linode's heads up. Hoping more Linode roll out of AMD EPYC based host nodes too :)

Linode Staff

I just posted some general information on L1TF here. We'll have a blog post up shortly, so stay tuned to our blog.

In response to your specific questions:

What's the story for Linode?

We're still investigating L1TF's impact on Linode and our customers.

What can we do to protect ourselves in the meantime?

Updating your kernel will help. If you use the Linode kernel, make sure your kernel is set to "Latest", and reboot. 4.17.15 and up contain patches for L1TF.

If you use a distribution-supplied kernel, you'll need to update with your package manager and reboot.

Let us know if you have more questions on this.

I think more is need that just Kernel update according to https://blogs.oracle.com/oraclesecurity/intel-l1tf

The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:

  • Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.
  • Applying the necessary OS and virtualization software patches against affected systems. To be effective, OS patches will require the presence of the updated Intel processor microcode. This is because updated microcode by itself is not sufficient to protect against L1TF. Corresponding OS and virtualization software updates are also required to mitigate the L1TF vulnerabilities present in Intel processors.
  • Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.

Appreciate the hard work Linode is doing

Nice seems you also fixed the issues outlined at https://www.linode.com/community/questions/17069/network-issues-with-latest-kernel My Linode can reboot with 4.17.15-x86_64-linode115

uname -r
4.17.15-x86_64-linode115

cheers

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct