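# Apply settings after updating software to address CVE-2018-3620
#
# Playbook Ver. 1.0
#
# This playbook will help you set configuration parameters to increase the
# security of your systems after updating your software to address
# CVE-2018-3620. It will enable unconditional L1 D$ flushes on VMenter calls,
# and optionally also disable SMT.
#
# See https://access.redhat.com/security/vulnerabilities/L1TF for full details.
#
# OPTIONS:
#
# FLUSH - Enable unconditional L1 D$ flush on VMenter.
#
# SMT - Disables SMT for the system. NOTE: SMT will not be disabled if KVM
# virtual machines are detected, as this can cause unpredictable behavior and
# possible data loss.
#
# FORCE - If SMT is specified, disable SMT at boot time, and do not allow it
# to be reenabled at runtime.
#
# RESET - Attempts to reset the system to the default state, e.g. conditional
# L1 D$ flush on VMenter if EPT is supported and enabled. NOTE: To avoid making
# unwanted changes to the system state, RESET will *not* re-enable SMT at run-
# time. It will remove any L1TF-related kernel arguments, which, if that was the
# only means by which SMT was disabled, will re-enable it at the next reboot.
#
# USAGE NOTES:
#
# All options are passed as extra vars and are compared as the strings '0'
# and '1', e.g.:
#   ansible-playbook -e "HOSTS=all FLUSH=1 SMT=1" <this playbook>
#
# Every grubby task only edits the kernel command line and takes effect at the
# next reboot. The single task that changes the live system is "Disable SMT
# for the running system", which writes to the smt sysfs control file.
---
- name: Apply CVE-2018-3620 Settings
  hosts: "{{ HOSTS }}"
  become: true

  vars:
    # Option flags. Kept as strings because values passed with -e arrive as
    # strings and the tasks below compare against '0' / '1' literally.
    FLUSH: '0'
    SMT: '0'
    FORCE: '0'
    RESET: '0'

  tasks:
    # Check consistency of arguments
    - name: Reject conflicting options
      fail:
        msg: "Conflicting options specified. Please only specify either FLUSH and/or SMT (optionally with FORCE) to enable mitigations, or RESET to remove mitigations."
      when: RESET == '1' and (SMT == '1' or FLUSH == '1')

    - name: Reject unexpected option values
      fail:
        msg: 'Unexpected value. Please specify e.g. -e "SMT=1 FORCE=1" or -e "RESET=1"'
      when: >
        (FLUSH != '0' and FLUSH != '1') or
        (RESET != '0' and RESET != '1') or
        (SMT != '0' and SMT != '1') or
        (FORCE != '0' and FORCE != '1')

    # The smt sysfs interface is used as the marker that the running kernel
    # carries the L1TF changes; without it none of the settings below apply.
    - name: Detect updated kernel
      stat:
        path: /sys/devices/system/cpu/smt/active
      register: smt_stat

    - name: Abort when the running kernel lacks L1TF support
      fail:
        msg: System needs kernel update.
      when: not smt_stat.stat.exists

    # The pattern is quoted so the shell cannot glob-expand '[q]emu-kvm'
    # against a file in the working directory. grep exits 1 only when nothing
    # matched; rc 0 (VMs found) and rc 2 (grep error) are both treated as
    # "VMs may be running" so SMT is never offlined underneath a guest.
    - name: Detect running libvirt VMs
      shell: ps -ef | grep '[q]emu-kvm'
      register: vmlist
      failed_when: false
      changed_when: false

    - name: Refuse to change SMT while VMs may be running
      fail:
        msg: "This system appears to be acting as a hypervisor. Offlining cores/threads at runtime while VMs are running can cause unpredictable behavior, including data loss. Either stop all running VMs, or disable hyperthreading via another method, such as in the system BIOS."
      when: vmlist.rc != 1 and SMT != '0'

    # Apply requested settings
    #
    # Kernel arguments are added to every installed kernel (--update-kernel=ALL)
    # so the mitigation survives a kernel upgrade and a fallback boot.
    - name: Flush L1 D$ on VMenter (KVM)
      command: grubby --args "kvm-intel.vmentry_l1d_flush=always" --update-kernel=ALL
      when: FLUSH == '1'

    - name: Flush L1 D$ on VMenter (kernel)
      command: grubby --args "l1tf=flush" --update-kernel=ALL
      when: FLUSH == '1' and SMT == '0'

    - name: Flush L1 D$ on VMenter (kernel) and Disable SMT (allow runtime changes)
      command: grubby --args "l1tf=full" --update-kernel=ALL
      when: SMT == '1' and FLUSH == '1' and FORCE == '0'

    - name: Flush L1 D$ on VMenter (kernel) and Disable SMT (don't allow runtime changes)
      command: grubby --args "l1tf=full,force" --update-kernel=ALL
      when: SMT == '1' and FLUSH == '1' and FORCE == '1'

    - name: Disable SMT (allow runtime changes)
      command: grubby --args "l1tf=nosmt" --update-kernel=ALL
      when: SMT == '1' and FLUSH == '0' and FORCE == '0'

    - name: Disable SMT (don't allow runtime changes)
      command: grubby --args "l1tf=nosmt,force" --update-kernel=ALL
      when: SMT == '1' and FLUSH == '0' and FORCE == '1'

    # Immediate effect on the live system; the grubby tasks above make the
    # same setting persistent across reboots.
    - name: Disable SMT for the running system
      shell: echo 'off' > /sys/devices/system/cpu/smt/control
      when: SMT == '1'

    # RESET: strip the L1TF-related arguments again. Per the header note, SMT
    # is deliberately not re-enabled at runtime here.
    - name: Conditionally flush L1 D$ (KVM)
      command: grubby --remove-args "kvm-intel.vmentry_l1d_flush" --update-kernel=ALL
      when: RESET == '1'

    - name: Conditionally flush L1 D$ (kernel)
      command: grubby --remove-args "l1tf" --update-kernel=ALL
      when: RESET == '1'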