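# Apply settings after updating software to address CVE-2018-3620
#
# Playbook Ver. 1.2
#
# This playbook will help you set configuration parameters to increase the
# security of your systems after updating your software to address
# CVE-2018-3620 (L1 Terminal Fault, "L1TF"). It will enable unconditional
# L1 D$ flushes on VMenter calls, and optionally also disable SMT.
#
# See https://access.redhat.com/security/vulnerabilities/L1TF for full details.
#
# OPTIONS (each is the string '0' or '1', passed with -e, e.g. -e "FLUSH=1"):
#
# FLUSH - Enable unconditional L1 D$ flush on VMenter.
#
# NOSMT - Disables SMT for the system if the kernel detects that the system is
# vulnerable to L1TF. NOTE: SMT will not be disabled if KVM virtual machines
# are detected, as this can cause unpredictable behavior and possible data
# loss.
#
# FORCE - If NOSMT is specified, disable SMT at boot time, and do not allow it
# to be reenabled at runtime. FORCE without NOSMT is rejected, because it would
# silently do nothing.
#
# RESET - Attempts to reset the system to the default state, e.g. conditional
# L1 D$ flush on VMenter if EPT is supported and enabled. NOTE: To avoid making
# unwanted changes to the system state, RESET will *not* re-enable SMT at run-
# time. It will remove any L1TF-related kernel arguments, which, if that was the
# only means by which SMT was disabled, will re-enable it at the next reboot.
#
# All grubby changes take effect at the next reboot; only NOSMT additionally
# changes the running system (via /sys/devices/system/cpu/smt/control).
#
# CHANGES:
#
# 1.2 Add the missing --update-kernel=ALL to the FLUSH-only grubby call (without
# it grubby has no kernel entry to modify, so "l1tf=flush" was not applied in
# that case); reject FORCE without NOSMT and runs that request no action; also
# match qemu-system-* guest processes in the hypervisor check.
#
# 1.1 (2018-08-15) Change the argument SMT to NOSMT for clarity, fix issue with
# only disabling SMT.
#
---
- name: Apply CVE-2018-3620 Settings
  hosts: "{{ HOSTS }}"
  become: true

  vars:
    # Kept as strings because -e "NAME=1" passes strings; every comparison
    # below is against '0' / '1'.
    FLUSH: '0'
    NOSMT: '0'
    FORCE: '0'
    RESET: '0'

  tasks:
    # --- Check consistency of arguments ------------------------------------
    - name: Reject conflicting options
      fail:
        msg: >-
          Conflicting options specified. Please only specify either FLUSH
          and/or NOSMT and optionally FORCE to enable mitigations, or RESET
          to remove mitigations.
      when: RESET == '1' and (NOSMT == '1' or FLUSH == '1')

    - name: Reject unexpected option values
      fail:
        msg: >-
          Unexpected value. Please specify e.g. -e "NOSMT=1 FORCE=1" or
          -e "RESET=1"
      when: >
        (FLUSH != '0' and FLUSH != '1') or
        (RESET != '0' and RESET != '1') or
        (NOSMT != '0' and NOSMT != '1') or
        (FORCE != '0' and FORCE != '1')

    - name: Reject FORCE without NOSMT
      # FORCE only selects the ",force" variant of the nosmt arguments; on its
      # own it would change nothing while looking like a hardening step.
      fail:
        msg: "FORCE only has an effect together with NOSMT=1; nothing would be forced."
      when: FORCE == '1' and NOSMT != '1'

    - name: Reject a run that requests no action
      # With all options at their default '0' the playbook would report success
      # without touching the system.
      fail:
        msg: "No action requested. Specify FLUSH=1 and/or NOSMT=1, or RESET=1."
      when: FLUSH == '0' and NOSMT == '0' and RESET == '0'

    # --- Preconditions -----------------------------------------------------
    - name: Detect updated kernel
      # The smt/ sysfs directory is only present on kernels carrying the L1TF
      # mitigations; without it neither the l1tf= argument nor the runtime SMT
      # control below would have any effect.
      stat:
        path: /sys/devices/system/cpu/smt/active
      register: smt_stat

    - name: Require a kernel with L1TF support
      fail:
        msg: System needs kernel update.
      when: not smt_stat.stat.exists

    - name: Detect running libvirt VMs
      # The bracket ([q]emu) keeps the grep process itself out of the match.
      # rc 0 = guests found, rc 1 = none, rc 2 = grep error (treated as found,
      # which is the safe direction for the hypervisor guard below).
      shell: ps -ef | grep -E '[q]emu-(kvm|system)'
      register: vmlist
      failed_when: false
      changed_when: false

    - name: Detect running nova-compute
      shell: ps -ef | grep '[n]ova-compute'
      register: nova
      failed_when: false
      changed_when: false

    - name: Refuse to offline SMT siblings under running guests
      fail:
        msg: >-
          This system appears to be acting as a hypervisor. Offlining
          cores/threads at runtime while VMs are running can cause
          unpredictable behavior, including data loss. Either stop all running
          VMs, or disable hyperthreading via another method, such as in the
          system BIOS.
      when: (vmlist.rc != 1 or nova.rc != 1) and NOSMT != '0'

    # --- Apply requested settings -----------------------------------------
    # Every grubby call uses --update-kernel=ALL so the argument lands on all
    # installed kernel entries; the change is persistent and takes effect on
    # the next boot.
    - name: Flush L1 D$ on VMenter (KVM)
      command: grubby --args "kvm-intel.vmentry_l1d_flush=always" --update-kernel=ALL
      when: FLUSH == '1'

    - name: Flush L1 D$ on VMenter (kernel)
      # 1.1 omitted --update-kernel=ALL here, so this FLUSH-only path did not
      # write the argument.
      command: grubby --args "l1tf=flush" --update-kernel=ALL
      when: FLUSH == '1' and NOSMT == '0'

    - name: Flush L1 D$ on VMenter (kernel) and Disable SMT (allow runtime changes)
      command: grubby --args "l1tf=full" --update-kernel=ALL
      when: NOSMT == '1' and FLUSH == '1' and FORCE == '0'

    - name: Flush L1 D$ on VMenter (kernel) and Disable SMT (don't allow runtime changes)
      command: grubby --args "l1tf=full,force" --update-kernel=ALL
      when: NOSMT == '1' and FLUSH == '1' and FORCE == '1'

    - name: Disable SMT (allow runtime changes)
      command: grubby --args "l1tf=flush,nosmt" --update-kernel=ALL
      when: NOSMT == '1' and FLUSH == '0' and FORCE == '0'

    - name: Disable SMT (don't allow runtime changes)
      command: grubby --args "l1tf=flush,nosmt,force" --update-kernel=ALL
      when: NOSMT == '1' and FLUSH == '0' and FORCE == '1'

    - name: Disable SMT for the running system
      # Immediate effect; the grubby arguments above make it survive a reboot.
      # Only reached if the hypervisor guard above did not fail the play.
      shell: echo 'off' > /sys/devices/system/cpu/smt/control
      when: NOSMT == '1'

    # --- Remove mitigations (RESET) ---------------------------------------
    # Only the boot arguments are removed; SMT is intentionally not re-enabled
    # at runtime (see header).
    - name: Conditionally flush L1 D$ (KVM)
      command: grubby --remove-args "kvm-intel.vmentry_l1d_flush" --update-kernel=ALL
      when: RESET == '1'

    - name: Conditionally flush L1 D$ (kernel)
      command: grubby --remove-args "l1tf" --update-kernel=ALL
      when: RESET == '1'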