Comment by LinuxBender
8 years ago
Probably in most cases.
VMware has disclaimers in the mitigation options that preclude turning off HT, meaning use at your own risk. [1]
I am still waiting on a comment from Linode. [2]
OpenStack has some knobs you can adjust, but it really depends on your workloads and what risk you are willing to accept. [3]
AWS have their own custom hypervisor and are said to have worked around the issue. [4] Amazon had info on this before others. It appears they have a special relationship with Intel?
I have not found any hardware or OS vendors that are willing to say that you can leave HT enabled. It is a very heated topic because folks will have to increase their VM infrastructure anywhere from 5% to 50% depending on their workload profiles. For public clouds, you can't predict workload profiles.
Edit: Oops, I left out the main site for L1TF. [5]
[1] - https://kb.vmware.com/s/article/55806
[2] - https://blog.linode.com/2018/08/16/intels-l1tf-cpu-vulnerabi...
[3] - https://access.redhat.com/articles/3569281
[4] - https://aws.amazon.com/security/security-bulletins/AWS-2018-...
AWS is able to get custom Intel processors due to their size (c5 instances have a custom Intel processor).
Makes sense. I sure would like some custom processors. :-)
Well, fabbing using reasonably respectable processes only runs circa $2000/mm2 or so, and using crazy old process nodes like CMOS et al gets you down to $300/mm2, so you could very well make something.
Technically.
(I want to...)
Microsoft has stated that you can leave HT enabled when using Hyper-V on Windows 2016. The same mitigations have allowed them to keep HT enabled in Azure.
https://blogs.technet.microsoft.com/virtualization/2018/08/1...