A Brief Introduction to L1TF aka Foreshadow
This latest Intel CPU vulnerability exploits the same general mechanism that the Spectre and Meltdown vulnerabilities uncovered earlier in the year. This mechanism is called “speculative execution” and refers to the technique where a CPU attempts to guess the work that will be needed in the near future and complete that work before it is needed.
Modern CPUs have several cores (think mini-CPUs within the CPU chip) that are able to work independently of each other. This means that a modern multi-core CPU often has cores that are idling rather than working on the current task.
Speculative execution attempts to put those idling cores to work by guessing the work that the CPU will shortly have to perform and using one of the idling cores to perform that work before it is needed. If the CPU guesses correctly, a significant performance gain is achieved by pre-computing work on CPU cores that would otherwise not be doing anything. If the CPU guesses incorrectly, the pre-computed work is discarded, resulting in no net performance loss.
The exploits that target speculative execution manipulate the CPU into revealing normally inaccessible, protected private memory. This is of particular concern to servers hosting virtual machines, such as Cloud VPSs, as it is theoretically possible for one virtual machine to access the data held in the memory of another virtual machine on the same host server.
Fortunately, as of writing, no malicious software exploiting this vulnerability has been discovered.
Memset Mitigations Against L1TF
The mitigations against L1TF include updates to CPU microcode, the Linux kernel and the virtualisation software that we use, Xen.
We began testing these mitigations as they have been released over the last few weeks in order to streamline the deployment process and resolve any issues that arose.
After successful testing, we have patched all of Memset's internal (non-customer-facing) infrastructure. We are confident that the processes we have in place will enable a smooth deployment to customer virtual machine host servers.
The mitigations that we will deploy will update the virtual machine host server CPU microcode and Linux kernel. We will supply an up-to-date, patched kernel for the old-generation Cloud VPSs, as they use a Memset-supplied kernel.
Memset clients using the next-generation Cloud VPS servers are running their own kernel. This must be updated using the local package manager (e.g. apt or yum) by running a normal system update.
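As an added example (not part of the Memset post), a small POSIX shell script that checks what the running kernel reports about L1TF once that system update has been applied. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/l1tf (the path and status strings are the kernel's own); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Memset post): after the package-manager update,
# ask the kernel what it reports about L1TF and say whether action is needed.
# The sysfs path and status strings are the ones the Linux kernel uses;
# the function names are this example's own.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# Classify one kernel status line. Prints one of:
#   not-affected | vulnerable | mitigated | mitigated-smt-vulnerable | unknown
# "SMT vulnerable" means hyper-threading is still enabled, so the L1D flush
# alone does not cover a sibling thread; this matters most on VM hosts.
classify_l1tf_status() {
    case "$1" in
        "Not affected"*)                  echo "not-affected" ;;
        Vulnerable*)                      echo "vulnerable" ;;
        "Mitigation: "*"SMT vulnerable"*) echo "mitigated-smt-vulnerable" ;;
        Mitigation:*)                     echo "mitigated" ;;
        *)                                echo "unknown" ;;  # empty or unrecognised
    esac
}

# Read the live status; prints nothing if the kernel predates the sysfs file,
# which on its own is a sign that the kernel has not been updated yet.
read_l1tf_status() {
    if [ -r "$L1TF_SYSFS" ]; then cat "$L1TF_SYSFS"; fi
}

# Pick the "normal system update" command for this distribution's package manager.
update_command() {
    if command -v apt-get >/dev/null 2>&1; then
        echo "apt-get update && apt-get dist-upgrade"
    elif command -v yum >/dev/null 2>&1; then
        echo "yum update"
    else
        echo "unknown package manager"
    fi
}

report_l1tf() {
    status=$(read_l1tf_status)
    verdict=$(classify_l1tf_status "$status")
    echo "L1TF status: ${status:-<not reported; kernel predates the fix>}"
    echo "Verdict:     $verdict"
    if [ "$verdict" != "mitigated" ] && [ "$verdict" != "not-affected" ]; then
        echo "Action:      run '$(update_command)' and reboot into the new kernel"
    fi
}

report_l1tf
```

A reboot is required after the kernel package is installed; the sysfs file describes the kernel that is currently running, not the one on disk.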
Will This Affect The Performance of My Cloud VPS?
Unfortunately, the speculative execution mechanism being targeted by L1TF improves the performance of the CPU. This means that the mitigations being deployed, which disable or modify speculative execution, result in slower CPU performance.
In our benchmarks and testing, we have observed a noticeable but small performance degradation. However, the exact figure is highly dependent on the type of workload being run. This makes it almost impossible to predict how any particular VPS will be affected after the patches are deployed, but you should expect lower performance from your virtual server. That being said, we expect that customers will see little to no impact in real-world usage.
Finally, it should be noted that these patches must be applied by any hosting organisation that uses Intel CPUs in their servers. As almost every hosting provider, from the smallest to the largest, deploys Intel Xeon CPUs, these patches will be applied by everyone in the coming weeks.