[CentOS] L1TF in CentOS

Tue Oct 2 14:36:47 UTC 2018
Patrick Rael <prael at lumeta.com>

Hi,
I've applied the latest kernel upticks of kernel and microcode_ctl for L1TF.
Just rpm updates and rebooted, no further changes.

kernel-2.6.32-754.3.5.el6.x86_64.rpm
kernel-firmware-2.6.32-754.3.5.el6.noarch.rpm
kernel-headers-2.6.32-754.3.5.el6.x86_64.rpm
perf-2.6.32-754.3.5.el6.x86_64.rpm
microcode_ctl-1.17-33.3.el6_10.x86_64.rpm

L1TF has several mitigations. So far I can see that only this one is applied.

# cat /sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion

Is this the definitive check? I'm trying to confirm the L1 data cache flush
isn't enabled. It's OK if only this PTE Inversion is applied for me, I just
need to be sure, because when I read this URL from Red Hat, it says 2 of the 3
mitigations are enabled by default, but I see only 1:

https://access.redhat.com/security/vulnerabilities/L1TF
"All mitigations are enabled by default with the exception of disabling
Hyper-Threading, which customers must take explicit manual steps to turn off."

Also, I haven't been able to find clarity on what mitigations need to be
applied to VMs, which ones to VM servers, which to kvm instances and kvm
servers, and if containers and container servers need any special treatment.

Thanks!
-->Pat
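
Added example, not part of the original post and not CentOS or Red Hat code: a shell helper that splits the l1tf sysfs line quoted above into its PTE inversion, VMX L1D flush and SMT fields. The field strings are those documented for upstream kernels (Documentation/admin-guide/hw-vuln/l1tf.rst), where the VMX and SMT parts appear only once kvm_intel is set up; that the backported EL6 kernel prints the same strings, and the function names used here, are assumptions.

```shell
#!/bin/sh
# Added example: interpret the L1TF sysfs status line.
# Field strings follow upstream Documentation/admin-guide/hw-vuln/l1tf.rst;
# assumption: the backported EL6 kernel reports the same strings.

# l1tf_parse "<status line>" -> "pte=... l1d_flush=... smt=..."
l1tf_parse() {
    status=$1
    pte=no; flush=not-reported; smt=not-reported
    case $status in
        "Not affected"*) echo "pte=n/a l1d_flush=n/a smt=n/a"; return 0 ;;
    esac
    case $status in *"PTE Inversion"*) pte=yes ;; esac
    case $status in
        *"VMX: conditional cache flushes"*) flush=conditional ;;
        *"VMX: cache flushes"*)             flush=always ;;
        *"VMX: EPT disabled"*)              flush=ept-disabled ;;
        *"VMX: vulnerable"*)                flush=off ;;
    esac
    case $status in
        *"SMT vulnerable"*) smt=enabled ;;
        *"SMT disabled"*)   smt=disabled ;;
    esac
    echo "pte=$pte l1d_flush=$flush smt=$smt"
}

# l1tf_report [file]: parse the live sysfs entry (or a saved copy of it)
l1tf_report() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/l1tf}
    if [ ! -r "$f" ]; then
        echo "no l1tf sysfs entry (kernel without L1TF reporting)"
        return 1
    fi
    l1tf_parse "$(cat "$f")"
    # kvm_intel module parameter; readable only while the module is loaded
    p=/sys/module/kvm_intel/parameters/vmentry_l1d_flush
    [ -r "$p" ] && echo "kvm_intel vmentry_l1d_flush=$(cat "$p")"
    return 0
}

# Constructed sample lines; the first is the value shown in the post
for s in "Mitigation: PTE Inversion" \
         "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
do
    l1tf_parse "$s"
done
```

On a host, call l1tf_report with no argument; "l1d_flush=not-reported" means the status line carried no VMX field, not that a flush state was confirmed either way.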