{"description": "L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged\nspeculative access to data which is available in the Level 1 Data Cache when\nthe page table entry isn't present.\n\nSelect the appropriate mitigation by adding the argument\n<tt>l1tf=<sub idref=\"var_l1tf_options\" /></tt> to the default\nGRUB 2 command line for the Linux operating system.\nTo ensure that <tt>l1tf=<sub idref=\"var_l1tf_options\" /></tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>l1tf=<sub idref=\"var_l1tf_options\" /></tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... l1tf=<sub idref=\"var_l1tf_options\" /> ...\"</pre>\nRun the following command to update the command line for already installed kernels:<pre># update-grub</pre>\n\nSince Linux kernel 4.19 you can check the L1TF vulnerability state with the\nfollowing command:\n<tt>cat /sys/devices/system/cpu/vulnerabilities/l1tf</tt>", "rationale": "The L1TF vulnerability allows an attacker to bypass memory access security controls imposed\nby the system or hypervisor. The L1TF vulnerability allows read access to any physical memory\nlocation that is cached in the L1 Data Cache.", "severity": "high", "references": {"anssi": ["R8"]}, "control_references": {"anssi": ["R8"]}, "components": [], "identifiers": {}, "ocil_clause": "l1tf mitigations are not configured appropriately", "ocil": "Inspect the form of the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. 
If it includes <tt>l1tf=<sub idref=\"var_l1tf_options\" /></tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check if the GRUB recovery is enabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to true, then check that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*l1tf=<sub idref=\"var_l1tf_options\" />.*' /etc/default/grub</pre>\nIf the recovery is disabled, check the line with\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX.*l1tf=<sub idref=\"var_l1tf_options\" />.*' /etc/default/grub</pre>\nMoreover, the current GRUB config file <tt>grub.cfg</tt> must also be checked. The file can be found\neither in <tt>/boot/grub</tt> in case of legacy BIOS systems, or in <tt>/boot/grub</tt> in case of UEFI systems.\nIf it includes <tt>l1tf=<sub idref=\"var_l1tf_options\" /></tt>, then the parameter\nis configured at boot time.\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'l1tf=<sub idref=\"var_l1tf_options\" />'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"performance": "Enabling L1TF mitigations may impact performance of the system."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure L1 Terminal Fault mitigations", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "l1tf", "arg_variable": "var_l1tf_options"}, "backends": {}}}