Mitigation modes in ThinkAgile CP
ThinkAgile CP includes an updated Red Hat kernel (3.10.0-862.20.2.el7.x86_64) in the latest release.
ThinkAgile CP provides the following L1TF mitigation modes as recommended by Red Hat:
Full - Addresses all L1TF vulnerabilities by flushing the Level 1 Data Cache and turning off Intel hyperthreading. WARNING: This mode can have a high performance impact.
Partial - Flushes the Level 1 Data Cache on all context switches from the hypervisor to a guest VM. Hyperthreading is enabled. This mode reduces the attack surface but does not fully prevent leaking of information. It prevents any guest OS from attacking the hypervisor, but it does not prevent a guest OS from attacking another running on the same hypervisor. This mode has a medium performance impact.
Disabled - No mitigation is applied. This mode has no performance impact. WARNING: Vulnerability is increased if untrusted workloads are running.
For L1TF mitigation support, you must be running ThinkAgile CP version 4.0.2 or later. When the platform is updated to 4.0.2, the L1TF mitigation mode is set to Full by default.
Considerations for Applying the L1TF Mitigation Modes
This Full mode disables the Intel hyperthreading feature and reduces the effective CPU core count by half. For this mode, you should ensure you have enough cores to adequately run existing workloads.
If you decide to apply the PARTIAL mode, which does not disable hyperthreading, you should protect your environment as much as possible by patching all running VMs to the latest level.
Or, you could leave the mitigation mode at FULL and add more compute nodes to make up for the lost CPU core counts, and then pick and choose your protection mode on a per hypervisor basis.