During tests with QubesOS a problem was found which seemed to be related to kfence_protect_page() writing a L1TF vulnerable page table entry [1].
Looking into the function I'm seeing:
set_pte(pte, __pte(pte_val(*pte) & ~_PAGE_PRESENT));
I don't think this can be correct, as keeping the PFN unmodified and
just removing the _PAGE_PRESENT bit is wrong regarding L1TF.
There should be at least the highest PFN bit set in order to be L1TF
safe.
Juergen
[1]: https://github.com/QubesOS/qubes-issues/issues/7935
OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
