This has been tested on a Google Skylake platform.
One potential issue with this test is that it fails (that is, the exploit succeeds) when using the conditional L1D flush, because the gadget is injected into the hypercall path which doesn't appear to include a flush. If this is unacceptable, we should discuss how to amend the test so that it can be used to evaluate the conditional flush logic as well. This would basically mean simulating some more complicated gadget where the "attacker" has found another way to steer the host kernel towards the target data, instead of just a simple hypercall.
The reason this limitation is tolerable to me is my ulterior motive, i.e. because I am specifically interested in an end-to-end test for Address Space Isolation [0], which is abstracted from these details of the exploit.
Based on kvm/next.
[0] https://lore.kernel.org/all/20250924-b4-asi-page-alloc-v1-0-2d861768041f@goo...
Signed-off-by: Brendan Jackman jackmanb@google.com --- Alexandra Sandulescu (1): KVM: x86: selftests: add an L1TF exploit test
Brendan Jackman (1): selftests: fix installing nested TEST_GEN_MODS_DIR
tools/testing/selftests/kvm/Makefile.kvm | 7 + tools/testing/selftests/kvm/x86/l1tf_test.c | 633 +++++++++++++++++++++ tools/testing/selftests/kvm/x86/l1tf_test.sh | 10 + .../selftests/kvm/x86/test_modules/Makefile | 10 + .../kvm/x86/test_modules/l1tf_test_helper.c | 92 +++ tools/testing/selftests/lib.mk | 2 +- 6 files changed, 753 insertions(+), 1 deletion(-) --- base-commit: 6b36119b94d0b2bb8cea9d512017efafd461d6ac change-id: 20251013-l1tf-test-1bee540cefb4
Best regards,