[Admin] OpenBSD disables Intel's hyperthreading due to security concern [openbsd]


Via: https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html


Module name: src

Changes by: kette...@cvs.openbsd.org 2018/06/19 13:29:52

Modified files:

         sys/arch/amd64/amd64: cpu.c
         sys/arch/amd64/include: cpu.h
         sys/kern : kern_sched.c kern_sysctl.c
         sys/sys : sched.h sysctl.h
Log message:

SMT (Simultanious Multi Threading) implementations typically share

TLBs and L1 caches between threads. This can make cache timing

attacks a lot easier and we strongly suspect that this will make

several spectre-class bugs exploitable. Especially on Intel's SMT

implementation which is better known as Hypter-threading. We really

should not run different security domains on different processor

threads of the same core. Unfortunately changing our scheduler to

take this into account is far from trivial. Since many modern

machines no longer provide the ability to disable Hyper-threading in

the BIOS setup, provide a way to disable the use of additional

processor threads in our scheduler. And since we suspect there are

serious risks, we disable them by default. This can be controlled

through a new hw.smt sysctl. For now this only works on Intel CPUs

when running OpenBSD/amd64. But we're planning to extend this feature

to CPUs from other vendors and other hardware architectures.

Note that SMT doesn't necessarily have a posive effect on performance;

it highly depends on the workload. In all likelyhood it will actually

slow down most workloads if you have a CPU with more than two cores.

ok deraadt@