Title: Disable SMT/Hyperthreading in all Intel BIOSes
Posted by Theo de Raadt-2 on Aug 23, 2018; 11:35am
Two recently disclosed hardware bugs affected Intel cpus:
- TLBleed
- T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround, AND the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two cpu instances and those shared resources lack security differentiators. Some of these side channel attacks aren't trivial, but we can expect most of them to eventually work and leak kernel or cross-VM memory in common usage circumstances, even such as javascript directly in a browser.
There will be more hardware bugs and artifacts disclosed. Due to the way SMT interacts with speculative execution on Intel cpus, I expect SMT to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS.
Also, update your BIOS firmware, if you can.
OpenBSD -current (and therefore 6.4) will not use hyperthreading if it is enabled, and will update the cpu microcode if possible.
But what about 6.2 and 6.3?
The situation is very complex, continually evolving, and is taking too much manpower away from other tasks. Furthermore, Intel isn't telling us what is coming next, and are doing a terrible job by not publically
documenting what operating systems must do to resolve the problems. We are having to do research by reading other operating systems. There is no time left to backport the changes -- we will not be issuing a complete set of errata and syspatches against 6.2 and 6.3 because it is turning into a distraction.
Rather than working on every required patch for 6.2/6.3, we will re-focus manpower and make sure 6.4 contains the best solutions possible.
So please try take responsibility for your own machines: Disable SMT in the BIOS menu, and upgrade your BIOS if you can.
I'm going to spend my money at a more trustworthy vendor in the future.
URL: http://openbsd-archive.7691.n7.nabble.com/Disable-SMT-Hypert...
Here it is: ]
---
Title: Disable SMT/Hyperthreading in all Intel BIOSes
Posted by Theo de Raadt-2 on Aug 23, 2018; 11:35am
Two recently disclosed hardware bugs affected Intel cpus:
- TLBleed
- T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround, AND the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two cpu instances and those shared resources lack security differentiators. Some of these side channel attacks aren't trivial, but we can expect most of them to eventually work and leak kernel or cross-VM memory in common usage circumstances, even such as javascript directly in a browser.
There will be more hardware bugs and artifacts disclosed. Due to the way SMT interacts with speculative execution on Intel cpus, I expect SMT to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS.
Also, update your BIOS firmware, if you can.
OpenBSD -current (and therefore 6.4) will not use hyperthreading if it is enabled, and will update the cpu microcode if possible.
But what about 6.2 and 6.3?
The situation is very complex, continually evolving, and is taking too much manpower away from other tasks. Furthermore, Intel isn't telling us what is coming next, and are doing a terrible job by not publically documenting what operating systems must do to resolve the problems. We are having to do research by reading other operating systems. There is no time left to backport the changes -- we will not be issuing a complete set of errata and syspatches against 6.2 and 6.3 because it is turning into a distraction.
Rather than working on every required patch for 6.2/6.3, we will re-focus manpower and make sure 6.4 contains the best solutions possible.
So please try take responsibility for your own machines: Disable SMT in the BIOS menu, and upgrade your BIOS if you can.
I'm going to spend my money at a more trustworthy vendor in the future.