Turn off HT / SMT threading


Post#1 by nanZor » 21 May 2019, 06:32

I wanted to be able to use a cheatcode with Porteus to be able to turn off HT/SMT hyperthreading in light of the recent MDS Intel CPU issues.

Thing is, the old "noht" cheatcode only works up to about kernel 2.6 or so. Most of us are well beyond that where that doesn't work.

The best I could research to come up with a quick Porteus solution (or other system that allows for easy cheatcode use) is to determine if you are running hyperthreading in the first place, and then disabling the virtual CPUs. Here's how:

Look for any *duplicate* core IDs in

Code:

cat /proc/cpuinfo

If you see duplicate core IDs, then one of them is physical and one is virtual, indicating hyperthreading. (I.e., two CPUs with each of them having an ID of zero, two more with IDs sharing 1, etc.)

If you boot into the system, and see this in cpuinfo, you can force the system to just use *physical* CPUs with the maxcpus=X cheatcode with a reboot. Handy for walking up to machines and using with Porteus if HT enabling is a concern for you.

I.e., if I had a dual-core system that shows up as having 4 core IDs (0 and 0, 1 and 1), I'd use the cheatcode

Code:

maxcpus=2

Obviously this will depend on what you find in the cpuinfo file. Don't forget the "s" at the end of maxcpu. :)

Note that I am NOT a security expert, but this seemed to be the quickest method I could research for getting it done with a simple cheatcode. It is also an interesting way to see if hyperthreading is actually helping or possibly hurting your setup, even if the security aspects aren't the major priority. Run htop, top, or some other util to witness the fun.

Details about this are all over, but I found it interesting that Google Chromebooks have it turned off by default at this point, along with OpenBSD since 6.4 I believe.
That's a UNIX book - cool. -Garth


Post#2 by fanthom » 21 May 2019, 08:00

Hi nanZor,

I think 'nosmp' cheatcode should be enough to disable hyperthreading.

Thanks
Please add [Solved] to your thread title if the solution was found.


Post#3 by nanZor » 21 May 2019, 11:57

Thanks fanthom! I'll have to try that on some Intel hardware I loaned out back at work....

BUT, when using nosmp cheatcode on my AMD box at home as a test, it reduced it from 4 cores to just 1 core! That's a little too aggressive. :) Using maxcpus=0 also resorted to only 1 core! I need to test this on my Intel stuff.

I'll dig into my hardware some more and see what's up (I don't think this AMD box was doing HT anyway). Either that or htop was lying to me....

Nope - just regular top and toggling the "1" key to show cpus, only shows one now. I'll get back on this and report back...
That's a UNIX book - cool. -Garth


Post#4 by nanZor » 21 May 2019, 21:32

AHA! Don't panic people, or it could hurt you. :)

If one panics and blindly issues the nosmp cheatcode, when your chipset isn't capable of hyperthreading in the first place, you could knock yourself back to just one core.

Got my Intel NUC running a Celeron J3455 and the specs show it can't do HT in the first place.
https://ark.intel.com/content/www/us/en ... 3-ghz.html

So ... I guess making sure you are running with an HT-capable chipset. Looking at /proc/cpuinfo for parent/sibling CPUs with the same core ID is one way of doing that. THEN maybe the nosmp cheatcode would work just fine. (without having to do the math of cutting your maxcpus=N/2 in half as an alternate)

But if you panic and apply nosmp cheatcode to a chip not capable of HT in the first place, you'll just chop off what the box is capable of, without any security benefit.

Ok, maybe I'll take my NUC back home as a backup.
That's a UNIX book - cool. -Garth
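
Added example (not part of any post in this thread): a shell function that automates the /proc/cpuinfo check described in posts #1 and #4 and also reports whether the first N logical CPUs, which are the ones maxcpus=N brings up at boot, sit on N distinct cores. The function names, the output format and the sample cpuinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SMT topology from /proc/cpuinfo-format text.
# Usage: smt_report /proc/cpuinfo      (or pipe cpuinfo text on stdin)

smt_report() {
    awk -F': *' '
        /^processor/   { n++; pkg = 0 }        # new logical CPU; package defaults to 0
        /^physical id/ { pkg = $2 }
        /^core id/     { key = pkg "/" $2      # a core is identified by (package, core id)
                         order[n] = key
                         if (!(key in seen)) { seen[key] = 1; cores++ } }
        END {
            if (cores == 0) { print "logical=" n " cores=unknown"; exit }
            # Do the first <cores> logical CPUs each sit on a different core?
            ok = "yes"
            for (i = 1; i <= cores; i++) {
                if (order[i] in first) ok = "no"
                first[order[i]] = 1
            }
            printf "logical=%d cores=%d smt=%s first_n_distinct=%s\n",
                   n, cores, (n > cores ? "yes" : "no"), ok
        }' "$@"
}

# Constructed sample input: each pair of arguments is (processor, core id).
mk_cpuinfo() { printf 'processor\t: %s\nphysical id\t: 0\ncore id\t\t: %s\n\n' "$@"; }

# 2 cores / 4 threads, sibling threads enumerated last (core ids 0,1,0,1).
sample_split()    { mk_cpuinfo 0 0 1 1 2 0 3 1; }
# 2 cores / 4 threads, sibling threads enumerated adjacently (core ids 0,0,1,1).
sample_adjacent() { mk_cpuinfo 0 0 1 0 2 1 3 1; }
# 4 cores, no SMT: every core id is unique.
sample_nosmt()    { mk_cpuinfo 0 0 1 1 2 2 3 3; }

sample_split    | smt_report
sample_adjacent | smt_report
sample_nosmt    | smt_report
```

If first_n_distinct=no, booting with maxcpus set to the core count would still leave two threads of one core online. Kernels that provide /sys/devices/system/cpu/smt/control also accept the nosmt boot parameter, which takes sibling threads offline without this arithmetic.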
