Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Disables Intel CPU Hyper-Threading Due To Security Concerns (bleepingcomputer.com)

Posted by BeauHD on from the safety-first dept.

The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion.

But today, Mark Kettenis of the OpenBSD project, said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."

11 of 234 comments (clear)

  1. More cores less price by Anonymous Coward · · Score: 2, Informative

    Its 2018, entry level phones and $50 TV boxes come with 8x 64 bit cores. Not 2 cores split into 4 threads, or 4 cores split into 8.

    5 years ago, mainstream laptop was Core i3, 3217U with a cpu benchmark of 2300.
    5 years later and the mainstream is Core i3-7100T with a cpu benchmark of 5080

    5 years to only double performance, and then the increase comes from upping the clock speed (1.8Ghz vs 3.4 Ghz).

    Meanwhile ARM sells tens of billions of processors, and Intel sells 15% of that number and dropping. Intel tries to protect its profit on ever lower and lower numbers of sales.

    I'm reminded of IBM and its slow processors that cost $millions each, sold to customers who are the final lockins to their mainframes. That is Intel's future unless it starts to take competition seriously.

  2. About hyperthreading by Erik+Hensema · · Score: 5, Informative

    "a technology that allows processors to run parallel operations on different cores of the same multi-core CPU"

    Not it's not. It's a technology that allows processors to present a single physical core as two logical cores. Two threads of software can run simultaneously on a single physical core.

    It's mostly an optimization of the execution pipeline. When execution in one thread stalls, it can pick up processing in the other thread. It typically boosts performance by about 10-20%. And yes, I can see this could cause problems regarding timing if you can cause a pipeline stall based on a condition you want to test in the other thread on the same core. It'll be hard though. Maybe too hard to justify disabling HT altogether. Providing a switch to turn it off in case an exploit is discovered would be more wise I think.

    --

    This is your sig. There are thousands more, but this one is yours.

    1. Re:About hyperthreading by spth · · Score: 5, Informative

      As can be read in the post (referenced in the summary) on the OpenBSD mailing list, this new option was motivated by BIOSes no longer offering the option to disable hyperthreading.

  3. Re: Opt-In? by Anonymous Coward · · Score: 3, Informative

    They have the best documentation in the NIX world, and arguably the most consistent userland.

    I'm not even a regular user, as OpenBSD doesn't fit my use case, but you're waaaaay off base in claiming they don't put usability as a priority.

    After all, having consistent and clear usability is one of if not the single most important aspect of software security.

  4. Re:Opt-In? by K.+S.+Kyosuke · · Score: 5, Informative

    For AMD's SMT implementation, it's around 30% in heavy workloads. Hell, a Cinebench test by a Czech web site reported a 40% speed boost in Cinebench R15 for an 1800X. On Reddit, a 45% difference was reported for a 1600X.

    --
    Ezekiel 23:20
  5. Re: Opt-In? by phantomfive · · Score: 5, Informative

    It's an option, you can change the setting with a syscall. That's not clear from the summary, you have to click through to the actual announcement.

    --
    "First they came for the slanderers and i said nothing."
  6. Dunno by Artem+S.+Tashkinov · · Score: 5, Informative

    Note that SMT doesn't necessarily have a posive effect on performance; it highly depends on the workload. In all likelyhood it will actually slow down

    First of all, it surely looks like OpenBSD developers don't even have a working spellchecker and perhaps they are correct, saying that it doesn't necessarily have a "posive" effect.

    However, in all seriousness, I've seen at least two dozens tests of HT and in the worst case scenario it slows down your performance by less than a few percents, however, when we're talking servers, which nowadays run highly parallelized workloads where a single process may span several cores (nginx, mariadb, redis, mongodb, etc. etc. etc.) the performance gain from using HT may reach up to 30%, i.e. you're getting a third of your cores for free, which allows you to greatly cut expenditures and save on cooling.

    Yes, HT poses security challenges in a multiuser environment (say, for a hosting provider) where people might run any code they want, however a typical application server almost always runs a tightly controlled software stack, which means your server processes cannot run any foreign code, which means Meltdown/Spectre class attacks might be safely disregarded.

  7. Re:Opt-In? by BusterB · · Score: 5, Informative

    It's true. OpenBSD does not benefit from hyper-threading, at least on all Intel platforms I have tried. Having it off happens to be a small net-win for performance as well (a few percent on compile tests). This isn't just true for OpenBSD or for every workload either. Your mileage obviously may vary and should be tested.

  8. Re: A SpectreNG-variant that uses Hyperthreading? by Anonymous Coward · · Score: 5, Informative

    iPhone users:

    Settings > General > Keyboard ... set "Smart Punctuation" to Off.

    You're killing us with this shit, it's unreadable.

  9. Re: Opt-In? by Anonymous Coward · · Score: 2, Informative

    You should read about OpenBSD's purposes and intentions. They've always been about security, security, security, and anyone going into it should know that.

    I mean, just from the Wikipedia article:

    " As of February 2018, only two remote vulnerabilities have ever been found in the default install, in a period of almost 22 years - a fact prominently displayed on the OpenBSD website."

    "Many of its security features are optional or absent in other operating systems."

    "Its developers frequently audit the source tree for software bugs and security holes. According to OpenBSD expert Michael W. Lucas, OpenBSD "is widely regarded as the most secure operating system available anywhere, under any licensing terms.""

    So, yeah, it makes sense.

  10. Re:Opt-In? by gman003 · · Score: 3, Informative

    There are still programmers who optimize at that level - and then go one further, by pipelining in such a way that the core can execute both threads at as close to full speed as possible. Usually this ends when you're processing data as fast as the L1 cache can prefetch it - with SIMD instructions, you can hit 32 bytes/clock/thread (two 16-byte operations in one clock), while the L1 cache on the current-gen processors can read 64 bytes/clock/core.

    This isn't done on every program, or even most programs, and nobody's optimizing their entire codebase to this level, but for stuff like compressors/decompressors, or codecs, yeah, there's still programmers who will optimize all the way down to the metal.