Some of you may be aware of the recently announced Portsmash vulnerability:
https://www.openwall.com/lists/oss-secu ... 18/11/01/4
The problem comes from the design of the CPU itself: with hyperthreading (simultaneous multithreading, SMT for short) two hardware threads run on the same physical core and share its execution units, so a process on one thread can time its own instructions, observe contention on those units, and infer what the other thread is doing. The normal isolation between processes does nothing to stop this, because the leak happens below the level the OS controls.
OpenBSD 6.4 disabled SMT by default in anticipation of exactly this class of problem, and the advice for Linux is now to disable SMT in the firmware ("BIOS") settings, if there is an option for it.
Unfortunately, my machine has no such option, so I have to use a systemd unit file instead.
To write the unit we first need to determine which CPU(s) to turn off, so run this command:
empty@buster:~ $ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ MINMHZ
0 0 0 0 0:0:0:0 yes 2400.0000 1199.0000
1 0 0 0 0:0:0:0 yes 2400.0000 1199.0000
2 0 0 1 1:1:1:0 yes 2400.0000 1199.0000
3 0 0 1 1:1:1:0 yes 2400.0000 1199.0000
empty@buster:~ $
CPUs 0 and 1 share CORE 0 and CPUs 2 and 3 share CORE 1, so 1 and 3 are the second (sibling) threads of the two physical cores; those are the ones to take offline. To disable them, use this script (saved as /usr/local/bin/nosmt):
#!/bin/sh
# Take the SMT sibling threads offline. CPUs 1 and 3 are the second
# thread of cores 0 and 1 in the lscpu output above; adjust for your CPU.
# Writing to these sysfs files needs root, which the unit provides.
for n in 1 3
do echo 0 > /sys/devices/system/cpu/cpu${n}/online
done
And a matching onsmt script, saved as /usr/local/bin/onsmt, to re-enable SMT when the .service is stopped:
#!/bin/sh
# Bring the same sibling threads back online (the same list as in nosmt).
for n in 1 3
do echo 1 > /sys/devices/system/cpu/cpu${n}/online
done
Make both scripts executable:
chmod +x /usr/local/bin/{no,on}smt
Then create the unit file:
# /etc/systemd/system/nosmt.service
[Unit]
Description=Disable SMT (take hyperthread siblings offline)

[Service]
# oneshot: the unit only counts as started once nosmt has finished, and
# RemainAfterExit keeps it "active" so that "systemctl stop" runs ExecStop.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/nosmt
ExecStop=/usr/local/bin/onsmt

[Install]
WantedBy=multi-user.target
Enable the unit so it runs at every boot, and start it right away:
systemctl enable --now nosmt
SMT can be enabled again by stopping the .service:
systemctl stop nosmt
Whether the scripts ran, and any errors from them, can be checked in the unit's journal:
journalctl -u nosmt
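The scripts above hardcode the CPU numbers read off lscpu. As an added example (not the original poster's code), here is the same procedure generalised so it works on any machine: it reads each CPU's thread_siblings_list from sysfs, keeps the lowest-numbered thread of every core online, offlines the rest, and adds a check that no core is still running two threads. The variable SYSFS_CPU, the script name smtctl and its off/on/list/check subcommands are choices made for this example. The script relies on two facts about sysfs: cpu0 has no online file, and once a CPU is offline its topology/ directory disappears, so re-enabling simply brings back every CPU that reports itself as offline. It uses seq from coreutils to expand ranges such as "2-3".

```shell
#!/bin/sh
# Added example, not the original poster's nosmt/onsmt scripts: derive the
# SMT sibling list from sysfs instead of hardcoding "1 3".
# Assumption: SYSFS_CPU can be pointed at a fake directory tree to exercise
# the logic without root or real hardware.
SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# Expand a sysfs cpulist such as "0,1", "2-3" or "0-3,8" to one number per line.
expand_list() {
    echo "$1" | tr ',' '\n' | while IFS=- read -r a b; do
        if [ -n "$b" ]; then seq "$a" "$b"; else echo "$a"; fi
    done
}

# Print every hardware thread that is not the lowest-numbered thread of its
# core, one per line, sorted. thread_siblings_list reads like "0,1" or "0-1";
# its first entry is the sibling we keep online.
smt_siblings_to_offline() {
    for dir in "$SYSFS_CPU"/cpu[0-9]*; do
        n="${dir##*/cpu}"
        list="$dir/topology/thread_siblings_list"
        [ -r "$list" ] || continue
        first=$(sed 's/[,-].*//' "$list")
        if [ "$n" != "$first" ]; then
            echo "$n"
        fi
    done | sort -n -u
    return 0
}

# "0": take the sibling threads offline. "1": bring every offline CPU back.
# An offlined CPU has no topology/ directory any more, so re-enabling cannot
# use the sibling map; it onlines whatever sysfs reports as off instead.
# Writing to the online files needs root on a real system.
set_smt() {
    if [ "$1" = "0" ]; then
        for n in $(smt_siblings_to_offline); do
            echo 0 > "$SYSFS_CPU/cpu$n/online"
        done
    else
        for f in "$SYSFS_CPU"/cpu[0-9]*/online; do
            [ -r "$f" ] || continue
            if [ "$(cat "$f")" = "0" ]; then
                echo 1 > "$f"
            fi
        done
    fi
    return 0
}

# Check: succeed only if no online CPU has an online sibling on the same
# core. Offline CPUs are skipped, as their topology/ is gone on real sysfs.
check_smt_off() {
    for dir in "$SYSFS_CPU"/cpu[0-9]*; do
        n="${dir##*/cpu}"
        list="$dir/topology/thread_siblings_list"
        [ -r "$list" ] || continue
        if [ -r "$dir/online" ] && [ "$(cat "$dir/online")" = "0" ]; then
            continue
        fi
        for s in $(expand_list "$(cat "$list")"); do
            [ "$s" = "$n" ] && continue
            # a sibling still online means this core still runs two threads
            if [ -r "$SYSFS_CPU/cpu$s/online" ] &&
               [ "$(cat "$SYSFS_CPU/cpu$s/online")" = "1" ]; then
                return 1
            fi
        done
    done
    return 0
}

case "${1:-}" in
    off)   set_smt 0 ;;
    on)    set_smt 1 ;;
    list)  smt_siblings_to_offline ;;
    check) check_smt_off ;;
esac
```

Installed as /usr/local/bin/smtctl, it replaces both scripts in the unit (ExecStart=/usr/local/bin/smtctl off, ExecStop=/usr/local/bin/smtctl on); smtctl check exits non-zero while any core still has two online threads, and lscpu --extended should show the siblings with ONLINE set to "no". Two caveats apply to the whole approach: the unit only runs once multi-user.target is reached, so the siblings are online for all of early boot; and on kernels 4.19 and later (and the stable kernels that received the L1TF backports) the kernel can do this itself, either with the nosmt boot parameter or by writing off to /sys/devices/system/cpu/smt/control, which is preferable where it is available.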