Disabling Hyper-threading

Overview

If your computer contains an Intel(R) processor implementing out-of-order execution (which is effectively every processor Intel manufactured since 1995, with the exception of Intel(R) Itanium and Intel(R) Atom before 2013), chances are, your system can be exploited using Microarchitectural Data Sampling (MDS).

Disabling SMT [1] (commonly known as hyper-threading [2]) on Intel CPUs is a security measure worth considering to mitigate vulnerabilities like Foreshadow/L1TF, Fallout, and RIDL.

Having said that, the added security comes at the cost of reduced system performance. It is highly advisable to review and apply the following mitigation only for the SMT-specific concerns.

What is the problem with SMT and MDS?

Intel’s proprietary Simultaneous Multithreading (SMT) allows multiple execution threads to be executed on a single physical CPU core.

When buffers are shared between hyper-threads, SMT can lead to system exploitation.

Citing from a document published on kernel.org:

“When performing store, load, L1 refill operations, processors write data into temporary microarchitectural structures (buffers). The data in the buffer can be forwarded to load operations as an optimization.

Under certain conditions, usually a fault/assist caused by a load operation, data unrelated to the load memory address can be speculatively forwarded from the buffers. Because the load operation causes a fault or assist and its result will be discarded, the forwarded data will not cause incorrect program execution or state changes. But a malicious operation may be able to forward this speculative data to a disclosure gadget which allows in turn to infer the value via a cache side channel attack.

Because the buffers are potentially shared between Hyper-Threads cross Hyper-Thread attacks are possible.”

Mitigation mechanism

Even though the Linux kernel detects affected CPUs and the presence of the required microcode, in which case it enables some mitigation mechanisms by default [3], completely disabling hyper-threading is the complete solution, as regarded by the OpenBSD project in 2018 [4].

To check if your system is affected, run:

$ grep . -r /sys/devices/system/cpu/vulnerabilities/

If the output contains SMT vulnerable, you may proceed by using the following kernel parameters:

l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force

To do this, edit your /etc/default/grub file and append the given kernel options between the quotes in the GRUB_CMDLINE_LINUX_DEFAULT line.

The resulting GRUB_CMDLINE_LINUX_DEFAULT line should look something like this:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force"

And then automatically re-generate the grub.cfg file with:

# grub-mkconfig -o /boot/grub/grub.cfg

Changes will take effect upon reboot. After rebooting your system, the output of the grep command stated above should now contain SMT disabled.
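
The before and after checks described above can be scripted. The following is an added example, not part of the original article: smt_report reads the same sysfs directory as the grep command, and missing_params lists which of the four kernel parameters are still absent from GRUB_CMDLINE_LINUX_DEFAULT. The function names and the make_sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Kernel parameters the page asks you to append.
WANTED="l1tf=full,force mds=full,nosmt mitigations=auto,nosmt nosmt=force"

# smt_report [DIR]: print every entry whose status mentions SMT.
# Returns 0 if no entry says "SMT vulnerable", 1 if any does, 2 if DIR is missing.
smt_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    exposed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f" 2>/dev/null) || continue
        case $status in
            *"SMT vulnerable"*) echo "EXPOSED $(basename "$f"): $status"; exposed=1 ;;
            *"SMT disabled"*)   echo "OK      $(basename "$f"): $status" ;;
        esac
    done
    return "$exposed"
}

# missing_params [FILE]: print each wanted parameter that is absent from the
# GRUB_CMDLINE_LINUX_DEFAULT line of FILE; prints nothing when all are present.
missing_params() {
    file=${1:-/etc/default/grub}
    line=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" | tail -n 1)
    line=${line#*=}
    line=$(printf '%s' "$line" | tr -d "\"'")
    for p in $WANTED; do
        # Match whole space-separated words so "mds=full,nosmt" does not
        # satisfy the separate "nosmt=force" parameter.
        case " $line " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# make_sample DIR: write constructed sample data (not captured from a real host).
make_sample() {
    mkdir -p "$1/vuln"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$1/vuln/mds"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$1/vuln/l1tf"
    echo 'Not affected' > "$1/vuln/meltdown"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 l1tf=full,force mds=full,nosmt"' > "$1/grub"
}
# On a live host, source this file and run: smt_report; missing_params
```

A non-zero return from smt_report after the reboot means at least one entry still reports SMT vulnerable, so the parameters did not take effect.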
