QubesOS disables hyperthreading by default mostly because of this. CPUs that are affected are 6th generation Intel® Core™ processors, 7th generation Intel® Core™ processors, 8th generation Intel® Core™ processors, Intel® Xeon® Processor E3 v5 Family, Intel® Xeon® Processor E3 v6 Family. Only Intel processors are affected according to QSB. From my research, in CVEs: here, here and here there are lists of affected CPUs.
If I cannot find my specific Intel CPU on those lists, is my CPU affected and can I safely enable Intel Hyperthreading? There are some 7th, 8th, 6th gen CPUs that I couldn’t find on those lists, too. Also I saw a thread of someone asking about enabling that feature on a 12th gen Intel CPU, but it seems that CPUs above 8th gen aren’t affected.
Quote from QSB-43:
However, we believe there is a risk
that similar issues will be discovered in the future, and that having
hyper-threading disabled may mitigate those issues, as it does this one.
Therefore, we recommend that most users leave hyper-threading disabled
regardless of whether they use HVM qubes.
For example:
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
- XSA-426 (SMT is disabled in Qubes OS by default)
Also:
In case anyone is wondering what would be needed to enable smt=on again, the answer is a secrets-free hypervisor. Patches for Xen would be appreciated.
Thank you for responding, but it doesn’t answer my question. You just posted a few links that are related to the topic to some lower degree. Like “I’ll leave it here, and you draw your conclusions”. I asked if I can safely enable Intel Hyperthreading since I do not see my CPU on lists in linked CVEs. Also I am not asking how to enable this feature.
You can’t enable HT without risk; you have to decide for yourself if the extra CPU performance is worth it, but keep in mind it is not 100% extra, it’s more like 15-20%.
Unless you are a casual Qubes OS user, or you fully understand the risk, you shouldn’t enable HT.
There were vulnerabilities in Intel 12th gen CPUs related to hyper-threading, e.g.:
You can see the list of all reported issues here:
https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
So it may be safe to enable SMT today, but you may be vulnerable tomorrow.