Ozgur,
AFAIK, with hyperthreading on, side channel attacks and other CPU
vulnerabilities are much easier to achieve.
Also, under certain workloads hyperthreading actually reduces performance
(where you have high packet rate network I/O, for instance).

If you are using OpenBSD Current or Stable, SMT is off by default.
You can enable it by finding the sysctl containing "smt" and setting it to 1,
but I would benchmark to see if you get a positive performance
effect by enabling SMT for your particular workload.
SMT increases security risk considerably.
In instances where you are running browsers on your system,
virtual machines running for third parties on your system
(untrusted code running on your machine),
then SMT should probably be left off.

I'm sure there have been some discussions about it in the past and you
can check the archives.

Colin Percival gave a talk about CPU vulnerabilities at the EuroBSDCon;
it will help paint the picture for you.

On Fri, 24 Jan 2020 at 06:36, Özgür Kazancci <oz...@kazancci.com> wrote:

> Hi Aaron,
>
> Considering heavy traffic load&requests through web/sql server on the
> system, wouldn't that decrease performance? HT might not be too safe -
> OpenBSD is. :)
> I do know and am aware that the OpenBSD team suggests turning it off, but..
> Other than that, have you read anything else *specifically* regarding
> the security implementation of these CPUs?
>
> Many thanks.
> Best,
> Ozgur Kazancci
>
> On 24/01/2020 03:06, Aaron Mason wrote:
> > After reviewing your dmesg and googling the model of your CPU, might I
> > suggest/recommend turning off hyperthreading if you can.  Bad security
> > juju.
> >
>
> > On Thu, Jan 23, 2020 at 6:29 PM Andreas Kusalananda Kähäri
> > <andreas.kah...@abc.se> wrote:
> >>
> >> On Wed, Jan 22, 2020 at 11:30:51PM +0300, Özgür Kazancci wrote:
> >> > Hello everyone! Greetings to misc people!
> >> >
> >> > Got a brand new dedicated server with a hardware: Intel Xeon-E 2274G - 64GB
> >> > DDR4 ECC 2666MHz - 2x SSD NVMe 960GB
> >> > and installed "brand new" OpenBSD 6.6 on it. (I'm managing it remotely via
> >> > KVM/IPMI)
> >> >
> >> > After the first boot, dmesg is outputting sequentially between few seconds
> >> > delays:
> >> > "wsdisplay0 at inteldrm0 mux 1
> >> > init: can't open /dev/console: Device not configured" and the system doesn't
> >> > boot at all.
> >>
> >> Is it possible that it does actually boot but that you just don't see
> >> the messages.  Did you try pinging the machine or accessing it through
> >> SSH?
> >>
> >>
> >> >
> >> > Please refer to the screenshot attached: https://ibb.co/sQbt7F7
> >> >
> >> > And after few hours of forums/IRC-logs readings, I tried to try the
> >> > suggestion of lots of similar-people: "disable inteldrm"
> >> >
> >> > To do that, during the boot I typed "boot -c", then got a brand new error
> >> > (IPMI/KVM freezes, no more keyboard input):
> >> > "kbc: cmd word write error" (with a weird cursor)
> >> > Please refer to the screenshot attached: https://ibb.co/QchqhtY
> >> >
> >> > Anyways, wanted to skip that -for now-, rebooted the server again, and
> >> > booted into bsd.rd, mounted the / and /usr on the harddisk, chrooted into
> >> > there and did;
> >> > "config -ef /bsd", then "disable inteldrm" and "quit" to save the changes.
> >> > Finally rebooted.
> >> >
> >> > The system booted up fine! Got the login prompt shell, logged in, well, with
> >> > -an another- brand new error :)
> >> >
> >> > "reorder_kernel: failed - see /usr/...GENERIC.MP/relink.log"
> >>
> >> This sometimes indicates that the previous boot got to the kernel
> >> re-linking stage but that it got interrupted there.  I see this on VMs
> >> if I forcefully reboot them as soon as the login prompt appears.
> >>
> >>
> >> >
> >> > I guess that was because I modified the kernel, anyway, wanted to skip that
> >> > too -for now-. Did what I always do the first: syspatch
> >> >
> >> > installed the patches, rebooted the system, aand...Tada! "inteldrm0 is back,
> >> > b1tch3z!" :)
> >> >
> >> > Dmesg has again: "init: can't open /dev/console: Device not configured" and
> >> > delays there. No boot, again.
> >> >
> >> > My questions are:
> >> >
> >> > How can I get rid of the error "init: can't open /dev/console: Device
> >> > not configured" to be able to boot into the system?
> >> >
> >> > If that was the only way (disabling inteldrm), would I repeat it each time I
> >> > issue syspatch?
> >> >
> >> > And each time syspatch (re)installs the kernel, should I get the error
> >> > "reorder_kernel: failed", because I modified (disabled inteldrm) kernel?
> >> >
> >> > Any words on "kbc: cmd word write error" when I tried the 'boot -c'?
> >> >
> >> > I thank you for your time in reading all these,
> >> > And many thanks for your suggestions, in advance!
> >> >
> >> > Best,
> >> > Özgür Kazancci
> >>
> >> --
> >> Andreas (Kusalananda) Kähäri
> >> SciLifeLab, NBIS, ICM
> >> Uppsala University, Sweden
> >>
> >> .
> >>
>
>

-- 
Kindest regards,
Tom Smyth.
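
An added example, not part of the message above or of OpenBSD itself: a small audit for the SMT setting the message describes, checking both the running value and what `/etc/sysctl.conf` will apply at the next boot. `hw.smt` is the OpenBSD sysctl in question; the function names and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Audit whether SMT (hyperthreading) is off now AND stays off after reboot.
# hw.smt is the real OpenBSD sysctl; everything else here is hypothetical.

# smt_runtime: reads "sysctl hw" style output (name=value) on stdin,
# prints on, off or unknown.
smt_runtime() {
    awk -F= '$1 == "hw.smt" { v = $2 }
        END { if (v == "1") print "on";
              else if (v == "0") print "off";
              else print "unknown" }'
}

# smt_persistent: reads sysctl.conf text on stdin. Comments and whitespace
# are stripped, the last hw.smt assignment wins, and no assignment means
# the default, which is off.
smt_persistent() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
    awk -F= '$1 == "hw.smt" { v = $2 }
        END { if (v == "1") print "on"; else print "off" }'
}

# smt_audit RUNTIME_TEXT CONF_TEXT
# Prints both states; exit status 0 only when SMT is off in both places.
smt_audit() {
    now=$(printf '%s\n' "$1" | smt_runtime)
    boot=$(printf '%s\n' "$2" | smt_persistent)
    echo "runtime=$now persistent=$boot"
    [ "$now" = "off" ] && [ "$boot" = "off" ]
}

# Constructed sample inputs: SMT is off right now, but a leftover line in
# sysctl.conf would turn it back on at the next boot.
SAMPLE_SYSCTL='hw.ncpufound=8
hw.ncpuonline=4
hw.smt=0'
SAMPLE_CONF='# tuning
net.inet.ip.forwarding=1
hw.smt=1   # enabled for a benchmark run'

# On a live OpenBSD host:
#   smt_audit "$(sysctl hw)" "$(cat /etc/sysctl.conf 2>/dev/null)"
```

The sample pair shows the case worth catching on a host that runs untrusted code: SMT re-enabled for a benchmark and never removed from `sysctl.conf`.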
