Security Announcement: Disabling SMT by default on affected Intel processors

by Michael Tremer, May 22, 2019


This is an important announcement about an upcoming change in the next Core Update of IPFire.

Because of the recent vulnerabilities in Intel processors, the IPFire team has decided that, to keep systems as secure as possible, Simultaneous Multi-Threading (SMT) will automatically be disabled if the processor is vulnerable to one of these attacks.

SMT is also called Intel(R) Hyper-Threading Technology and presents more virtual cores than the system physically has. This allows faster processing for applications that benefit from it, and unfortunately networking is one of the workloads that does. The effect of disabling SMT will therefore be a very significant performance impact of around 30% or more. Applications that will be affected in IPFire are the firewall throughput itself as well as other CPU- and memory-bound tasks like the web proxy and the Intrusion Prevention System. On systems that are not vulnerable to this attack, SMT is left enabled. If you still want to disable it, please do so in the BIOS of your firewall.
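The policy described above (leave SMT on where the CPU is not affected, turn it off where it is) can be checked on any Linux system from the two status strings the kernel publishes under sysfs. The script below is an added example, not IPFire's own code: it reads `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control` (both real kernel interfaces), classifies the result, and shows the runtime switch the kernel offers. The sample status strings it exercises at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire's own code): decide whether SMT should be
# switched off on a Linux box, using the two status strings the kernel
# exposes under sysfs:
#   /sys/devices/system/cpu/vulnerabilities/mds   e.g. "Not affected",
#       "Vulnerable", "Mitigation: Clear CPU buffers; SMT vulnerable"
#   /sys/devices/system/cpu/smt/control            on | off | forceoff |
#       notsupported | notimplemented

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# smt_verdict MDS_STATUS SMT_STATE
# Prints one of: not-affected | disable-smt | smt-already-off | unsupported | unknown
smt_verdict() {
    mds="$1"
    smt="$2"
    # A CPU the kernel reports as not affected keeps SMT (the policy above).
    case "$mds" in
        "Not affected"*) echo "not-affected"; return 0 ;;
    esac
    # Anything else ("Vulnerable..." or "Mitigation...") is an affected part,
    # and an unreadable status is treated the same way (conservative default):
    # the only question left is whether SMT is actually on right now.
    case "$smt" in
        on)                          echo "disable-smt" ;;
        off|forceoff)                echo "smt-already-off" ;;
        notsupported|notimplemented) echo "unsupported" ;;
        *)                           echo "unknown" ;;
    esac
}

# Read the live values; fall back to placeholders when the kernel is too old
# to expose them (the mds file appeared in Linux 5.1 and its stable backports).
live_verdict() {
    mds=$(cat "$MDS_FILE" 2>/dev/null || echo "unknown")
    smt=$(cat "$SMT_FILE" 2>/dev/null || echo "notimplemented")
    echo "mds: $mds" >&2
    echo "smt: $smt" >&2
    smt_verdict "$mds" "$smt"
}

# Turn SMT off at runtime (root only; sibling threads go offline immediately).
# This does not survive a reboot: for a persistent setting use the kernel
# parameters nosmt or mds=full,nosmt.
disable_smt_runtime() {
    echo off > "$SMT_FILE"
}

# Constructed sample inputs, exercised so the script demonstrates itself offline.
for sample in \
    "Not affected|on" \
    "Vulnerable|on" \
    "Mitigation: Clear CPU buffers; SMT vulnerable|on" \
    "Mitigation: Clear CPU buffers; SMT disabled|off" ; do
    mds=${sample%%|*}
    smt=${sample##*|}
    printf '%-48s %-4s -> %s\n' "$mds" "$smt" "$(smt_verdict "$mds" "$smt")"
done
```

Run `live_verdict` on a real machine to see what the kernel itself reports; `disable_smt_runtime` is only meaningful when the verdict is `disable-smt`, and the BIOS setting mentioned above or the `nosmt` kernel parameter is the way to make the choice stick across reboots.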

We think that this step is inevitable to keep all IPFire systems secure. The mitigations that have been provided by the Linux kernel developers and the microcode updates that have been provided by Intel are not enough to close this vulnerability. Indeed the underlying hardware is broken and cannot be fixed.

Disabling SMT does not fix this vulnerability either. According to the researchers who discovered it, it "reduces the impact of MDS-based attacks without the cost of more complex mitigations". In short, keeping SMT switched on would require so many additional checks that code would run slower than with SMT disabled altogether. A good technical insight into how the attack works can be found here.

This is a very unfortunate development and we do not look forward to rolling out this code to all users. In recent months, there have been no steps to fix the underlying issues in the affected processors. Hardware that is currently available for purchase still has these issues and is not fit for use in a firewall. Therefore we have to use all options available to us to mitigate these issues in software, which will always come with performance costs like these. If at any point in the future a better mitigation is available, we will of course revert this precautionary step.

Ultimately security is more important than throughput, and we pledge that we will keep doing uncomfortable things like this in the future. Some other vendors recommend disabling SMT on affected processors, but we are making this the default since a firewall is especially exposed on the network and of course a good target for any intruder. The ZombieLoad vulnerability (CVE-2018-12130) could put cryptographic keys and other sensitive material at risk, which brings anyone who obtains those into a position to cause large damage to any network.