Representatives from the OpenBSD project announced today on their mailing list that they’ll soon be disabling support for hyper-threading (HT) technology on machines that use Intel-based CPU architectures. With many people concerned about so-called Spectre-class bugs, these developers felt the most prudent course of action was to turn the technology off by default.
This technology serves as a proprietary implementation of Simultaneous Multithreading (SMT) techniques. Computer chips that use HT modules run parallel operations on separate cores of a single multi-core CPU. Intel’s engineers have long claimed that this increases performance over using a more traditional method of performing calculations.
Benchmarks have sometimes proven that HT-enabled chips can outperform traditional multi-core CPUs by several orders of magnitude. This might explain why the feature has been included with almost all Intel chips manufactured in the last 16 years.
Mark Kettenis spoke on behalf of the OpenBSD project, saying that the dev team was removing support for Intel’s HT technology because it leaves the door open for timing-based vulnerabilities. Cryptographic attacks that permit outside observers to record and analyze the time taken to execute specific algorithms could allow attackers to read encrypted data.
Since many machines no longer permit administrators to disable HT support in the UEFI or BIOS configuration screens, OpenBSD is doing so at the operating system level. Critics have stated that this will significantly slow down throughput on servers as well as OpenBSD workstations deployed to end-users. This kind of performance is particularly important on OpenBSD machines working as web servers.
Kettenis, however, stated that switching the technology off won’t cause systems to slow down. He even went so far as to say disabling it could prevent performance problems on CPUs that have more than two cores.
The new setting, the hw.smt sysctl, is configurable by those with root access. Those who need to leverage HT technology on Intel chips and understand the security risks can manually re-enable it. In spite of the attention paid to Intel’s native support, this setting is architecture agnostic and will disable any onboard SMT features in chips assembled by other vendors like AMD as well. Kettenis stated that it only works on Intel CPUs running OpenBSD/amd64 at the moment, however.
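For administrators who want to confirm that nobody has turned the setting back on, here is an added example (not OpenBSD project code and not part of the original article) that audits a host's hw.smt state. It assumes hw.smt=1 means SMT is enabled, that /etc/sysctl.conf holds name=value lines with # comments applied in order at boot, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether SMT has been re-enabled on an OpenBSD host.
# Assumption: sysctl.conf lines are applied in order at boot, so the last
# hw.smt assignment in the file is the one that takes effect.

# Print the hw.smt value a sysctl.conf-style file would set, or "unset".
conf_smt() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        { gsub(/[ \t]/, "") }              # tolerate stray whitespace
        /^hw\.smt=/ { v = substr($0, 8) }  # keep the last assignment
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Classify a host from its boot-time config and the live value.
# $1 = path to sysctl.conf, $2 = output of `sysctl -n hw.smt` (may be empty)
smt_status() {
    boot=$(conf_smt "$1")
    live=${2:-unknown}
    if [ "$boot" = "1" ]; then
        echo "persistent-enable"   # re-enabled on every boot
    elif [ "$live" = "1" ]; then
        echo "runtime-enable"      # root flipped it after boot; lost on reboot
    elif [ "$live" = "0" ]; then
        echo "disabled"
    else
        echo "unverified"          # no live value supplied
    fi
}

# Constructed sample config (not taken from a real host).
sample_conf() {
    cat <<'EOF'
# /etc/sysctl.conf (constructed sample)
net.inet.ip.forwarding=1
#hw.smt=1
hw.smt=0    # default
hw.smt=1    # re-enabled for a batch workload
EOF
}

# On an OpenBSD host: smt_status /etc/sysctl.conf "$(sysctl -n hw.smt)"
```

A result of persistent-enable or runtime-enable marks a machine where someone with root access has opted back into SMT and accepted the timing-attack exposure described above.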
OpenBSD already has a reputation for being an extremely secure OS, so these changes shouldn’t come as a surprise to those in the server industry.