mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-02-20 18:31:35 -05:00

Comments regarding the costs of disabling SMT

Raja Grewal 2022-11-16 02:20:06 +11:00
parent 493ed8d53e
commit 5f3a96058f
No known key found for this signature in database
GPG Key ID: 3AE213D7DCCA7CCB


@ -265,7 +265,7 @@ In this section we succinctly present the parameters used by Kicksecure as those
spectre_v2=on spec_store_bypass_disable=on l1tf=full,force mds=full,nosmt tsx=off tsx_async_abort=full, mds=full,nosmt kvm.nx_huge_pages=force nosmt=force l1d_flush=on mmio_stale_data=full,nosmt
```
[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly.
[SMT](https://en.wikipedia.org/wiki/Simultaneous_multithreading) is disabled due to it being the cause of various security vulnerabilities. Also, on rpm-ostree based distributions, you should set the kernel parameters using `rpm-ostree kargs` rather than messing with `GRUB` configurations directly. As an aside, one should keep in mind that despite the clear security benefits of disabling SMT, the very popular `linux-hardened` kernel for Arch linux does not disable it by default given the [large potential performance costs](https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365). You should determine your own desired level of risk mitigation and if you choose to keep SMT enabled, simply remove all occurrences of `nosmt` and `nosmt=force` from the above parameters.
- Kernel
```
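Review bot: the new closing sentence of the SMT paragraph ("simply remove all occurrences of `nosmt` and `nosmt=force`") is incomplete for the parameter line directly above it. Deleting the bare `nosmt` token from `mds=full,nosmt` and `mmio_stale_data=full,nosmt` leaves a dangling comma unless the text says to drop `,nosmt`, and `l1tf=full,force` stays in place even though the kernel documents `l1tf=full` as disabling SMT and `full,force` as implying `nosmt=force`, so a reader following the sentence still boots with SMT off. Suggest spelling out the exact replacements (for example `mds=full`, `mmio_stale_data=full`, and an `l1tf` value that leaves SMT on, such as `flush`). While touching this paragraph, the context line also carries `mds=full,nosmt` twice and a stray trailing comma in `tsx_async_abort=full,`, which is worth cleaning up so the removal instruction is unambiguous; "Arch linux" should read "Arch Linux".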