Hello guys,
It is quite late and I am pretty tired because Intel allowed me to spend another evening investigating what they did wrong. So here is just the short version of this:
I had a call with Peter and Arne today and we discussed what we can do to actually fix the latest Intel vulnerabilities. There is only one option, which is to disable SMT - otherwise known as Intel Hyper-Threading - by default.
This will decrease performance by at least 40%. I think with our workload it might be worse.
There is a new CGI which allows you to see how your hardware is affected and it allows you to force HT on if you really really want it and do not care about people breaking into your firewall.
The code has just been pushed into next. Because I want to get this update out as soon as possible, please help me test it, and if you have the time to do some benchmarks, it would be good to know how much performance we are actually losing.
If you have questions, please don’t hesitate to ask.
I am going to bed now :)
-Michael
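
An added example, not part of the original message and not IPFire's CGI code: a shell function that reads what the Linux kernel exposes under /sys/devices/system/cpu (the vulnerabilities/ files and smt/control) to show how a machine is affected and whether SMT is active. The function name `smt_report` and its optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IPFire code): summarise CPU vulnerability status and the
# SMT state from the Linux sysfs interface.
#
# Usage: smt_report [CPU_SYSFS_ROOT]
#   CPU_SYSFS_ROOT defaults to /sys/devices/system/cpu. It is a parameter
#   (an assumption of this example) so the function can also be run against
#   a constructed directory tree.
#
# Prints one "name: status" line per file in vulnerabilities/, then the
# content of smt/control (on, off, forceoff, notsupported, notimplemented).
# Returns 0 when no entry reports "SMT vulnerable", 1 otherwise.
smt_report() {
    root="${1:-/sys/devices/system/cpu}"
    rc=0

    for f in "$root"/vulnerabilities/*; do
        # Skip the unexpanded glob on kernels without this directory.
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "${f##*/}" "$status"
        case "$status" in
            # The kernel appends this when sibling threads are active and
            # the mitigation does not cover cross-thread leakage.
            *"SMT vulnerable"*) rc=1 ;;
        esac
    done

    if [ -r "$root/smt/control" ]; then
        printf 'smt/control: %s\n' "$(cat "$root/smt/control")"
    else
        printf 'smt/control: not available on this kernel\n'
    fi

    return "$rc"
}
```

Call `smt_report` with no argument on the firewall itself; a non-zero return means at least one entry still reports SMT as a remaining exposure.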
So far I'm not seeing a major impact on my system: x86_64 Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz. Running ClamAV and IPS, typical load is still under 5% even when running internet speed tests; most of the time it's less than 1%. The only time I see load is when applying IPS rules, 40-60% peak.
Regards Wayne
-----Original Message-----
From: Development [mailto:development-bounces@lists.ipfire.org] On Behalf Of Michael Tremer
Sent: Monday, May 20, 2019 4:57 PM
To: IPFire: Development-List
Subject: Disabling SMT by default on affected Intel processors