Intel MDS vulnerability and Hyperthreading

  • So what is the consensus regarding having hyperthreading on or off in pfSense?

    Yes, I have read the announcement and yes, it is running 2.4.4 p3, but the general BSD fixes this is based on still recommend turning off hyperthreading even with these fixes applied.

    Is that only recommended for environments with bhyve virtual machines? Is it still OK to run pfSense with hyperthreading on?

    For an i3-6100 just purchased 1 month ago that is utilized a lot, turning off hyperthreading is a massive loss.

    Seems nobody wants to give a straight answer to this so I am trying here.

    Motherboard BIOS update will land in a year if ever.

    Thank You

  • From what I have read, the problem is mainly with multi-tenant systems such as hypervisors. If you're just running a firewall then you should be fine.

  • Netgate Administrator

    Yes, it's a much, much greater threat for shared user systems like that. For a firewall it's only an immediate threat if you have a lot of users on the firewall with different access levels. Not a common scenario. There is still a threat though even if you only have admin users. Some other currently unknown exploit that allows only low level access could use this type of vulnerability to get root access, for example. As long as you keep up to date that risk is not huge IMO.

    Have you actually tried disabling hyper-threading? What loss did you see?

    You get less apparent cores in the OS but those cores perform better as they are not switching in the background.


  • So HT has to be disabled at the BIOS level then, if one chooses to do so?

  • Netgate Administrator

    Hmm, that's certainly where I would do it. I've never considered it might be possible after boot. As far as I know it is not.


  • Rebel Alliance Developer Netgate

    You could set a sysctl tunable for machdep.hyperthreading_allowed=0 if you didn't want to disable HT in the BIOS.
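The following script is an added example and is not code from the thread or from Netgate. It shows the defender-side check that the last two replies imply: reading whether SMT siblings are online on a FreeBSD-based box (pfSense), reading the current value of `machdep.hyperthreading_allowed`, and writing that tunable into a loader configuration file. Assumptions: `kern.smp.threads_per_core` and `hw.mds_disable_state` are FreeBSD sysctls I know from the base system, not names taken from this thread; `machdep.hyperthreading_allowed` is a boot-time tunable, so it is read from the loader configuration at boot rather than toggled live; the file path passed to `set_tunable_in_file` is a constructed example path, and on pfSense the equivalent file would be `/boot/loader.conf.local`.

```shell
#!/bin/sh
# Added example (not from the thread): audit hyperthreading / MDS mitigation
# state on a FreeBSD-based firewall and persist the HT-disable tunable.

# Classify SMT state from kern.smp.threads_per_core (an integer).
# Prints "on" when more than one hardware thread per core is online, else "off".
ht_state_from_threads() {
    if [ "$1" -gt 1 ] 2>/dev/null; then echo on; else echo off; fi
}

# Write key="value" into a loader.conf-style file, replacing any existing line
# for that key and leaving other tunables untouched.
# $1 = file path, $2 = tunable name, $3 = value.
# machdep.hyperthreading_allowed is read at boot (a loader tunable), so this
# only takes effect after a reboot; it cannot be flipped on a running system.
set_tunable_in_file() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    # awk splits on '=', keeps every line whose key differs; exits 0 even when
    # nothing is kept, so this is safe under 'set -e'.
    if [ -f "$file" ]; then
        awk -F= -v k="$key" '$1 != k' "$file" > "$tmp"
    fi
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Read the live values via sysctl when running on FreeBSD; on other systems
# (or a build host) the sysctl names do not exist and "n/a" is reported.
report_live() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not available"; return 0; }
    tpc=$(sysctl -n kern.smp.threads_per_core 2>/dev/null || echo 1)
    echo "hyperthreading: $(ht_state_from_threads "$tpc") (threads per core: $tpc)"
    echo "machdep.hyperthreading_allowed: $(sysctl -n machdep.hyperthreading_allowed 2>/dev/null || echo n/a)"
    echo "hw.mds_disable_state: $(sysctl -n hw.mds_disable_state 2>/dev/null || echo n/a)"
}

# Usage (constructed path; on pfSense this would be /boot/loader.conf.local):
#   set_tunable_in_file /tmp/loader.conf.local.example machdep.hyperthreading_allowed 0
report_live
```

After writing the tunable, a reboot is needed for the kernel to stop scheduling on the sibling threads; `report_live` run afterwards should show one thread per core and `hyperthreading: off`.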
