Intel MDS vulnerability and Hyperthreading
So what is the consensus regarding having hyperthreading on or off in pfSense?
Yes, I have read the announcement, and yes, it is running 2.4.4 p3, but the general BSD fixes this is based on still recommend turning off hyperthreading even with these fixes applied.
Is that only recommended for environments with bhyve virtual machines? Is it still OK to run pfSense with hyperthreading on?
For an i3-6100 just purchased 1 month ago that is utilized a lot, turning off hyperthreading is a massive loss.
Seems nobody wants to give a straight answer to this so I am trying here.
Motherboard BIOS update will land in a year if ever.
KOM
From what I have read, the problem is mainly with multi-tenant systems such as hypervisors. If you're just running a firewall then you should be fine.
Yes, it's a much, much greater threat for shared user systems like that. For a firewall it's only an immediate threat if you have a lot of users on the firewall with different access levels. Not a common scenario. There is still a threat, though, even if you only have admin users. Some other currently unknown exploit that allows only low-level access could use this type of vulnerability to get root access, for example. As long as you keep up to date, that risk is not huge IMO.
Have you actually tried disabling hyper-threading? What loss did you see?
You get less apparent cores in the OS but those cores perform better as they are not switching in the background.
So HT has to be disabled at the BIOS level then, if one chooses to do so?
Hmm, that's certainly where I would do it. I've never considered it might be possible after boot. As far as I know it is not.
You could set a sysctl tunable for machdep.hyperthreading_allowed=0 if you didn't want to disable HT in the BIOS.