|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading enabled" .. or not?
On 08/31/2018 02:12 AM, Hans van Kranenburg wrote: > On 08/31/2018 02:09 AM, Hans van Kranenburg wrote: >> I have some HP ProLiant DL360 G7 (P68) servers here, and I just put this >> BIOS update on them: >> >> https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_23267b7aabb6489a8332d06919#tab3 >> >> Version: 2018.05.21(2 Jul 2018) >> >> The release notes contain a whole story about "This revision of the >> System ROM includes the latest revision of the Intel microcode which, in >> combination with operating system and hypervisor updates, provides >> mitigation for the L1 Terminal Fault – OS/SMM (CVE-2018-3620) and L1 >> Terminal Fault – VMM (CVE-2018-3646) security vulnerabilities." >> >> In the BIOS cpu settings, hyperthreading is disabled. This server >> contains 2x 6-core Intel(R) Xeon(R) CPU X5675 @ 3.07GHz >> >> From xen info: (4.11, built from stable-4.11 commit 733450b39b) >> >> -# xen info >> host : rho >> release : 4.17.0-0.bpo.3-amd64 >> version : #1 SMP Debian 4.17.17-1~bpo9+1 (2018-08-27) >> machine : x86_64 >> nr_cpus : 12 >> max_cpu_id : 31 >> nr_nodes : 2 >> cores_per_socket : 6 >> threads_per_core : 1 From server startup serial console: ---- >8 ---- 108 GB Installed ProLiant System BIOS - P68 (05/21/2018) Copyright 1982, 2018 Hewlett-Packard Development Company, L.P. 2 Processor(s) detected, 12 total cores enabled, Hyperthreading is disabled Proc 1: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz Proc 2: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz QPI Speed: 6.4 GT/s HP Power Profile Mode: Custom Power Regulator Mode: Static High Performance Advanced Memory Protection Mode: Advanced ECC Support Redundant ROM Detected - This system contains a valid backup system ROM. Inlet Ambient Temperature: 20C/68F ---- >8 ---- "Hyperthreading is disabled" >> Still, xl dmesg shows me: >> >> (XEN) *************************************************** >> (XEN) Booted on L1TF-vulnerable hardware with SMT/Hyperthreading >> (XEN) enabled. Please assess your configuration and choose an >> (XEN) explicit 'smt=<bool>' setting. See XSA-273. >> (XEN) *************************************************** >> >> What's wrong here? > > Additionally: So, interestingly, this information (from dom0) lists ht again in flags: > -# cat /proc/cpuinfo > processor : 0 > vendor_id : GenuineIntel > cpu family : 6 > model : 44 > model name : Intel(R) Xeon(R) CPU X5675 @ 3.07GHz > stepping : 2 > microcode : 0x1f > cpu MHz : 3066.788 > cache size : 12288 KB > physical id : 0 > siblings : 4 > core id : 0 > cpu cores : 1 > apicid : 0 > initial apicid : 0 > fpu : yes > fpu_exception : yes > cpuid level : 11 > wp : yes > flags : fpu de tsc msr pae mce cx8 apic sep mca cmov pat clflush acpi > mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl > nonstop_tsc cpuid pni pclmulqdq monitor est ssse3 cx16 sse4_1 sse4_2 > popcnt aes hypervisor lahf_lm ssbd ibrs ibpb stibp > bugs : null_seg cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass > l1tf > bogomips : 6133.57 > clflush size : 64 > cache_alignment : 64 > address sizes : 40 bits physical, 48 bits virtual > power management: > > (identical for all cpus listed) Another view on the thing, from dmidecode: Handle 0x0400, DMI type 4, 42 bytes Processor Information Socket Designation: Proc 1 Type: Central Processor Family: Xeon Manufacturer: Intel ID: C2 06 02 00 FF FB EB BF Signature: Type 0, Family 6, Model 44, Stepping 2 Flags: FPU (Floating-point unit on-chip) VME (Virtual mode extension) DE (Debugging extension) PSE (Page size extension) TSC (Time stamp counter) MSR (Model specific registers) PAE (Physical address extension) MCE (Machine check exception) CX8 (CMPXCHG8 instruction supported) APIC (On-chip APIC hardware supported) SEP (Fast system call) MTRR (Memory type range registers) PGE (Page global enable) MCA (Machine check architecture) CMOV (Conditional move instruction supported) PAT (Page attribute table) PSE-36 (36-bit page size extension) CLFSH (CLFLUSH instruction supported) DS (Debug store) ACPI (ACPI supported) MMX (MMX technology supported) FXSR (FXSAVE and FXSTOR instructions supported) SSE (Streaming SIMD extensions) SSE2 (Streaming SIMD extensions 2) SS (Self-snoop) HTT (Multi-threading) TM (Thermal monitor supported) PBE (Pending break enabled) Version: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz Voltage: 1.4 V External Clock: 133 MHz Max Speed: 4800 MHz Current Speed: 3067 MHz Status: Populated, Enabled Upgrade: Socket LGA1366 L1 Cache Handle: 0x0710 L2 Cache Handle: 0x0720 L3 Cache Handle: 0x0730 Serial Number: Not Specified Asset Tag: Not Specified Part Number: Not Specified Core Count: 6 Core Enabled: 6 Thread Count: 12 Characteristics: 64-bit capable This also lists hyperthreading and 6 cores with 12 threads per physical cpu... The code which decides about printing the message or not does: if ( opt_smt == -1 && cpu_has_bug_l1tf && !pv_shim && boot_cpu_data.x86_num_siblings > 1 ) warning_add( "Booted on L1TF-vulnerable hardware with SMT/Hyperthreading\n" "enabled. Please assess your configuration and choose an\n" "explicit 'smt=<bool>' setting. See XSA-273.\n"); (from commit 2a47c75509, author in Cc) Apparently in here, boot_cpu_data.x86_num_siblings > 1 still matches when hyperthreading is actually disabled in bios configuration? Is there a better way to detect configuration (enabled/disabled) vs. just the fact that the hardware has the feature and could enable it? Something like the same source as where xl info gets the threads_per_core from, which does show up as 1? Thanks, Hans _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |