SMT (Simultanious Multi Threading) implementations typically share

TLBs and L1 caches between threads.  This can make cache timing
attacks a lot easier and we strongly suspect that this will make
several spectre-class bugs exploitable.  Especially on Intel's SMT
implementation which is better known as Hypter-threading.  We really
should not run different security domains on different processor
threads of the same core.  Unfortunately changing our scheduler to
take this into account is far from trivial.  Since many modern
machines no longer provide the ability to disable Hyper-threading in
the BIOS setup, provide a way to disable the use of additional
processor threads in our scheduler.  And since we suspect there are
serious risks, we disable them by default.  This can be controlled
through a new hw.smt sysctl.  For now this only works on Intel CPUs
when running OpenBSD/amd64.  But we're planning to extend this feature
to CPUs from other vendors and other hardware architectures.

Note that SMT doesn't necessarily have a posive effect on performance;
it highly depends on the workload.  In all likelyhood it will actually
slow down most workloads if you have a CPU with more than two cores.

ok deraadt@

1 files changed, 5 insertions, 1 deletions

diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 43433d18d6b..3b4c0071bd7 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sysctl.c,v 1.341 2018/06/02 16:38:21 bluhm Exp $	*/
+/*	$OpenBSD: kern_sysctl.c,v 1.342 2018/06/19 19:29:52 kettenis Exp $	*/
 /*	$NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $	*/
 
 /*-
@@ -782,6 +782,10 @@ hw_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
 			    allowpowerdown));
 		return (sysctl_int(oldp, oldlenp, newp, newlen,
 		    &allowpowerdown));
+#ifdef __HAVE_CPU_TOPOLOGY
+	case HW_SMT:
+		return (sysctl_hwsmt(oldp, oldlenp, newp, newlen));
+#endif
 	default:
 		return (EOPNOTSUPP);
 	}