Disabling SMT (hyperthreading) in ArchLabs


#22

Yea later tonight I’ll post a couple scrots of before/after with/without the firmware disable in place.


#23

Hi, isn't it possible to create a script to add to the openbox autostart or /usr/bin/?


#24

So it’s probably not what you are expecting.


Without any disables in place

CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       yes    4400.0000 800.0000
1   0    0      0    0:0:0:0       yes    4400.0000 800.0000
2   0    0      1    1:1:1:0       yes    4400.0000 800.0000
3   0    0      1    1:1:1:0       yes    4400.0000 800.0000
4   0    0      2    2:2:2:0       yes    4400.0000 800.0000
5   0    0      2    2:2:2:0       yes    4400.0000 800.0000
6   0    0      3    3:3:3:0       yes    4400.0000 800.0000
7   0    0      3    3:3:3:0       yes    4400.0000 800.0000

With the software disable in place (echo 0 > CPU_NUM)

CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       yes    4400.0000 800.0000
1   -    -      -    :::           no     4400.0000 800.0000
2   0    0      1    1:1:1:0       yes    4400.0000 800.0000
3   -    -      -    :::           no     4400.0000 800.0000
4   0    0      2    2:2:2:0       yes    4400.0000 800.0000
5   -    -      -    :::           no     4400.0000 800.0000
6   0    0      3    3:3:3:0       yes    4400.0000 800.0000
7   -    -      -    :::           no     4400.0000 800.0000

With the firmware disable

CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       yes    4400.0000 800.0000
1   0    0      1    1:1:1:0       yes    4400.0000 800.0000
2   0    0      2    2:2:2:0       yes    4400.0000 800.0000
3   0    0      3    3:3:3:0       yes    4400.0000 800.0000


#25

Yea for sure, though it will need to be executed as root so you’ll also need to add an exception to the sudoers to allow running it as root without needing to enter a password; other commands have this as well, like reboot, shutdown, etc.

The better solution is to simply create a udev rule as suggested originally by HoaS.


#26

That’s brilliant, thanks; the online CPUs seem to be the same as with the software approach, so that’s good.

I was thinking of making a custom unit file for systemd to toggle the hyperthreads, that might be useful.


#27

Disabled HT in the BIOS as well. Thanks for the link/tip.
I am wondering, though:
What patch exactly will fix this security issue? Kernel update in due time? Or will this have to be fixed on the BIOS level?


#28

Hopefully.

The problem here though is that hyperthreading is broken by design; this was made obvious by the Spectre/Meltdown fiasco but the Linux Foundation (of which Intel are a member) are keen to downplay this.


#29

Naturally…
Mhm okay let’s see what happens… if you are going to follow up on this anyway, please make sure to keep us updated here, I for one would very much appreciate it!


#30

I added these rules and called them:
00-nosmt_cpu5.rules
and
00-nosmt_cpu7.rules
but they do not work. Where am I going wrong?

# /etc/udev/rules.d/00-nosmt_cpu7.rules ACTION=="add|change", KERNEL=="cpu7", SUBSYSTEM=="cpu", DRIVER=="processor", ATTR{online}="0"

# /etc/udev/rules.d/00-nosmt_cpu7.rules ACTION=="add|change", KERNEL=="cpu7", SUBSYSTEM=="cpu", DRIVER=="processor", ATTR{online}="0"
Why do the 1 and 3 rules work,
and not 5 and 7?
Thanks for the help.
Sig.


#31

Yes, I will keep the thread updated, don’t worry.

It is possible to check yourself though:

empty@buster:~ $ grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
empty@buster:~ $

^ The l1tf line currently shows that my box is vulnerable to SMT exploits; that will change when (if?) they fix it.

No idea, thanks for reporting back.

Just to be sure: you do have the ACTION phrase and the following section on its own line, right?

Your post appears to have the comment on the same line, which would mean that the rule is not read.

If the rules are correct but not working then I will have to write a custom unit file for systemd to disable the threads instead, that should work.

I’ll be back :slight_smile:


#32

Thanks for the quick reply.
For safety I deleted the line, but with the same result.
Only two of them work.

[don@don-pc ~]$ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       si     2401,0000 1200,0000
1   -    -      -    :::           no     2401,0000 1200,0000
2   0    0      1    1:1:1:0       si     2401,0000 1200,0000
3   -    -      -    :::           no     2401,0000 1200,0000
4   0    0      2    2:2:2:0       si     2401,0000 1200,0000
5   0    0      2    2:2:2:0       si     2401,0000 1200,0000
6   0    0      3    3:3:3:0       si     2401,0000 1200,0000
7   0    0      3    3:3:3:0       si     2401,0000 1200,0000
[don@don-pc ~]$ 

:astonished::sob:


#33

OK, here is the custom unit file:

# /etc/systemd/system/nosmt.service
[Unit]
Description=Disable SMT

[Service]
ExecStart=/usr/local/bin/nosmt

[Install]
WantedBy=multi-user.target

And here is the /usr/local/bin/nosmt script:

#!/bin/sh
for n in 1 3
   do echo 0 > /sys/devices/system/cpu/cpu${n}/online
done

^ That’s for my hardware, edit it to match the machine.

Save both those files and make the script executable with chmod +x /usr/local/bin/nosmt and then enable the .service:

systemctl enable --now nosmt.service

This method works for me; any feedback from others would be appreciated :slight_smile:

(Remember to remove the udev rules before testing though.)
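
As an added example (not part of the original post or the thread's scripts): rather than hardcoding `1 3`, the sibling threads can be read from each CPU's topology/thread_siblings_list in sysfs. The SYSFS_CPU variable and the --apply flag are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: find SMT sibling threads from sysfs instead of hardcoding them.
# SYSFS_CPU is this sketch's own variable so the logic can run on a test tree.
SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# Print the CPU numbers that are secondary threads of a core, one per line.
# thread_siblings_list reads "0-1" or "0,4" on an SMT core and "2" otherwise;
# the first number is treated as the primary thread and is left online.
smt_siblings() {
    for dir in "$SYSFS_CPU"/cpu[0-9]*; do
        list="$dir/topology/thread_siblings_list"
        # A CPU without a readable topology file (e.g. already offline) is skipped.
        [ -r "$list" ] || continue
        cpu="${dir##*/cpu}"
        # Keep only the first number of the list or range.
        primary=$(sed 's/[-,].*//' "$list")
        [ "$cpu" = "$primary" ] || echo "$cpu"
    done | sort -n
}

# Take every sibling thread offline (needs root on a real system).
disable_smt() {
    for n in $(smt_siblings); do
        echo 0 > "$SYSFS_CPU/cpu$n/online"
    done
}

# "--apply" is a hypothetical flag of this sketch; without it, only list
# the CPUs that would be taken offline.
case "${1:-}" in
    --apply) disable_smt ;;
    *)       smt_siblings ;;
esac
```

Run without arguments first and compare the list against the CORE column of lscpu --extended before using it from the unit file.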


#34

I solved it by running this from linux-zen:
sudo mkinitcpio -p linux
I restarted into the second kernel and the action worked.

[don@don-pc ~]$ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       si     2401,0000 1200,0000
1   -    -      -    :::           no     2401,0000 1200,0000
2   0    0      1    1:1:1:0       si     2401,0000 1200,0000
3   -    -      -    :::           no     2401,0000 1200,0000
4   0    0      2    2:2:2:0       si     2401,0000 1200,0000
5   -    -      -    :::           no     2401,0000 1200,0000
6   0    0      3    3:3:3:0       si     2401,0000 1200,0000
7   -    -      -    :::           no     2401,0000 1200,0000
[don@don-pc ~]$ uname -a
Linux don-pc 4.8.14-1-ARCH #1 SMP PREEMPT Sun Dec 11 01:47:53 UTC 2016 x86_64 GNU/Linux
[don@don-pc ~]$ 

Then I started from the normal kernel and ran

mkinitcpio -p linux-zen

I restarted from zen and everything works.

[don@don-pc ~]$ sudo mkinitcpio -p linux-zen
[sudo] password di don: 
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'default'
  -> -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-zen.img
==> Starting build: 4.18.16-zen1-1-zen
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-zen.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'fallback'
  -> -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-zen-fallback.img -S autodetect
==> Starting build: 4.18.16-zen1-1-zen
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-zen-fallback.img
==> Image generation successful
[don@don-pc ~]$ uname -a
Linux don-pc 4.8.14-1-ARCH #1 SMP PREEMPT Sun Dec 11 01:47:53 UTC 2016 x86_64 GNU/Linux
[don@don-pc ~]$ 
[don@don-pc ~]$ uname -a
Linux don-pc 4.18.16-zen1-1-zen #1 ZEN SMP PREEMPT Sat Oct 20 22:06:49 UTC 2018 x86_64 GNU/Linux
[don@don-pc ~]$ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       si     2401,0000 1200,0000
1   -    -      -    :::           no     2401,0000 1200,0000
2   0    0      1    1:1:1:0       si     2401,0000 1200,0000
3   -    -      -    :::           no     2401,0000 1200,0000
4   0    0      2    2:2:2:0       si     2401,0000 1200,0000
5   -    -      -    :::           no     2401,0000 1200,0000
6   0    0      3    3:3:3:0       si     2401,0000 1200,0000
7   -    -      -    :::           no     2401,0000 1200,0000
[don@don-pc ~]$ sudo mkinitcpio -p linux-zen

Thank you @Head_on_a_Stick, and excuse me for the trouble caused unnecessarily.

PS: in case it stops working again in the next few days, I will try the service that I posted.


#35

Nothing at the restart this afternoon; this came out of the terminal. Now I will try the custom unit method.

[don@don-pc ~]$ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       si     2401,0000 1200,0000
1   -    -      -    :::           no     2401,0000 1200,0000
2   0    0      1    1:1:1:0       si     2401,0000 1200,0000
3   0    0      1    1:1:1:0       si     2401,0000 1200,0000
4   0    0      2    2:2:2:0       si     2401,0000 1200,0000
5   0    0      2    2:2:2:0       si     2401,0000 1200,0000
6   0    0      3    3:3:3:0       si     2401,0000 1200,0000
7   0    0      3    3:3:3:0       si     2401,0000 1200,0000
[don@don-pc ~]$ 

#36

Not working.
Sig.

● nosmt.service - Disable SMT
   Loaded: loaded (/etc/systemd/system/nosmt.service; enabled; vendor preset: d>
   Active: failed (Result: exit-code) since Tue 2018-11-06 14:05:26 CET; 5s ago
  Process: 2899 ExecStart=/usr/local/bin/nosmt (code=exited, status=203/EXEC)
 Main PID: 2899 (code=exited, status=203/EXEC)

nov 06 14:05:26 don-pc systemd[1]: Started Disable SMT.
nov 06 14:05:26 don-pc systemd[1]: nosmt.service: Main process exited, code=exi>
nov 06 14:05:26 don-pc systemd[1]: nosmt.service: Failed with result 'exit-code>
lines 1-9/9 (END)
[don@don-pc ~]$ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       si     2401,0000 1200,0000
1   0    0      0    0:0:0:0       si     2401,0000 1200,0000
2   0    0      1    1:1:1:0       si     2401,0000 1200,0000
3   0    0      1    1:1:1:0       si     2401,0000 1200,0000
4   0    0      2    2:2:2:0       si     2401,0000 1200,0000
5   0    0      2    2:2:2:0       si     2401,0000 1200,0000
6   0    0      3    3:3:3:0       si     2401,0000 1200,0000
7   0    0      3    3:3:3:0       si     2401,0000 1200,0000
[don@don-pc ~]$ 

#37

Did you remember to make the script executable?

Can we please see the output of

ls -l /usr/local/bin/nosmt
cat /usr/local/bin/nosmt

EDIT: did you remove the udev rules before testing the unit file?

The two methods may conflict.


#38

Updated version of nosmt.service:

[Unit]
Description=Disable SMT

[Service]
RemainAfterExit=yes
ExecStart=/usr/local/bin/nosmt
ExecStop=/usr/local/bin/onsmt

[Install]
WantedBy=multi-user.target

With a new /usr/local/bin/onsmt script:

#!/bin/sh
for n in 1 3
   do echo 1 > /sys/devices/system/cpu/cpu${n}/online
done

With these changes nosmt.service will now report itself as “active” when it has been run and if it is stopped then the ExecStop line will run the /usr/local/bin/onsmt script and re-enable the hyperthreads to give a boost when needed:

empty@buster:~ $ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       yes    2400.0000 1199.0000
1   -    -      -    :::           no     2400.0000 1199.0000
2   0    0      1    1:1:1:0       yes    2400.0000 1199.0000
3   -    -      -    :::           no     2400.0000 1199.0000
empty@buster:~ $ sudo systemctl stop nosmt
[sudo] password for empty: 
empty@buster:~ $ lscpu --extended
CPU NODE SOCKET CORE L1d:L1i:L2:L3 ONLINE MAXMHZ    MINMHZ
0   0    0      0    0:0:0:0       yes    2400.0000 1199.0000
1   0    0      0    0:0:0:0       yes    2400.0000 1199.0000
2   0    0      1    1:1:1:0       yes    2400.0000 1199.0000
3   0    0      1    1:1:1:0       yes    2400.0000 1199.0000
empty@buster:~ $

Neat or what? :slight_smile:


#39

Yes.
Executable, and udev rules removed.


#40

Not working

[don@don-pc ~]$ ls -l /usr/local/bin/nosmt
ls: impossibile accedere a '/usr/local/bin/nosmt': File o directory non esistente
[don@don-pc ~]$ ls -l /usr/
totale 344
drwxr-xr-x   6 root root 122880  6 nov 10.21 bin
drwxr-xr-x   3 root root   4096 29 dic  2017 etc
drwxr-xr-x 434 root root  36864  5 nov 12.03 include
drwxr-xr-x 207 root root 159744  6 nov 10.21 lib
drwxr-xr-x   2 root root   4096  3 set 19.07 lib32
lrwxrwxrwx   1 root root      3 21 ago 16.21 lib64 -> lib
drwxr-xr-x  11 root root   4096 25 ott  2017 local
lrwxrwxrwx   1 root root      3 21 ago 16.21 sbin -> bin
drwxr-xr-x 236 root root   4096  3 nov 17.58 share
drwxr-xr-x   2 root root   4096 26 mar  2017 src
[don@don-pc ~]$ ls -l /usr/local
totale 36
drwxr-xr-x 2 root root 4096  6 nov 18.40 bin
drwxr-xr-x 2 root root 4096 26 mar  2017 etc
drwxr-xr-x 2 root root 4096 26 mar  2017 games
drwxr-xr-x 2 root root 4096 26 mar  2017 include
drwxr-xr-x 2 root root 4096 26 mar  2017 lib
drwxr-xr-x 2 root root 4096 26 mar  2017 man
drwxr-xr-x 2 root root 4096 26 mar  2017 sbin
drwxr-xr-x 2 root root 4096 23 ago 17.22 share
drwxr-xr-x 2 root root 4096 26 mar  2017 src
[don@don-pc ~]$ ls -l /usr/local/bin/
totale 4
-rwxrwxr-x 1 root root 86  6 nov 18.40 'nosmt '
[don@don-pc ~]$ cat /usr/local/bin/
cat: /usr/local/bin/: È una directory
[don@don-pc ~]$ cat /usr/local/bin/nosmt\  
#!/bin/sh
for n in 1 3 5 7
   do echo 0 > /sys/devices/system/cpu/cpu${n}/online
done
[don@don-pc ~]$ 

#41

Why did you name it with a space after nosmt?

Try

sudo cp '/usr/local/bin/nosmt ' /usr/local/bin/nosmt
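
The failure diagnosed in this exchange, as an added example that is not part of the original posts: status=203/EXEC means systemd could not execute the ExecStart= file, and the check below separates a missing file, a missing executable bit and a name padded with trailing whitespace such as 'nosmt '. The function names are this sketch's own.

```shell
#!/bin/sh
# Added example: explain a status=203/EXEC failure by checking the file that a
# unit's ExecStart= line points at.

# Print the executable path from the first ExecStart= line of a unit file,
# dropping systemd's optional prefix characters (-, @, :, +, !).
exec_path_of() {
    sed -n 's/^ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Classify the target: ok, not-executable, padded-name (a file exists whose
# name is the target plus trailing whitespace), or missing.
check_exec_target() {
    target="$1"
    if [ -f "$target" ]; then
        if [ -x "$target" ]; then echo ok; else echo not-executable; fi
        return 0
    fi
    base="${target##*/}"
    # Look at every entry whose name starts with the expected name.
    for entry in "$target"*; do
        [ -e "$entry" ] || continue
        name="${entry##*/}"
        stripped=$(printf '%s' "$name" | sed 's/[[:space:]]*$//')
        if [ "$stripped" = "$base" ]; then
            echo padded-name
            return 0
        fi
    done
    echo missing
}

# Usage: sh check-unit.sh /etc/systemd/system/nosmt.service
if [ -n "${1:-}" ]; then
    check_exec_target "$(exec_path_of "$1")"
fi
```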