Comment by JBiserkov
8 years ago
One way to achieve something similar would be via a software tool which would set the process affinity to only run on real cores.
Or you could only run Chrome (untrusted JavaScript) on cores 2 and 3, and run the app that has your secrets on cores 0 and 1. (It is my understanding that cores 2k are real, and 2k+1 is their matching "virtual" core.) This way you get both hyperthreading and security. I'm not a security expert though.
https://bitsum.com/docs/pl/Using%20the%20GUI/using_the_gui.h...
I'm not sure it would be that easy since I believe e.g. I/O can go through the System process (or other processes even), which has full affinity. We'd likely have to set thread affinities for all processes/threads. But then it would clash with manually-set affinities, and I'm also not sure if it would have worse performance than actually disabling hyper-threading or not.
Right now I'm looking at what making a UEFI application to disable HT before boot might involve... not sure if that's too late in the boot process or not.
> It is my understanding that 2k cores are real, and 2k+1 is their matching, "virtual" core
I'm not sure that's true. For example, on an i7-4770 I get:
(Of course, that might just be Linux renumbering them)
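Rather than guessing which logical CPUs are siblings (the 2k/2k+1 assumption in the first comment versus whatever the i7-4770 output above shows), the pairing can be read from the kernel and the proposed pinning checked against it. The following is an added example for this thread, not code posted by any commenter. It assumes the Linux sysfs layout /sys/devices/system/cpu/cpuN/topology/thread_siblings_list; the two sample topologies in it are constructed for illustration, not captured from a real machine.

```python
"""Hyperthread-aware CPU partitioning from Linux sysfs topology.

Added example for this thread, not code posted by any commenter. It assumes
the Linux layout /sys/devices/system/cpu/cpuN/topology/thread_siblings_list;
the two sample topologies are constructed, not captured from a real machine.
"""
import glob
import os
import re

SYSFS_CPU = "/sys/devices/system/cpu"

# Constructed sample: 4 cores / 8 threads where the kernel numbers each
# core's second thread as k+4 (one common Linux numbering).
LINUX_STYLE = {0: "0,4", 1: "1,5", 2: "2,6", 3: "3,7",
               4: "0,4", 5: "1,5", 6: "2,6", 7: "3,7"}
# Constructed sample: the "2k real, 2k+1 virtual" layout assumed in the thread.
PAIRED_STYLE = {0: "0-1", 1: "0-1", 2: "2-3", 3: "2-3",
                4: "4-5", 5: "4-5", 6: "6-7", 7: "6-7"}


def parse_cpulist(text):
    """Parse a kernel cpulist ('0,4', '2-3', '1,5-7') into a sorted list of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if m is None:
            raise ValueError(f"bad cpulist fragment: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cpus.update(range(lo, hi + 1))
    return sorted(cpus)


def format_cpulist(cpus):
    """Inverse of parse_cpulist: the 'a-b,c' form that taskset -c accepts."""
    cpus = sorted(set(cpus))
    if not cpus:
        return ""
    ranges, start, prev = [], cpus[0], cpus[0]
    for c in cpus[1:]:
        if c != prev + 1:
            ranges.append((start, prev))
            start = c
        prev = c
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def sibling_groups(siblings_by_cpu):
    """One sorted tuple per physical core, from per-CPU thread_siblings_list text."""
    groups = {tuple(sorted(set(parse_cpulist(t)) | {cpu}))
              for cpu, t in siblings_by_cpu.items()}
    return sorted(groups)


def read_sysfs_topology(base=SYSFS_CPU):
    """Collect thread_siblings_list for every CPU the kernel exposes (Linux only)."""
    topo = {}
    for path in glob.glob(os.path.join(base, "cpu[0-9]*", "topology",
                                       "thread_siblings_list")):
        cpu = int(re.search(r"cpu(\d+)", path).group(1))
        with open(path) as fh:
            topo[cpu] = fh.read()
    return topo


def sibling_closure(cpus, groups):
    """All logical CPUs that share a physical core with any CPU in `cpus`.

    A secret-holding process must own this whole set: any CPU in the closure
    it does not own is a seat for a co-tenant on the same core.
    """
    cpus = set(cpus)
    return set().union(*(set(g) for g in groups if set(g) & cpus))


def shared_cores(secret_cpus, other_cpus, groups):
    """Physical cores that `other_cpus` would share with `secret_cpus`."""
    s, o = set(secret_cpus), set(other_cpus)
    return [g for g in groups if set(g) & s and set(g) & o]


def partition(groups):
    """Split the physical cores into two disjoint CPU sets that share no core.

    Whole sibling groups go to one side, so neither half runs on a core the
    other half uses; the first half of the cores becomes the trusted set.
    """
    half = len(groups) // 2
    trusted = sorted(c for g in groups[:half] for c in g)
    untrusted = sorted(c for g in groups[half:] for c in g)
    return trusted, untrusted


def pin_self(cpus):
    """Pin the calling process to `cpus` via sched_setaffinity; False if unsupported."""
    if not hasattr(os, "sched_setaffinity"):
        return False
    os.sched_setaffinity(0, set(cpus))
    return True


if __name__ == "__main__":
    topo = read_sysfs_topology() or LINUX_STYLE
    groups = sibling_groups(topo)
    print("physical cores (sibling groups):", groups)
    trusted, untrusted = partition(groups)
    print("secrets app : taskset -c", format_cpulist(trusted), "./secret-app")
    print("untrusted   : taskset -c", format_cpulist(untrusted), "chromium")
    # The thread's proposal: secrets on 0-1, Chrome on 2-3. Show which CPUs
    # would still share a core with the secrets under this numbering.
    leftover = sibling_closure([0, 1], groups) - {0, 1}
    print("CPUs sharing a core with 0-1 that nobody pinned:", sorted(leftover))
```

With the constructed k/k+4 numbering, pinning secrets to 0-1 and Chrome to 2-3 does keep those two processes on separate cores, but CPUs 4 and 5 still sit on the secrets' cores and remain available to every other thread on the system, which is the objection raised in the second comment. `sibling_closure` makes that leftover set explicit so the secret-holding process can claim its siblings too; `partition` hands out whole cores so the question does not arise. On a real machine run the block as a script and it reads the live topology instead of the sample.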