牺牲我的CPU性能的30% (通过禁用超级线程)，以充分减轻CPU漏洞，必要吗？

Question

但是，在帮助页面中，我发现了--paranoid开关，这导致大约一半以后的CVEs变成红色。我读到了它告诉我的东西，为了完全缓解，我不得不使用disable超线程，它吓了我一点点，所以我最好这样做，结果只剩下一个红旗(CVE-2018-3646 = L1D无条件刷新应该启用以完全减轻漏洞)。

我使用LinuxMint19.2作为我的主要操作系统，在Windows 10 Pro 1903中没有花费任何实际可测量的时间，但我不知道比Windows更好的基准测试，无论如何，我只是运行了一系列非常快速的测试，不管有没有超线程，它似乎切断了我大约20-30%的性能(我不知道有多重要，但仍在继续)。由于我显然是为了更好的表现，我不明白为什么超线程已经成为这样一个安全漏洞。总之，我有一个不同的，希望是直截了当的问题给你在底部。

笔记本电脑:戴尔Inspiron 15，最新的BIOS (1.8.0，链接以获取详细信息)。

处理器:英特尔(Intel)核心™i7-7700HQ (链接到™)。

Linux :4.15.0-65-泛型；完整uname -a：

Linux dell-7577 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

为了完整起见，我在--paranoid开关上添加了帮助中的信息：

--paranoid      require IBPB to deem Variant 2 as mitigated
                also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
                also require SMT disabled to deem MDS vulnerabilities mitigated

实际问题

是否还有其他方法可以解决这些漏洞，比如升级到另一个版本的内核，或者等待新的BIOS，或者从某种意义上说，BIOS更新或OS内核或诸如此类的东西都无法弥补这一结果？

当超线程启用时，它将显示如下：

Spectre and Meltdown mitigation detection tool v0.42

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64
CPU is Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitecture Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x9e family 0x6 stepping 0x9 ucode 0xb4 cpuid 0x906e9)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xb4 dated 2019/04/01 according to builtin MCExtractor DB v111 - 2019/05/18)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  YES  (ModemManager systemd-journald systemd-localed systemd-logind systemd-resolved systemd-timesyncd systemd-udevd vnstatd)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  YES  (paranoid mode)
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  VULNERABLE  (enable L1D unconditional flushing and disable Hyper-Threading to fully mitigate the vulnerability)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  YES  (Mitigation: Clear CPU buffers; SMT vulnerable)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  YES 
* SMT is either mitigated or disabled:  NO 
> STATUS:  VULNERABLE  (Your kernel and microcode partially mitigate the vulnerability, but you must disable SMT (Hyper-Threading) for a complete mitigation)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:KO CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO

UHD中的图像可以放大：

Answer 1

The的简短回答是:是的，但是只有当你需要那个安全的时候。

侧通道漏洞是一种不同的方法，软件可以通过直接读取或推断来确定数据存在于不应该访问的地方。防止这种情况的方法有很多种，但屏障的性质取决于系统的安全设计和攻击方法。

最常见的方法是低级别软件(固件、内核)阻止任何线程/应用程序发送危险的指令流，否则它们会稍微调整执行环境，使这些流变得无害。这通常会对性能产生影响，而安全性的改进通常是值得的。但是，如果不值得进行性能测试，您可以禁用这些缓解措施--更高的性能和更少的安全性始终是一种选择。

例如，熔毁保护认识到，当内核数据存在于用户访问内存中时，不可能进行保护，因此它将敏感内存页完全排除在用户上下文之外。这是一个性能上的损失，但是在软件中完全可以减少。如果Intel稍后修复硬件中的问题，则可以禁用KPTI。

更有侵扰性的方法是首先禁用导致漏洞的CPU功能。从某种意义上说，我们很幸运，这首先是一个选择--许多CPU功能根本无法配置。您可以选择每个内核同时执行多少个线程，但不能配置调度端口或重命名寄存器的数量。

对于一些幽灵变体来说，英特尔CPU上没有可行的软件障碍。禁用超线程可以消除当前CPU中的风险；同时，Intel正在设计新的CPU，使其不会受到当前攻击的攻击。

似乎不可能为这些漏洞开发完整的微码、BIOS或内核缓解--业界最优秀的人已经确定这是不可行的。这使得禁用功能是必要的，如果您想要不受该攻击方法的保护。我当然没有专门知识去制定更好的解决办法。

请注意，对于虚拟环境，虚拟机管理程序也可以在一定程度上降低风险(例如，VMware的SCAv2 CPU调度程序)。如果您的主机具有SCAv2或同等的保护，那么您可以让超线程启用，而不会被其他VM利用--只有运行在同一VM上的进程才会构成威胁。

从根本上说，This是一个风险接受的问题：考虑到利用这些漏洞的方式(有些困难；大多数情况下需要本地访问)，它值得损失30%的性能吗？

在一个陌生人可能共享CPU的云环境中，风险比强制执行应用程序白名单的本地管理环境更大。

安全性是一个频谱，它必须根据所有相关因素进行平衡:数据的价值、环境、性能要求和财务考虑。