Methods to disable simultaneous multithreading on Lenovo ThinkPads


Main side-channel exploits demonstrated the feasibility of applications extracting information from a program in an adjoining thread in the identical core. Here is how and why to guard your ThinkPad.

Simultaneous multithreading (SMT) is a standard characteristic present in fashionable processors, permitting a number of impartial threads to execute concurrently on one CPU core. For x86 processors, the primary to characteristic this potential was the Intel Pentium 4 (“Northwood”) household, launched in November 2002. These early CPUs featured two threads on one bodily core. For a contemporary comparability, the Core i7-8809G has 4 bodily cores, every with two threads, for a complete of eight logical cores. Intel markets their implementation of SMT as “Hyperthreading.”

Sadly, the safety implications of getting two threads occupy one bodily core weren’t totally thought-about when this characteristic was carried out. Two main side-channel exploits found in 2018, TLBleed and PortSmash, exhibit that it’s technically possible for a trojan horse working in a single thread in a given bodily core to extract information from the opposite thread in that bodily core. Proof-of-concept code of each is on the market publicly, although as of but, there isn’t any indication that both have been efficiently exploited by way of drive-by browser assaults.

SEE: Cybersecurity technique analysis: Widespread techniques, points with implementation, and effectiveness (Tech Professional Analysis)

Because of the threat that these exploits current, distributors of enterprise-grade laptops reminiscent of Lenovo have begun issuing BIOS updates, which permit customers the choice to disable SMT. These BIOS updates should be utilized manually. Lenovo gives an inventory of merchandise that are inclined to side-channel exploits, from which customers can obtain the newest BIOS package deal.

For Home windows customers, this may be carried out with an executable. Customers of Linux and various working programs can replace their BIOS utilizing a bootable CD picture. (For ThinkPad fashions with out an built-in optical drive, USB-connected optical drives can be utilized.) When updating the BIOS to your system, be certain that the system is plugged in to the mains utilizing an AC Adapter, and that the battery cost is full. Don’t unplug or flip off your system whereas the replace is being utilized.

Disabling SMT on a ThinkPad

Be aware: This information was written utilizing a ThinkPad W550s. Though ThinkPads share design cues and firmware to a big extent throughout the product line, actual steps to your mannequin might fluctuate.

Step 1: When powering on the system, press Enter to entry the Startup Interrupt Menu (Determine A).

Determine A

Step 2: Press F1 to enter the BIOS Setup Utility

Step 3: Use the left arrow key to pick the Config tab. Use the down arrow key to pick the CPU possibility. Press Enter (Determine B).

Determine B

Step 4: For the choice Intel ® Hyper-Threading Expertise press Enter to open the sub-menu. Use the down arrow to pick Disabled and press Enter to pick (Determine C).

Determine C

Step 5: Press F10 to avoid wasting the configuration modifications and exit (Determine D).

Determine D

Will disabling SMT lower efficiency on my ThinkPad?

It’s doable that disabling SMT will lower efficiency in your ThinkPad, although that is extremely workload dependent. Noticeable efficiency penalties are doable on applications which had been compiled for in depth SMT utilization. Of be aware, PC players usually disable SMT on computer systems to maximise single-thread efficiency, although this can be a very totally different viewers than ThinkPad customers.

Due to the safety implications of those side-channel assaults, a June 2018 replace to OpenBSD disabled SMT on the kernel degree. OpenBSD may be very security-conscious, and this degree of concern could also be unwarranted. Ben Gras, one of many researchers who found TLBleed, tweeted that “whereas a cool assault, TLBleed isn’t the brand new Spectre.”

Realistically, an outsized quantity of threat related to these side-channel vulnerabilities impacts cloud VM suppliers, because the code executed in VMs is inherently not reliable. This isn’t a priority for end-user workstations at current, as customers ought to solely run reliable software program (or have a bunch coverage to ban the execution of unknown software program). Nonetheless, if attackers develop into able to exploiting these vulnerabilities by means of JavaScript, the potential for drive-by assaults makes the danger publicity acceptably excessive.



Supply hyperlink