On Tue, Jul 25, 2017 at 05:14:45PM +0300, private user82 wrote: > I am concerned about the recent bug affecting Skylake and Kaby Lake gen Intel > processors - https://lists.debian.org/debian-devel/2017/06/msg00308.html > > As BIOS updates aren't yet available from many mobo manufacturers, how can we > Qubes users best defend ourselves against an exploit? In this post I am > hoping to reach out to someone who may be able to comment on how we can best > configure our platforms until a fix is available. > > Following the advice in the linked Debian advisory, I have disabled > hyper-threading in the BIOS settings. My questions are as follows: > > 1) When I check /proc/cpuinfo in dom0, 'ht' remains listed as a flag > (capability). Running $ lscpu in dom0 indicates that 'Threads per core: 1' so > I assume the BIOS has in fact disabled hyper-threading. Is this correct, or > should the flag also disappear when functionality is disabled in BIOS > settings? > > 2) Is it safe to run multiple VCPUs (up to the number of physical cores) for > each Guest VM. Or, in light of this bug, should we only be using a single > VCPU for each guest? > > Many thanks in advance.
I seem to recall that Xen used to advise disabling hyperthreading, and VMWare counsel against its use when provisioning vcpus. In general there's no advantage in assigning more than physical cores to any VM. On the specifics, I *think* that cpuinfo reports capabilities even if they have been diabled, so that isnt an issue. I dont see any issue in assigning multiple vcpus up to the number of physical cores. I dont think that bug is relevant to the decision. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170726142135.a3edgsqufzoqwibm%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
