Hardware Vulnerabilities

There is a new GUI which will show you for which attacks your hardware is vulnerable and if mitigations are in place.

Because of the recent vulnerabilities in Intel processors, the IPFire team has decided, that - to keep systems as secure as possible - Simultaneous Multi-Processing (SMT) is automatically disabled if the processor is vulnerable to one of the attacks.

SMT is also called Intel(R) Hyper-Threading Technology and simulates more virtual cores than the system has. This allows to perform faster processing when applications benefit from it. Unfortunately with networking, we benefit from that. Therefore the effect of disabling SMT will be a very signifiant performance impact of around 30% or more. Applications that will be affected in IPFire are the firewall throughput itself as well as other CPU and memory-bound tasks like the web proxy and the Intrusion Prevention System. On systems that are not vulnerable for this attack, SMT is being left enabled. If you still want to disable it, please do so in the BIOS of your firewall.

We think that this step is inevitable to keep all IPFire systems secure. The mitigations that have been provided by the Linux kernel developers and the microcode updates that have been provided by Intel are not enough to close this vulnerability. Indeed the underlying hardware is broken and cannot be fixed.

Links

• IPFire Blog - More on Intel's Hardware Bugs (6 November 2018)
• IPFire Blog - Meltdown/Spectre - The chaotic story (12 January 2018)
• IPFire Blog - Security Announcement: Disabling SMT on affected Intel processors (22 May 2019)
• IPFire Blog - 32 bit is dead - Long live 32 bit (13 June 2019)
• IPFire Blog - IPFire 2.23 - Core Update 132 released (2019 June 7))