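#!/bin/sh
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org>                       #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Boot-time hardening step: switches Simultaneous Multi-Threading (SMT) off
# when the kernel reports that the CPU is affected by L1TF or MDS and that
# SMT leaves it vulnerable. The only supported action is "start".
#
# NOTE(review): "$(<file)" and "[[ ... =~ ... ]]" below are bash extensions,
# so the #!/bin/sh shebang assumes that sh is bash on the target system.

. /etc/sysconfig/rc
. "${rc_functions}"

# Load the security settings; ENABLE_SMT is read from them below. The output
# of readhash is executed by this shell as root, so the settings file must be
# writable only by trusted accounts. readhash is presumably limited to emitting
# KEY=value assignments (not visible here). The substitution is quoted so the
# output is not word-split or glob-expanded before eval sees it.
eval "$(/usr/local/bin/readhash /var/ipfire/main/security)"

smt_control="/sys/devices/system/cpu/smt/control"
vuln_dir="/sys/devices/system/cpu/vulnerabilities"

case "${1}" in
	start)
		# Nothing to do here when SMT is forced on. This is an explicit
		# override: SMT then stays enabled even on an affected CPU.
		if [ "${ENABLE_SMT}" = "on" ]; then
			exit 0
		fi

		# Nothing to do when SMT is not enabled or not supported anyways.
		# The redirection on "fi" hides the error printed when the control
		# file does not exist.
		if [ "$(<"${smt_control}")" != "on" ]; then
			exit 0
		fi 2>/dev/null

		# Do not disable SMT inside virtual machines
		if running_on_hypervisor; then
			exit 0
		fi

		# Disable SMT when the processor is vulnerable to Foreshadow (l1tf)
		# or Fallout/ZombieLoad/RIDL (mds)
		for vuln in l1tf mds; do
			if [ -r "${vuln_dir}/${vuln}" ] && \
					[[ "$(<"${vuln_dir}/${vuln}")" =~ "SMT vulnerable" ]]; then
				boot_mesg "Disabling Simultaneous Multi-Threading (SMT)..."

				# Report success only when the kernel accepted the write;
				# a rejected write must not be shown as an applied mitigation.
				if echo "forceoff" > "${smt_control}"; then
					echo_ok
				else
					echo_failure
				fi

				# No need to check any further once SMT has been handled
				break
			fi
		done
		;;

	*)
		echo "Usage: ${0} {start}"
		exit 1
		;;
esac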