One of processors

Hi.

I’m testing a Xeon E5-2620 and doing “lscpu” I get the following:

[root@bs cpu6]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                12
On-line CPU(s) list:   0-5
Off-line CPU(s) list:  6-11
Thread(s) per core:    1
Core(s) per socket:    6
Socket(s):             1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 45
Model name:            Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz
Stepping:              7
CPU MHz:               2493.990
CPU max MHz:           2500.0000
CPU min MHz:           1200.0000
BogoMIPS:              3992.32
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              15360K
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts md_clear flush_l1d

I don’t understand one thing. Why does the following appear?

Off-line CPU(s) list: 6-11

Are they disabled? And if so, how can they be enabled?

Thanks.

Question becomes: does IPFire really use / is it designed for more than 6 cores?
If the answer is “no”, straight to Virtualization…

Hi @pike_it thanks for reply.

I have already found the problem. If “Enable Simultaneous Multi-Threading (SMT)” is set to automatic mode, vulnerabilities are mitigated, but it works with half the processors, or disables multithreading. If it is forced (dangerous), the 12 threads appear.

Now, with SMT forced:

[root@bs ~]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                12
On-line CPU(s) list:   0-11
Thread(s) per core:    2
Core(s) per socket:    6
Socket(s):             1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 45
Model name:            Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz
Stepping:              7
CPU MHz:               2006.491
CPU max MHz:           2500.0000
CPU min MHz:           1200.0000
BogoMIPS:              3992.37
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              15360K
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm epb pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid xsaveopt dtherm ida arat pln pts md_clear flush_l1d

How bad are these vulnerabilities?

Regards.
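Added example (not part of the original posts): a shell sketch that reads the Linux sysfs CPU files to show whether SMT is on and which vulnerability entries report an SMT-dependent status. The sample tree built by `make_sample` is constructed for illustration, and the `off` control value for the automatic setting is an assumption; on a real host, call `smt_report` with no argument to read `/sys/devices/system/cpu`.

```shell
#!/bin/sh
# Added example: summarise SMT state and SMT-sensitive mitigations from sysfs.

# Print file contents, or a default when the file is missing/unreadable.
read_or() { [ -r "$1" ] && cat "$1" || echo "$2"; }

# Count the CPUs named by a kernel CPU list such as "0-5,8".
count_cpus() {
    list=$1 total=0
    [ -z "$list" ] && { echo 0; return 0; }
    IFS=,
    for range in $list; do
        lo=${range%-*}; hi=${range#*-}
        total=$((total + hi - lo + 1))
    done
    echo "$total"
}

# $1 = sysfs CPU directory (defaults to the real one).
smt_report() {
    root=${1:-/sys/devices/system/cpu}
    control=$(read_or "$root/smt/control" unknown)
    online=$(count_cpus "$(read_or "$root/online" "")")
    offline=$(count_cpus "$(read_or "$root/offline" "")")
    echo "smt_control=$control online=$online offline=$offline"
    for f in "$root"/vulnerabilities/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        case $status in
            *"SMT vulnerable"*) echo "SMT-EXPOSED ${f##*/}: $status" ;;
            *"SMT disabled"*|*"SMT mitigated"*) echo "smt-safe ${f##*/}: $status" ;;
        esac
    done
    return 0
}

# Constructed sample tree: $1 dir, $2 smt/control, $3 online, $4 offline, $5 mds suffix.
make_sample() {
    mkdir -p "$1/smt" "$1/vulnerabilities"
    echo "$2" > "$1/smt/control"
    echo "$3" > "$1/online"
    echo "$4" > "$1/offline"
    echo "Mitigation: Clear CPU buffers; SMT $5" > "$1/vulnerabilities/mds"
}

demo=$(mktemp -d)
make_sample "$demo/auto" off 0-5 6-11 disabled      # mirrors the first lscpu output
make_sample "$demo/forced" on 0-11 "" vulnerable    # mirrors the forced-SMT output
smt_report "$demo/auto"; smt_report "$demo/forced"
rm -rf "$demo"
```
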

A question for connoisseurs. If IPFire is hardened and you can’t run / install software not signed by the development team (that’s what I think), how much can processor vulnerabilities affect it?

Based on what I’ve been reading (as I understand it, please correct me if I’m wrong), these vulnerabilities are exploited when malicious software is run / installed on the computer that suffers the vulnerability and accesses memory areas that it shouldn’t. But this shouldn’t happen in IPFire, right?

This isn’t completely right.
The kernel and the addons are signed, in my opinion. But you can install modules which are interpreted: shell scripts, perl programs, …
These can use the vulnerabilities. Further, IPFire is composed of many open source programs, which can’t be checked completely against these. If all parts were hardened/checked on their own, we would not need a hardening of the composed system.
Just my 2c.

2 Likes

You can also build addons and install them locally from the command line. This is what is done when people are testing out the creation of an addon before submitting it to the devs for inclusion in IPFire. There is no signing when you do this as the install is not being done via pakfire but manually from the command line.

If a bad player created a .ipfire addon package which had some additional code in it and someone installed that onto their IPFire then you would have some trojan software running on your system.
That is why the devs say that you should not install a .ipfire package from an unknown source onto your IPFire system.
If you build the .ipfire yourself, then you control the source of all code used.
If you install a .ipfire from someone else then you are trusting that person.

There are always ways around things and things change constantly. The trick is to minimise the vulnerabilities as much as possible.

2 Likes

Thanks @bbitsch and @bonnietwin for the explanations. It has become very clear.

So if nothing is installed that is not in the official repository, there should be no problems, of course.

Thanks again.