
MarkC426

macrumors 68040
May 14, 2008
3,700
2,097
UK
I just installed the HS security update (no problem).
In the apple guide to disable HT, you can check status in the system info panel.
There is no mention of HT when I click on hardware.......?

I know it has it, because when I render, activity monitor shows 800%
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I just installed the HS security update (no problem).
In the apple guide to disable HT, you can check status in the system info panel.
There is no mention of HT when I click on hardware.......?

I know it has it, because when I render, activity monitor shows 800%
No, only Mojave 10.14.5 has the new Overview hyper-threading status in the System Report.
 
  • Like
Reactions: JedNZ

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Apple just added this Microcode part on the
About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra support page:

Screen Shot 2019-05-16 at 14.53.31.png


MP5,1 Xeons didn't have any microcode updates and Intel doesn't plan to make them, according to the May 14, 2019 Microcode Revision Guidance.
 
  • Like
Reactions: retta283

Squuiid

macrumors 68000
Oct 31, 2006
1,877
1,713
Apple just added this Microcode part on the
About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra support page:

View attachment 837377

MP5,1 Xeons didn't have any microcode updates and Intel doesn't plan to make them, according to the May 14, 2019 Microcode Revision Guidance.
Hang on, presumably disabling HyperThreading is all that is necessary. Is this implying that both Microcodes and disabling HyperThreading are required for full mitigation?
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Hang on, presumably disabling HyperThreading is all that is necessary. Is this implying that both Microcodes and disabling HyperThreading are required for full mitigation?

One of the vulnerabilities from yesterday shows that AES-NI instructions (Westmere supports AES-NI) can be exploited for data exfiltration, and this one needs more than just hyper-threading to be disabled.

It's not just disabling SMT, you have to clear buffers between rings and Intel showed example kernel code to do that.

Screen Shot 2019-05-15 at 17.16.09.png


MDS attacks are a complex problem to mitigate and we will see new developments soon.

Microcode updates mitigate things in the processor, needing less kernel clean-up. It's always better to have them.
 
  • Like
Reactions: JedNZ and digidow

MarkC426

macrumors 68040
May 14, 2008
3,700
2,097
UK
Well I installed the HS update and the Mojave update on my other drive.
Booted into recovery in both versions and entered the terminal commands, but HT is still enabled.
Looks like it’s minimal browsing on my mac then.

Presumably what I entered from the Apple steps won’t cause any other issues.
nvram boot-args="cwae=2"
nvram SMTDisable=%01

Maybe I am overthinking things.
I only visit legit sites, and never click on ads (macrumors a culprit for ads).
 
Last edited:

Raunien

macrumors 6502a
Aug 3, 2011
535
57
Well I installed the HS update and the Mojave update on my other drive.
Booted into recovery in both versions and entered the terminal commands, but HT is still enabled.
Looks like it’s minimal browsing on my mac then.

Presumably what I entered from the Apple steps won’t cause any other issues.
nvram boot-args="cwae=2"
nvram SMTDisable=%01

Maybe I am overthinking things.
I only visit legit sites, and never click on ads (macrumors a culprit for ads).

I also am unable to disable hyperthreading on 10.13.6 with the latest security updates. There is no way to view whether it is enabled/disabled either.
 

Macschrauber

macrumors 68030
Dec 27, 2015
2,981
1,487
Germany
adding another data:

did an untouched 5.1 Dual 12 core 2,66 mid 2010:

started from MP51.007F
zapped Pram 3 times in a row to clear old stuff

with an EFI GPU:
High Sierra installer did MP51.0089.B00

with a metal GPU without EFI:
Mojave full installer 10.14.5 did 144.0.0.0.0

threw in a pair of X5690
all went smooth, no problems at all
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I also am unable to disable hyperthreading on 10.13.6 with the latest security updates. There is no way to view whether it is enabled/disabled either.
Check the cores being used with Activity Monitor.

Apple will need to implement the hyper-threading status for 10.12.6/10.13.6 too.
 

Raunien

macrumors 6502a
Aug 3, 2011
535
57
Check the cores being used with Activity Monitor.

Apple will need to implement the hyper-threading status for 10.12.6/10.13.6 too.

All 12 logical cores still used.

Running the command below returns:

$ sysctl hw.physicalcpu hw.logicalcpu

hw.physicalcpu: 6
hw.logicalcpu: 12

This command supposedly returns enabled/disabled (https://derflounder.wordpress.com/2...oarchitectural-data-sampling-vulnerabilities/)
/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hyper-Threading Technology: / { print $3 }'

But on 10.13.6 it doesn't return anything.
 

Attachments

  • Screen Shot 2019-05-16 at 6.19.51 PM.png
    Screen Shot 2019-05-16 at 6.19.51 PM.png
    42.2 KB · Views: 230

Raunien

macrumors 6502a
Aug 3, 2011
535
57
Upon further reading, I think MP 5,1's are unable to fully disable HT. Someone please correct me if I'm wrong.

https://support.apple.com/en-us/HT210107

These Mac models may receive security updates in macOS Mojave, High Sierra or Sierra, but are unable to support the fixes and mitigations due to a lack of microcode updates from Intel.

  • MacBook (13-inch, Late 2009)
  • MacBook (13-inch, Mid 2010)
  • MacBook Air (13-inch, Late 2010)
  • MacBook Air (11-inch, Late 2010)
  • MacBook Pro (17-inch, Mid 2010)
  • MacBook Pro (15-inch, Mid 2010)
  • MacBook Pro (13-inch, Mid 2010)
  • iMac (21.5-inch, Late 2009)
  • iMac (27-inch, Late 2009)
  • iMac (21.5-inch, Mid 2010)
  • iMac (27-inch, Mid 2010)
  • Mac mini (Mid 2010)
  • Mac Pro (Late 2010)
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
This command supposedly returns enabled/disabled (https://derflounder.wordpress.com/2...oarchitectural-data-sampling-vulnerabilities/)
/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hyper-Threading Technology: / { print $3 }'

But on 10.13.6 it doesn't return anything.

SPHardwareDataType is exactly the System Report > Hardware Overview. Since only the 10.14.5 SPHardwareDataType has the Hyper-Threading status, the command shown will not work with anything older than 10.14.5.

See here for 10.13.6 SPHardwareDataType:

Screen Shot 2019-05-16 at 21.44.39.png
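
An added example, not part of any post in this thread: a status check that uses the System Report line where it exists (10.14.5) and falls back to the `sysctl` core counts quoted above where it does not (10.13.6). The function names and sample inputs are constructed for illustration.

```shell
# Added example: report Hyper-Threading (SMT) state with or without the
# "Hyper-Threading Technology" line in System Report.

# Reads `system_profiler SPHardwareDataType` output on stdin. Prints
# "enabled"/"disabled" when the line exists, nothing when it is absent.
smt_from_profiler() {
    awk '/Hyper-Threading Technology: / { print tolower($3); exit }'
}

# Reads `sysctl hw.physicalcpu hw.logicalcpu` output on stdin.
# Assumption: more logical than physical CPUs means SMT is active. Equal
# counts mean SMT is off, or the CPU has no Hyper-Threading at all.
smt_from_sysctl() {
    awk -F': *' '
        $1 == "hw.physicalcpu" { p = $2 }
        $1 == "hw.logicalcpu"  { l = $2 }
        END {
            if (p == "" || l == "") print "unknown"
            else if (l + 0 > p + 0) print "enabled"
            else print "disabled"
        }'
}

# smt_state PROFILER_TEXT SYSCTL_TEXT: prefer System Report, else core counts.
smt_state() {
    state=$(printf '%s\n' "$1" | smt_from_profiler)
    if [ -n "$state" ]; then
        echo "$state"
    else
        printf '%s\n' "$2" | smt_from_sysctl
    fi
}

# Constructed sample inputs (the 6/12 core counts match the 10.13.6 post).
SAMPLE_SYSCTL_HT_ON='hw.physicalcpu: 6
hw.logicalcpu: 12'
SAMPLE_SYSCTL_HT_OFF='hw.physicalcpu: 6
hw.logicalcpu: 6'
SAMPLE_PROFILER_10_14_5='      Total Number of Cores: 6
      Hyper-Threading Technology: Disabled'
SAMPLE_PROFILER_10_13_6='      Total Number of Cores: 6'

# On a real Mac, feed the live command output instead of the samples.
if command -v system_profiler >/dev/null 2>&1; then
    smt_state "$(system_profiler SPHardwareDataType)" \
              "$(sysctl hw.physicalcpu hw.logicalcpu)"
fi
```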
 

Raunien

macrumors 6502a
Aug 3, 2011
535
57
SPHardwareDataType is exactly the System Report > Hardware Overview. Since only the 10.14.5 SPHardwareDataType has the Hyper-Threading status, the command shown will not work with anything older than 10.14.5.

See here for 10.13.6 SPHardwareDataType:

View attachment 837443

That makes sense. I still don’t think disabling HT is possible on <10.14 just using the nvram commands Apple has on its support page. The logical cores still show up. Actually, I’m not even sure if it’s possible on 10.14.5. Someone please prove me wrong.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
That makes sense. I still don’t think disabling HT is possible on <10.14 just using the nvram commands Apple has on its support page. The logical cores still show up. Actually, I’m not even sure if it’s possible on 10.14.5. Someone please prove me wrong.
Disabling Hyper-Threading works perfectly with 10.13.6 + Security Update 2019-003:

This is from Recovery, grabbed manually via screencapture command:

SMTDisable.Recovery.png


Now, after Hyper-Threading disabling and shutdown:

Code:
system_profiler SPHardwareDataType; sysctl machdep.cpu.brand_string; sysctl hw.physicalcpu hw.logicalcpu

smt_disabled_terminal-png.837455


Edit:

144.0.0.0.0 is a pre-requisite for SMTDisable plus 10.12.6 + 2019-003, or 10.13.6 + 2019-003 or 10.14.5.

Since it's a NVRAM setting, you do it once, all your macOS installs that have the mitigation (10.12.6 + 2019-003, or 10.13.6 + 2019-003 or 10.14.5) will respect that.
 
Last edited:

Raunien

macrumors 6502a
Aug 3, 2011
535
57
Disabling Hyper-Threading works perfectly with 10.13.6 + Security Update 2019-003:

This is from Recovery, grabbed manually via screencapture command:

View attachment 837450

Now, after Hyper-Threading disabling and shutdown:

View attachment 837451

That’s good to hear. I wonder why the commands don’t work for me. Nvram -x shows the same for me. Do you have to be on 144.0.0.0 bootrom for it to work?
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
That’s good to hear. I wonder why the commands don’t work for me. Nvram -x shows the same for me. Do you have to be on 144.0.0.0 bootrom for it to work?
Don't really know, I'm on 144.0.0.0.0.
 

AlexMaximus

macrumors 65816
Aug 15, 2006
1,237
580
A400M Base
Don't really know, I'm on 144.0.0.0.0.

Thanks Alex for this extensive research, this blog is very helpful.
One question on the side from a colleague of mine: he got a 5,1 with 140.0.0 and did just the regular 10.14.5 upgrade in the store without doing the real new combo update to bootrom 144.0.0 as well. Everything works fine so far. Would you recommend updating from 140.0 to 144.0, or is it really cosmetic for most users?
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
Thanks Alex for this extensive research, this blog is very helpful.
One question on the side from a colleague of mine: he got a 5,1 with 140.0.0 and did just the regular 10.14.5 upgrade in the store without doing the real new combo update to bootrom 144.0.0 as well. Everything works fine so far. Would you recommend updating from 140.0 to 144.0, or is it really cosmetic for most users?
I talked about this before, 144.0.0.0.0 has a lot of improvements and corrections and it's needed for the Hyper-threading disable.

Everyone should upgrade to 144.0.0.0.0 now.
 

TzunamiOSX

macrumors 65816
Oct 4, 2009
1,057
434
Germany
I talked about this before, 144.0.0.0.0 has a lot of improvements and corrections and it's needed for the Hyper-threading disable.

Everyone should upgrade to 144.0.0.0.0 now.

I'm on 10.13.6 with an HFS volume and 140.0.0.0.0, and the Hyper-threading disable is not working.

Is there a "Stand-Alone" firmware update as we had with 140.0.0.0.0? I don't want to risk an APFS conversion.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I'm on 10.13.6 with an HFS volume and 140.0.0.0.0, and the Hyper-threading disable is not working.

Is there a "Stand-Alone" firmware update as we had with 140.0.0.0.0? I don't want to risk an APFS conversion.
Apple stopped stand alone firmware upgrades for Mac Pros in 2013.
 

LightBulbFun

macrumors 68030
Nov 17, 2013
2,900
3,195
London UK
I'm curious, has anyone tested the hyper-threading disable NVRAM command on an old bootROM version or such?

I'm curious if it's one of those EFI NVRAM variables that's always been there but no one's really found it, until Apple had a need to make it public

(a bit like the NVRAM variable that disables the dGPU on MBPs)

I have a 2009 Xserve I want to test it on, since that has a suitably old BootROM, but also has CPUs that support hyper threading, but due to back pains it might take me a while to drag it out and set it up.
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I'm curious, has anyone tested the hyper-threading disable NVRAM command on an old bootROM version or such?

I'm curious if it's one of those EFI NVRAM variables that's always been there but no one's really found it, until Apple had a need to make it public

(a bit like the NVRAM variable that disables the dGPU on MBPs)

I have a 2009 Xserve I want to test it on, since that has a suitably old BootROM, but also has CPUs that support hyper threading, but due to back pains it might take me a while to drag it out and set it up.
@Raunien tested 138.0.0.0.0 and it won't work. @TzunamiOSX tested 140.0.0.0.0 and it won't work either. I downgraded to 142.0.0.0.0 to test and totally forgot that I changed my single CPU tray to W3680 :mad:
 

tsialex

Contributor
Original poster
Jun 13, 2016
13,455
13,602
I just downgraded to 142.0.0.0.0 and redid all the SMTDisable process again to see if you can disable Hyper-threading with past BootROM versions, @Raunien tested 138.0.0.0.0 and @TzunamiOSX tested 140.0.0.0.0.

This is the result:

SMTDisable.Terminal.png


So, you can only disable Hyper-Threading with BootROM 144.0.0.0.0

Edit:

144.0.0.0.0 is a pre-requisite for SMTDisable plus 10.12.6 + 2019-003, or 10.13.6 + 2019-003 or 10.14.5.

Since it's a NVRAM setting, you do it once, all your macOS installs that have the mitigation (10.12.6 + 2019-003, or 10.13.6 + 2019-003 or 10.14.5) will respect that.
 
Last edited: