No MDS-style attack patching for older MacPros - now what?

[mrtang42]

Ha, yes, the highs and lows... I’ve been in negotiation this week to buy a backup single-processor cMP 5,1 in case anything fails on my main machine. Price is $300 with 16GB ram, so it seemed like a good deal; now with all the uncertainty around continued support I’m kind of wavering on the purchase...

Here in Seattle, you can find a duel CPU cMP 4,1 for that price in some electronic recycling store.

 

[Lycestra]

It's not understood yet how this apps like CPU-Setter do it. Apple solution uses the firmware to do it, so the kernel already boots with Hyper-Threading disabled.

For now, we need to understand even if the way these apps work really mitigates the MDS attacks.

Apple also has a checkbox in Instruments (part of Xcode) to disable it, but my limited checks seemed to show that the system profiler doesn't show either of these disable hyperthreading.. but that's according to system profiler. I've had a thought that these solutions might drop the number of enabled cores in half and expect the scheduler to prefer distributing running threads evenly among the physical cores before burdening them with a second simultaneous thread (hyperthreading), which would effectively not use hyperthreading if it actually works like that and the number of enabled logical cores matches the number of physical cores. Could also be that the system profiler check isn't checking hardware, but actually checking that your nvram is set to disable it, or some other non-hardware property of a so-configured system.

Just a few thoughts.

 

[racer]

I've upgraded to 144 and disabled HT to see if I could live with it.
I do some light VM work, photo editing, and office work. With my setup (see sig) apart from higher cpu activity in istat didn't notice any difference load wise.

btw: my hynix memory is recognised as 1333MHz with the new firmware, nice.

 

[MVMNT]

I guess if I do disable HT, I can always install that dual CPU tray i've just bought and not feel like it's taken a massive hit from what I already have, as it was usable for what I need.

 

[0134168]

Apple provided most mitigations with Safari. If you only use Safari, have good secure browsing habits and restrict which apps you install, you are reasonable safe even with SMT enabled.

Until a worm like Conficker is developed that can use the MDS vulnerabilities to exfiltrate data, probably via ad networks, common people (not targeted persons like Human rights activists around the globe, for example) should not worry to much. But if you are a targeted person, you shouldn't be using macOS anyway.

There are lot's of easier vectors than the MDS vulnerabilities. Remember that the most successful attacks are the social engineering ones. Don't click on everything, don't install everything. Use your best behaviour when on the internet, etc, etc.

Wise, as usual.

 

[The Spirit]

how can i disable HT?

 

[MarkC426]

https://forums.macrumors.com/thread...e-to-disable-hyper-threading.2132317/page-140
Refer to post #3481
FYI you need to be on fw 144 also

 

[MarkC426]

To re-enable HT, using Apple’s method with an nvram reset, what settings will this mess up?
Alternatively can you a do a ‘reverse’ typing in the terminal?

 

[MarkC426]

Again....doing an nvram reset, what will this mess up?
I understand it can effect the start up disk, if it changes my current disk selection to say my original hdd (snow leopard), with having an rx580 I would not be able to get back to proper startup disk.

 

[bsbeamer]

Have you taken the time to read this document from Apple?
https://support.apple.com/en-us/HT204063

Pretty easy way around disk selection issues if they arise and you cannot figure out ANY other workaround to resolve - only put ONE BOOTABLE DRIVE in the machine, then startup. If you have a drive with multiple partitions, it's a harder issue to workaround so would suggest you make a BOOTABLE CLONE (Carbon Copy Cloner) of the partition(s) to single SATA SSD/HDD drives.

There are many ways around this, however - search this forum...

 

[MarkC426]

Can you not restart again in recovery but instead of typing ‘nvram SMTDisable=%01’, is there a re-enabling command (maybe nvram SMTEnable=%01).

 

[tsialex]

Can you not restart again in recovery but instead of typing ‘nvram SMTDisable=%01’, is there a re-enabling command (maybe nvram SMTEnable=%01).

Just clear the NVRAM 3 times or delete each setting with nvram -d.

 

[AidenShaw]

Just clear the NVRAM 3 times or delete each setting with nvram -d.

What is the nonsense about clearing NVRAM more than once?

Reminds me of Solaris SPARC in the last millennium where the normal shutdown command was "sync; sync; sync; halt" (or something like that - flush the disks three times, then halt).

 

[tsialex]

What is the nonsense about clearing NVRAM more than once?

Reminds me of Solaris SPARC in the last millennium where the normal shutdown command was "sync; sync; sync; halt" (or something like that - flush the disks three times, then halt).

If you are not joking and really want to know:

Doing just one NVRAM cleaning process removes basic settings like default boot device, while three removes all user accessible settings and forces the reconfiguration of RAM parameters stored in the non user accessible part of the NVRAM, re-reading the SPD.

 

[AidenShaw]

If you are not joking and really want to know:

Doing just one NVRAM cleaning process removes basic settings like default boot device, while three removes all user accessible settings and forces the reconfiguration of RAM parameters stored in the non user accessible part of the NVRAM, re-reading the SPD.

Thank you. Yes, I really wanted to know.

 

[tsialex]

Thank you. Yes, I really wanted to know.

The process needs to be sequential, three times. If you do one and boot something, the deeper cleaning won't work.

Doing it three times clear other non-user accessible things too with older/non T2/T3 Macs, like iCloud account, user name, Wi-Fi credentials, etc.

 

[MarkC426]

That’s my point, I don’t want to have to set ‘everything’ up again.
I thought there may have been a ‘reverse’ command you could type in terminal to re-enable it.

I will probably have to take out my old 10.6 spinner, as that was the original drive, so presumably this would be set as the new startup disk after nvram, and my rx580 wouldn’t be recognised?

On a side note, would the xcode method work to temporarily activate HT (if it has been permanently turned off) or does it only work the other way.

 

[Demigod Mac]

Let's consider a typical user on this forum and their Mac.

Probably safe to assume that:
* Mac's OS is up to date
* Mac's web browser is up-to-date
* An adblock extension is installed (to block malvertising attacks)
* Mac is behind a router+firewall that has the latest firmware loaded
* The Mac's user is careful about file download sources

I'm curious how someone who takes all of the above precautions could realistically fall victim to an MDS attack,
to the point where the risk is great enough to be worth disabling hyperthreading and giving up the performance.

 

[AidenShaw]

where the risk is great enough to be worth disabling hyperthreading and giving up the performance

...weighed against the fact that hyperthreading seldom gives a big performance boost.

 

[MarkC426]

Let's consider a typical user on this forum and their Mac.

Probably safe to assume that:
* Mac's OS is up to date
* Mac's web browser is up-to-date
* An adblock extension is installed (to block malvertising attacks)
* Mac is behind a router+firewall that has the latest firmware loaded
* The Mac's user is careful about file download sources

I'm curious how someone who takes all of the above precautions could realistically fall victim to an MDS attack,
to the point where the risk is great enough to be worth disabling hyperthreading and giving up the performance.

What is a good adblocker, there are loads on the app store.
I don’t mind paying.

 

[crjackson2134]

I use Wipr. It works well on my cMP, iPads, and iPhones.

 

[MarkC426]

Hyperthreading disabled......again.