Core-Scheduling For Linux 5.14 To Reduce SMT/HT Information Leak Risks, Side Channels
Among the early pull requests for the just-opened Linux 5.14 merge window are the scheduler updates, which include the introduction of Core Scheduling. The Core Scheduling functionality has been in the works for the past few years by multiple vendors as a way of better securing SMT systems after the various vulnerabilities that came to light around Hyper Threading.
Core-Scheduling is finally going mainline for Linux 5.14. Linux core scheduling has been worked on by hyperscalers and public cloud providers to improve security without disabling Hyper Threading. The functionality amounts to controlling which tasks may share a physical CPU core and ensuring that potentially unsafe tasks never run on the sibling thread of a trusted task. Because trusted and untrusted tasks are kept from sharing a core by way of HT/SMT, providers can more comfortably keep Hyper Threading enabled, which for public clouds is particularly important given the number of "vCPUs" they can offer per server.
This coordinated scheduling across SMT siblings is managed via new prctl() options that place tasks into core scheduling groups; only tasks in the same group are allowed to share a core's siblings, with the aim of reducing information leaks and side channels. Core scheduling can also help in ensuring more deterministic performance on SMT systems.
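As an added illustration (not code from the article or from the kernel tree) of the prctl() interface described above, the following C program creates a core scheduling cookie for the calling task, reads it back, and checks that a forked child inherits it. The `PR_SCHED_CORE*` constants and the pid-type values are the ones in the 5.14 `include/uapi/linux/prctl.h`; the `#ifndef` guards only exist so it compiles against older headers. The `cs_*` function names and the `cs_result` enum are this example's own. On a kernel without core scheduling (or under a seccomp sandbox that filters prctl) the demo reports "unsupported" instead of failing.

```c
// Added example: exercising the Linux 5.14 core-scheduling prctl() interface.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values from include/uapi/linux/prctl.h (Linux 5.14); guarded for old headers. */
#ifndef PR_SCHED_CORE
#define PR_SCHED_CORE            62
#define PR_SCHED_CORE_GET        0
#define PR_SCHED_CORE_CREATE     1
#define PR_SCHED_CORE_SHARE_TO   2
#define PR_SCHED_CORE_SHARE_FROM 3
#endif
/* arg4 is the kernel's enum pid_type: a single task, a thread group, or a process group. */
#define CS_PIDTYPE_PID  0
#define CS_PIDTYPE_TGID 1
#define CS_PIDTYPE_PGID 2

enum cs_result { CS_OK = 0, CS_UNSUPPORTED = 1, CS_FAILED = 2 };

/* Read the cookie of pid (0 = caller). Returns 0 on success or -errno. */
static int cs_get_cookie(pid_t pid, unsigned long *cookie)
{
    *cookie = 0;
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, pid, CS_PIDTYPE_PID,
              (unsigned long)cookie) != 0)
        return -errno;
    return 0;
}

/* Give pid (and, for TGID/PGID, every task in that group) a brand-new cookie. */
static int cs_create_cookie(pid_t pid, int pid_type)
{
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, pid, pid_type, 0UL) != 0)
        return -errno;
    return 0;
}

/* EINVAL: kernel built without CONFIG_SCHED_CORE rejects the prctl option.
   ENOSYS/EPERM: the syscall itself is filtered (e.g. seccomp in a sandbox). */
static int cs_unsupported_errno(int err)
{
    return err == EINVAL || err == ENOSYS || err == EPERM;
}

enum cs_result cs_demo(void)
{
    unsigned long before = 0, after = 0, child_cookie = 0;
    int rc, status = 0;

    rc = cs_get_cookie(0, &before);          /* 0 means "no cookie": unconstrained */
    if (rc != 0)
        return cs_unsupported_errno(-rc) ? CS_UNSUPPORTED : CS_FAILED;

    /* From here on only tasks holding the same cookie may run on our SMT sibling;
       the scheduler keeps the sibling idle rather than pair us with anyone else. */
    rc = cs_create_cookie(0, CS_PIDTYPE_PID);
    if (rc != 0)
        return cs_unsupported_errno(-rc) ? CS_UNSUPPORTED : CS_FAILED;
    if (cs_get_cookie(0, &after) != 0 || after == 0)
        return CS_FAILED;

    /* Cookies are inherited across fork(), so a worker tree stays in one trust
       domain without every worker calling prctl() itself. */
    pid_t child = fork();
    if (child < 0)
        return CS_FAILED;
    if (child == 0)
        _exit(cs_get_cookie(0, &child_cookie) == 0 && child_cookie == after ? 0 : 1);
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return CS_FAILED;
    return CS_OK;
}

int main(void)
{
    switch (cs_demo()) {
    case CS_OK:          puts("core scheduling: cookie created and inherited by child"); return 0;
    case CS_UNSUPPORTED: puts("core scheduling: not available on this kernel/sandbox"); return 0;
    default:             puts("core scheduling: unexpected failure"); return 1;
    }
}
```

The `PR_SCHED_CORE_SHARE_TO` and `PR_SCHED_CORE_SHARE_FROM` operations (defined above but not exercised) copy an existing cookie to or from another task, which is how a supervisor places an already-running, unrelated process into the same group; they are subject to the usual ptrace-style permission check on the target task.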
Along with the Core Scheduling, other scheduler patches for Linux 5.14 include a new burstable CFS controller via cgroups for bursty CPU-bound workloads to borrow against their future quota. The scheduler work this cycle also has a number of fixes and other tweaks.
Ingo Molnar sent in those scheduler updates today along with the other areas of the kernel he oversees. Also worth calling out are timers/nohz updates with a number of optimizations there.