Is HPET recommended for x86 instance?
Hello Community Experts,
I found that to enable the HPET timer for x86 guests, the operator should set hw_time_hpet on the given image. By default, HPET is disabled. My question is what are the pros and cons for using HPET?
Thanks.
-- Best Regards, Jiatong Shen
On 27/10/2024 02:07, Jiatong Shen wrote:
> Hello Community Experts,
> I found that to enable the HPET timer for x86 guests, the operator should set hw_time_hpet on the given image.
Image properties are primarily for end users to express the requirements of images they upload rather than for operators, but they can be set by operators too.
> By default, HPET is disabled. My question is what are the pros and cons for using HPET?
It's off by default because there are some security concerns with access to the HPET and the minimal performance overhead it introduces.
Support was added in https://github.com/openstack/nova/commit/9e884de68af9b83a92850e823cae152cfe8...
The HPET is generally not required by almost any application, but it does provide more precision but higher overhead.
In general, unless you need it you should leave it disabled.
The security concern is just that if you provide a high-precision time source to a guest, it can help execute timing-based attacks leveraging some of the CPU vulnerabilities that leverage speculative execution. In practice this is not very practical to exploit, so the HPET is generally considered safe.
> Thanks.
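Added example, not part of the thread and not Nova's own code: a small audit that reports which guests do not have the HPET explicitly disabled. It assumes the compute hosts use libvirt, where the timer appears as a <timer name='hpet'> element under <clock> in the domain XML (as printed by virsh dumpxml); the domain names and XML below are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML samples (not taken from the thread).
SAMPLE_DOMAINS = {
    "guest-default": """<domain type='kvm'><name>guest-default</name>
      <clock offset='utc'>
        <timer name='pit' tickpolicy='delay'/>
        <timer name='rtc' tickpolicy='catchup'/>
        <timer name='hpet' present='no'/>
      </clock></domain>""",
    "guest-hpet": """<domain type='kvm'><name>guest-hpet</name>
      <clock offset='utc'>
        <timer name='rtc' tickpolicy='catchup'/>
        <timer name='hpet' present='yes'/>
      </clock></domain>""",
    "guest-unset": """<domain type='kvm'><name>guest-unset</name>
      <clock offset='utc'>
        <timer name='rtc' tickpolicy='catchup'/>
      </clock></domain>""",
}


def hpet_state(domain_xml):
    """Classify one domain as 'enabled', 'disabled' or 'unspecified'."""
    root = ET.fromstring(domain_xml)
    for timer in root.findall("./clock/timer"):
        if timer.get("name") != "hpet":
            continue
        present = timer.get("present")
        if present == "yes":
            return "enabled"
        if present == "no":
            return "disabled"
    # No hpet timer, or no explicit 'present' value: the hypervisor's
    # own default decides, so the guest needs a manual look.
    return "unspecified"


def audit(domains):
    """Return {name: state} for every guest whose HPET is not explicitly off."""
    states = {name: hpet_state(xml) for name, xml in domains.items()}
    return {name: s for name, s in states.items() if s != "disabled"}


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_DOMAINS).items()):
        print(f"{name}: hpet {state}")
```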
Thank you very much. We found that Windows guests will use RTC (146818 in QEMU) as a timer. If the timing on the host machine goes backwards, there is a chance the guest could crash. Have you ever observed such behavior, and can you share some advice on such situations?
Thank you.
Best, Jiatong Shen
On Tue, Oct 29, 2024 at 7:18 AM Sean Mooney <smooney@redhat.com> wrote:
> On 27/10/2024 02:07, Jiatong Shen wrote:
>> Hello Community Experts,
>> I found that to enable the HPET timer for x86 guests, the operator should set hw_time_hpet on the given image.
> Image properties are primarily for end users to express the requirements of images they upload rather than for operators, but they can be set by operators too.
>> By default, HPET is disabled. My question is what are the pros and cons for using HPET?
> It's off by default because there are some security concerns with access to the HPET and the minimal performance overhead it introduces.
> Support was added in https://github.com/openstack/nova/commit/9e884de68af9b83a92850e823cae152cfe8...
> The HPET is generally not required by almost any application, but it does provide more precision but higher overhead.
> In general, unless you need it you should leave it disabled.
> The security concern is just that if you provide a high-precision time source to a guest, it can help execute timing-based attacks leveraging some of the CPU vulnerabilities that leverage speculative execution. In practice this is not very practical to exploit, so the HPET is generally considered safe.
>> Thanks.
-- Best Regards, Jiatong Shen