I don't understand why hyperthreading needs to be turned off for maximum security. Wouldn't restricting it to only allow simultaneous threads that are part of the same process be enough?
While that definitely restricts the attack surface, there are still situations where you are running untrusted code within a process (e.g., JITed code, whether JavaScript or something else like eBPF). So it would require not only the kernel scheduler to be careful about scheduling threads to cores, but these applications as well (which is not something most people have ever bothered with: setting thread affinity for performance, yes; for security, not really).
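As an added illustration of what "these applications as well" would have to do (example code, not from either post above): a process that runs untrusted JIT-compiled code on its own threads would need to read the SMT topology Linux exposes in `/sys/devices/system/cpu/cpuN/topology/thread_siblings_list` and pin those threads to CPUs that share no physical core with its trusted threads. The four-CPU topology below is constructed so the partitioning logic runs anywhere; the sysfs read and `sched_setaffinity()` call are only attempted when the files exist, and the `trusted` mask (CPU 0) is an assumption.

```c
// Added example, not code from the discussion above. Partitions CPUs so that
// threads running untrusted (e.g. JIT-compiled) code never share a physical
// core with trusted threads. Topology parsing is exercised on constructed
// sysfs-style strings; pinning uses the live host only if sysfs is readable.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CPUS 64

/* Parse a sysfs cpulist such as "0,4" or "0-3,8-11" into a CPU bitmask. */
unsigned long long parse_cpulist(const char *list) {
    unsigned long long mask = 0;
    const char *p = list;
    while (*p) {
        char *end;
        long lo = strtol(p, &end, 10);
        long hi = lo;
        if (end == p) break;                 /* no digits: trailing newline or junk */
        if (*end == '-') hi = strtol(end + 1, &end, 10);
        for (long c = lo; c <= hi && c < MAX_CPUS; c++)
            if (c >= 0) mask |= 1ULL << c;
        p = (*end == ',') ? end + 1 : end;
    }
    return mask;
}

/* siblings[c] is the sibling mask of CPU c (it always contains c itself).
 * Returns the CPUs that share no physical core with any CPU in `trusted`;
 * untrusted threads are confined to this set. */
unsigned long long untrusted_cpus(const unsigned long long *siblings, int ncpus,
                                  unsigned long long trusted) {
    unsigned long long allowed = 0;
    for (int c = 0; c < ncpus; c++)
        if ((siblings[c] & trusted) == 0)
            allowed |= 1ULL << c;
    return allowed;
}

/* Pin the calling thread to `mask`; returns 0 on success or an errno value. */
int pin_self(unsigned long long mask) {
    cpu_set_t set;
    CPU_ZERO(&set);
    for (int c = 0; c < MAX_CPUS; c++)
        if (mask & (1ULL << c)) CPU_SET(c, &set);
    return sched_setaffinity(0, sizeof set, &set) == 0 ? 0 : errno;
}

/* Sibling mask of one CPU from sysfs, or 0 if the file is not available. */
unsigned long long read_siblings(int cpu) {
    char path[128], buf[256];
    snprintf(path, sizeof path,
             "/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list", cpu);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    unsigned long long m = fgets(buf, sizeof buf, f) ? parse_cpulist(buf) : 0;
    fclose(f);
    return m;
}

int main(void) {
    /* Constructed topology: CPUs 0/2 are SMT siblings, as are CPUs 1/3. */
    unsigned long long topo[4] = { parse_cpulist("0,2"), parse_cpulist("1,3"),
                                   parse_cpulist("0,2"), parse_cpulist("1,3") };
    unsigned long long trusted = 1ULL << 0;           /* assumption: trusted work on CPU 0 */
    unsigned long long sandbox = untrusted_cpus(topo, 4, trusted);
    printf("constructed topology: untrusted threads may use mask 0x%llx\n", sandbox);

    /* On a real Linux host, derive the mask from sysfs and pin this thread. */
    unsigned long long live[MAX_CPUS];
    int n = 0;
    for (; n < MAX_CPUS; n++) {
        live[n] = read_siblings(n);
        if (!live[n]) break;
    }
    if (n > 1) {
        unsigned long long m = untrusted_cpus(live, n, trusted);
        if (m) printf("live host: pin_self(0x%llx) -> %d\n", m, pin_self(m));
    }
    return 0;
}
```

The point the example makes is the one the answer raises: disabling SMT or using a core-aware kernel scheduler is a single global switch, whereas affinity partitioning has to be done per application, kept consistent with the host's actual sibling layout, and redone when threads are created, which is why almost nobody does it.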