Intel bug incoming? Meltdown and Spectre exploits

[smilingcrow]

My sentiments entirely. If there are fixes / updates to circumvent Spectre I will surely apply them. At the moment I am very relived that I do not have the hasle of Meltdown or the system degradation that the Meltdown fixes will incur.
Intel have and still are knowingly screwing their customers.

I was about to build a desktop for DAW usage and Intel dominates in that class by a very long margin in some areas but right now that is on hold.
From what I've seen Meltdown isn't the issue for me but the uncertainty of Spectre and in general.
I'll wait for Zen+ and the APUs as by then hopefully the picture will be clearer.
I've ignored the incoming Ryzen APUs due to poor DAW performance of the original Zen so will have to take a look and see what Core and Process they are using.
Are they Zen or Zen+?

 

[smilingcrow]

Intel no longer make discrete motherboards but they do produce boards for their own NUCs although not sure if that is done in-house or not?
So do they even have the facilities to issue BIOS updates for Intel branded boards from 4+ years ago?
I presume they have the source code etc but a timely update might not be possible.

 

[humbug]

Motherboard manufacturers and/or Intel will just say the hardware is out of warranty/support period.

Well mine isn't and i have already logged a support ticket with Gigabyte, now that you say that i'm also going to log one with Intel, i would suggest everyone no matter how old your CPU and motherboard you enquire the security of your system and the possibility of a fix for it with both Intel and your Motherboard vendor.

Intel may like to use a technicality like that to stick their fingers up at you and be that as it may 'make them do it'

 

[Rroff]

I'll just repeat again its worth making sure you are on Firefox 57.0.4 update (and/or checking your browser if using something different for an update to protect against these vulnerabilities) as this will be the biggest weak point to them for most people.

 

[DragonQ]

The thing is they will start to see big headlines in the coming months, lawsuits, some big name company jumping ship from Intel to AMD, stock dropping. So headlines of how "good guy Intel provides support for older platforms and saves users money" are the kinds of headlines they might be desperate for in the coming months.

I'm not sure they are smart enough to do that, as everything about this has been about saying our bad, but we're putting everything we have into fixing everything we can, they kinda went, yeah but everyone else is as bad as us only for every single site out there to call Intel idiots and point out that AMD, ARM and probably Apple are no where near as badly effected as they are.

Won't happen. Not only would Intel have to provide the microcode updates, they would have to get every motherboard manufacturer to create new BIOS versions for dozens of models, most of which are end of life. Technically just the microcode updates would be nice since advanced users can install them manually but 99.99% of people will not do this. Hell, even if BIOS updates are miraculously rolled out, 99.9% of people won't install those either.

 

[Spyhop]

Won't happen. Not only would Intel have to provide the microcode updates, they would have to get every motherboard manufacturer to create new BIOS versions for dozens of models, most of which are end of life.

Motherboard vendors have enough difficulty delivering quality BIOSes for their contemporary products. If they're made to dredge up dusty codebases and toolchains to come up with BIOS updates for old products, odds are they'll make a meal of it and do more harm than good (i.e. brick boards, cause major instability, ...)

 

[Cromulent]

Heh, just remembered I have to update my gaming laptop as well which I hardly use. So still waiting for Asus and MSI to release updated BIOS fixes. Hopefully the laptop will get a patch as it is only a year and a half old or so.

 

[stockhausen]

What we know so far:

• CPUs sold by Intel over the past ten or so years have a significant design fault which has made them potentially insecure.
• CPUs sold by AMD and ARM have also had a design fault but it is not so severe.
• Changes have to be made in the Operating System (Windows, Linux, etc.) and in the Basic Input/Output System code (BIOS) used by the Motherboard in order to deal with these design faults .
• The result of these changes is an increase in security at the expense of reduced performance, potentially by as much as 30% but probably typically nearer to 5%.
• The increasingly popular Solid State Disks (SSDs) seem to be adversely affected by the required changes.

What we can reasonably assume:

• Intel, AMD and ARM have spent the past six months working on a short-term fix for existing CPUs and a fundamental redesign to prepare the next generation of CPUs that will not suffer from this problem.
• Microsoft is in the process of rolling out OS updates, probably only for supported versions of Windows, e.g. all flavours of 7, 8 & 10.
• Upcoming versions of Linux and other Operating Systems software will also be suitably patched.
• Most Motherboard manufacturers will in due course make available BIOS updates for some (but probably only more recent) Motherboards.
• AMD are feverishly ramping up their manufacturing capability in the hope of capturing some of Intel's market share.

What I predict:

• Intel, AMD and ARM will in due course release new CPUs with changes to avoid this particular bug.
• Intel, AMD and ARM may in very few cases compensate some major customers for the reduction in performance.
• Based on the principle of “Supply and Demand”, CPU prices will be higher in the future.
• The CEO of Intel will resign to take up some lucrative new post elsewhere and will receive a substantial severance package.
  
• Various Jackals in the USA (or Attorneys as they call themselves) will file Class Actions in the hope of getting still richer.
• There will still be 24 hours in a day and 365¼ days in the year.

 

[AmateurExpert]

So why pretend to try to fix something with a dodgy bandaid that is being proven and untested that breaks even more stuff.

Ha - though you could be a little more charitable - at least on Linux the kernel guys have been working for several weeks on developing and testing patches, and there's no functional breakage (just perf hits) - I expect it's similar on the Microsoft side, but there's the added complication of some people not having already had the Fall Creator's Update (which already has its own problems).

It's the usual thing of having to pick the lesser of two evils, nothing new.

that article is stupidly misleading

Glad someone else has spotted it
Unfortunately it takes a while to activate an account on their site to post a comment or correction.

Spectre seems to be more of an unknown in terms of how it will unfold

Yeah - they did say it was so named as it'll keep haunting us . Meltdown is a big explosion that's almost completely in Intel-land while Spectre is a smouldering fire almost everywhere.

Perfect time to go AMD then?

I'd wait until the popcorn's finished first!

Motherboard manufacturers and/or Intel will just say the hardware is out of warranty/support period.

Technology is a double-edged sword; we love the ever-increasing utility and performance that the incessant evolution brings, but the larger players in the industry do thrive on planned obsolescence.

Motherboard vendors have enough difficulty delivering quality BIOSes for their contemporary products. If they're made to dredge up dusty codebases and toolchains to come up with BIOS updates for old products, odds are they'll make a meal of it and do more harm than good (i.e. brick boards, cause major instability, ...)

Sadly while all that should be needed in most cases is to take their last stable BIOS release code, package the CPU manufacturer-supplied microcode blob with it and re-release with no further changes - I expect there's more effort involved just in dealing with administrative overheads - and they'll still find a way to make a mess of it.

Upcoming versions of Linux and other Operating Systems software will also be suitably patched.

Existing LTS versions will also be patched too. The BSD people are working on their own equivalent updates (I'd link to an article, but it's got too much swearing in it!) despite the OpenBSD kernel devs being ignored by Intel on Meltdown (they had to find out just like the rest of us).

• Various Jackals in the USA (or Attorneys as they call themselves) will file Class Actions in the hope of getting still richer.

They already have. It's just a question of how many more.

 

[Randomface74]

This seems worth doing
http://www.chromium.org/Home/chromium-security/site-isolation

 

[smilingcrow]

This seems worth doing
http://www.chromium.org/Home/chromium-security/site-isolation

I activated it yesterday and so far no issues.
It does increase RAM usage by another 15 or 20% which has Chrome using about 3GB on my laptop which has a fixed 8GB.

 

[jigger]

What we know so far:

• CPUs sold by Intel over the past ten or so years have a significant design fault which has made them potentially insecure.
• CPUs sold by AMD and ARM have also had a design fault but it is not so severe.
• Changes have to be made in the Operating System (Windows, Linux, etc.) and in the Basic Input/Output System code (BIOS) used by the Motherboard in order to deal with these design faults .
• The result of these changes is an increase in security at the expense of reduced performance, potentially by as much as 30% but probably typically nearer to 5%.
• The increasingly popular Solid State Disks (SSDs) seem to be adversely affected by the required changes.

What we can reasonably assume:

• Intel, AMD and ARM have spent the past six months working on a short-term fix for existing CPUs and a fundamental redesign to prepare the next generation of CPUs that will not suffer from this problem.
• Microsoft is in the process of rolling out OS updates, probably only for supported versions of Windows, e.g. all flavours of 7, 8 & 10.
• Upcoming versions of Linux and other Operating Systems software will also be suitably patched.
• Most Motherboard manufacturers will in due course make available BIOS updates for some (but probably only more recent) Motherboards.
• AMD are feverishly ramping up their manufacturing capability in the hope of capturing some of Intel's market share.

What I predict:

• Intel, AMD and ARM will in due course release new CPUs with changes to avoid this particular bug.
• Intel, AMD and ARM may in very few cases compensate some major customers for the reduction in performance.
• Based on the principle of “Supply and Demand”, CPU prices will be higher in the future.
• The CEO of Intel will resign to take up some lucrative new post elsewhere and will receive a substantial severance package.
  
• Various Jackals in the USA (or Attorneys as they call themselves) will file Class Actions in the hope of getting still richer.
• There will still be 24 hours in a day and 365¼ days in the year.

Pretty much, although I'd add Microsoft's updates will b0rk a lot of middleware and the final fix will be a long way off and will never solve every problem 100%.

 

[x-st]

Based on the principle of “Supply and Demand”, CPU prices will be higher in the future.

I'm too poorly versed in this to have a clue what this really means - do you mean that everyone will want a new updated CPU with the problems eliminated leading to a paucity of stock?

 

[stockhausen]

I'm too poorly versed in this to have a clue what this really means - do you mean that everyone will want a new updated CPU with the problems eliminated leading to a paucity of stock?

Major multinational corporations (Google, Amazon, Facebook, etc.) will continue to need processing power, they also need secure hardware; they are pragmatic, Intel screwed up but they have the production capacity.

I have no doubt that the next generation of Intel CPUs will sell like hot silicon. I expect that AMD will also do quite well.

 

[TrixP10]

What we know so far:

• CPUs sold by Intel over the past ten or so years have a significant design fault which has made them potentially insecure.
• CPUs sold by AMD and ARM have also had a design fault but it is not so severe.
• Changes have to be made in the Operating System (Windows, Linux, etc.) and in the Basic Input/Output System code (BIOS) used by the Motherboard in order to deal with these design faults .
• The result of these changes is an increase in security at the expense of reduced performance, potentially by as much as 30% but probably typically nearer to 5%.
• The increasingly popular Solid State Disks (SSDs) seem to be adversely affected by the required changes.

What we can reasonably assume:

• Intel, AMD and ARM have spent the past six months working on a short-term fix for existing CPUs and a fundamental redesign to prepare the next generation of CPUs that will not suffer from this problem.
• Microsoft is in the process of rolling out OS updates, probably only for supported versions of Windows, e.g. all flavours of 7, 8 & 10.
• Upcoming versions of Linux and other Operating Systems software will also be suitably patched.
• Most Motherboard manufacturers will in due course make available BIOS updates for some (but probably only more recent) Motherboards.
• AMD are feverishly ramping up their manufacturing capability in the hope of capturing some of Intel's market share.

What I predict:

• Intel, AMD and ARM will in due course release new CPUs with changes to avoid this particular bug.
• Intel, AMD and ARM may in very few cases compensate some major customers for the reduction in performance.
• Based on the principle of “Supply and Demand”, CPU prices will be higher in the future.
• The CEO of Intel will resign to take up some lucrative new post elsewhere and will receive a substantial severance package.
  
• Various Jackals in the USA (or Attorneys as they call themselves) will file Class Actions in the hope of getting still richer.
• There will still be 24 hours in a day and 365¼ days in the year.

Nope

What we know so far: - Concerning INTEL CPU's

Fixed it for you

 

[stockhausen]

Nope

What we know so far: - Concerning INTEL CPU's

Fixed it for you

Feel free to add to my comments about what we know so far in relation to CPUs from sources other than Intel, I would certainly be interested.

The point I was trying to make is that in a year's time, none of this will matter - in the meantime, buy Intel shares

 

[TrixP10]

I'm desperately hanging on to my AMD shares, oh, the worry

 

[AmateurExpert]

I activated it yesterday and so far no issues.
It does increase RAM usage by another 15 or 20% which has Chrome using about 3GB on my laptop which has a fixed 8GB.

I have saw one site where a 3rd party text entry box (I think it was a Disqus box) failed to accept input. Even then, it's easy to hop over to Firefox 57.0.4 for the odd page that doesn't work for whatever reason.

I'm too poorly versed in this to have a clue what this really means - do you mean that everyone will want a new updated CPU with the problems eliminated leading to a paucity of stock?

If the patches are deemed effective enough I doubt there'll be wholesale CPU replacement. There will be some cloud providers and VM hosts that need immediate and ongoing (as scaling is worse) extra CPU resources to mitigate the performance hit of the patches, but some may be fortunate to find suitable application optimisations quickly enough.

made them potentially insecure

It's less "potentially" and more "demonstrably". Back in July when Anders Fogh published his blog the incorrect speculative execution was just a potential vulnerability, but The Register already reported a working proof of concept: "A PhD student at the systems and network security group at Vrije Universiteit Amsterdam has developed a proof-of-concept program that exploits the Chipzilla flaw to read kernel memory from user mode". There is also this video of a separate proof of concept also exploiting Meltdown.

Feel free to add to my comments about what we know so far in relation to CPUs from sources other than Intel, I would certainly be interested

There is already a lot of info compiled in this article by The Register, to which I'd add this listing of affected CPUs published by Intel.

 

[drunkenmaster]

Feel free to add to my comments about what we know so far in relation to CPUs from sources other than Intel, I would certainly be interested.

The point I was trying to make is that in a year's time, none of this will matter - in the meantime, buy Intel shares

AMD don't need a fundamental redesign in architecture. They are immune to Meltdown precisely because they do things the correct way in that it costs more performance to run a permission check before rather than after the crucial point that lets Intel chips be vulnerable. Same goes for variant 2 of Spectre, AMDs fundamental design makes them effectively immune to it. Intel needs a fairly large change to fix both these issues and is very vulnerable to both due to architecture. Variant 1 is a little unclear, AMD only seem to be effected in one situation with an incredibly easy fix.

Also it's highly unlikely Intel will fix these in their next generation chips, it takes 18 months to tape out a cpu once design is finalised, meaning a chip due to come out a year from today required finalised design 6 months ago and it will likely take some time to fix. I think the concept for the fixes will be quite simple, the problem is everything is set to work in a specific order in a specific way so even a small change that they know how to make for the fix will likely cause lots of other smaller things needing to be worked out.

That will be the really big pain for Intel, AMD will presumably use the '12nm' process for EPYC as well and will be churning them out as fast as possible, making them slightly smaller, potentially slightly faster, slightly better power/performance ratio and that might be from say mid next year for Epyc. Up margins a little as demand is likely very high. Then you have Zen 2 at 7nm potentially early in 2019, before Intel has a chance to launch a fixed architecture AMD will seemingly have 48 cores per EPYC chip, higher clock speeds, higher single thread performance, likely higher memory support and higher infinity fabric speed all leading to improved performance and much improved core density in a rack. It wouldn't be entirely surprising if AMD are planning to move towards 4 socket systems with Zen 2, its a lot of work to validate so makes sense AMD skipped it this gen but as demand increases and maybe vastly more than they thought before this, then 4 socket could be extremely lucrative and a potentially easy jump into high market share due to the security issues. IE if and when they become available companies might be desperate for them. Without the security issue AMD would be launching 4 socket systems into a market 100% dominated by Intel so less potential for the payback. Now they could potentially launch 4 socket systems up the margins considerably and still have companies desperate for them.

For AMD if Intel doesn't have this fixed by Zen 2, it will likely be a genuinely massive massive year for AMD in 2019.

 

[Rroff]

AMD don't need a fundamental redesign in architecture. They are immune to Meltdown precisely because they do things the correct way in that it costs more performance to run a permission check before rather than after the crucial point that lets Intel chips be vulnerable. Same goes for variant 2 of Spectre, AMDs fundamental design makes them effectively immune to it. Intel needs a fairly large change to fix both these issues and is very vulnerable to both due to architecture. Variant 1 is a little unclear, AMD only seem to be effected in one situation with an incredibly easy fix.

Also it's highly unlikely Intel will fix these in their next generation chips, it takes 18 months to tape out a cpu once design is finalised, meaning a chip due to come out a year from today required finalised design 6 months ago and it will likely take some time to fix. I think the concept for the fixes will be quite simple, the problem is everything is set to work in a specific order in a specific way so even a small change that they know how to make for the fix will likely cause lots of other smaller things needing to be worked out.

That will be the really big pain for Intel, AMD will presumably use the '12nm' process for EPYC as well and will be churning them out as fast as possible, making them slightly smaller, potentially slightly faster, slightly better power/performance ratio and that might be from say mid next year for Epyc. Up margins a little as demand is likely very high. Then you have Zen 2 at 7nm potentially early in 2019, before Intel has a chance to launch a fixed architecture AMD will seemingly have 48 cores per EPYC chip, higher clock speeds, higher single thread performance, likely higher memory support and higher infinity fabric speed all leading to improved performance and much improved core density in a rack. It wouldn't be entirely surprising if AMD are planning to move towards 4 socket systems with Zen 2, its a lot of work to validate so makes sense AMD skipped it this gen but as demand increases and maybe vastly more than they thought before this, then 4 socket could be extremely lucrative and a potentially easy jump into high market share due to the security issues. IE if and when they become available companies might be desperate for them. Without the security issue AMD would be launching 4 socket systems into a market 100% dominated by Intel so less potential for the payback. Now they could potentially launch 4 socket systems up the margins considerably and still have companies desperate for them.

For AMD if Intel doesn't have this fixed by Zen 2, it will likely be a genuinely massive massive year for AMD in 2019.

Could be a pretty big setback for Intel - despite outward appearances they've been desperately trying to pull 10nm forward - this could really put a spanner in the works.