Intel bug incoming? Meltdown and Spectre exploits

Ouch, anyone seen Linus Torvalds' latest rant at Intel? There's a thread on the AMD reddit linking to it https://www.reddit.com/r/Amd/comments/7s3rnr/linus_torvalds_on_current_meltdownspectre_patches/

Seems Mr Torvalds doesn't suffer fools lightly lol

A quote from one of the posters who summed up what Linus Torvalds' beef is

"Sorry, the other people replying are wrong. Linus is pointing out that Intel are planning on simply fixing what is known as "Meltdown", and thus have allocated a bit in a CPU information register to indicate that this CPU isn't vulnerable to "Meltdown" and that's it.

OTOH, for one of the two issues known as "Spectre", Intel are also allocating a bit in this CPU information register to tell the OS that the chip in question can optionally have protection against "Spectre" enabled or disabled. To reiterate, this means that Intel will simply fix "Meltdown", no questions asked, but for "Spectre", Intel is giving the OS a choice between enabling the CPU fix or not. This, to Linus, indicates that there must be a reason that this fix can be disabled, and Linus is speculating that the reason for that is that the CPU side fix will cause a performance penalty that will look bad on benchmarks, and thus this gives Intel a way to disable the "Spectre" fix so their benchmarks look all nice and pretty."
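
The asymmetry described in the quoted summary, as an added example that is not part of the original post: the Meltdown bit is a plain "not affected" indicator, while the Spectre bits only advertise a control the OS still has to switch on. The bit positions are the ones Intel documents for CPUID leaf 7 EDX and the IA32_ARCH_CAPABILITIES MSR; the function name, plan flags and sample register values are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Intel enumeration bits: CPUID.(EAX=7,ECX=0):EDX and IA32_ARCH_CAPABILITIES. */
#define CPUID7_EDX_IBRS_IBPB (1u << 26)  /* IA32_SPEC_CTRL / IA32_PRED_CMD exist */
#define CPUID7_EDX_ARCH_CAP  (1u << 29)  /* IA32_ARCH_CAPABILITIES MSR exists */
#define ARCH_CAP_RDCL_NO     (1ull << 0) /* CPU reports: not affected by Meltdown */
#define ARCH_CAP_IBRS_ALL    (1ull << 1) /* CPU reports: always-on IBRS is available */

/* Hypothetical plan flags, names made up for this example. */
enum {
    NEED_KPTI    = 1, /* keep kernel page-table isolation (Meltdown) */
    CAN_IBRS     = 2, /* microcode exposes IBRS; OS must toggle it */
    CAN_IBRS_ALL = 4, /* OS may set IBRS once and leave it on */
    NEED_SW_V2   = 8  /* no hardware control; software-only variant 2 mitigation */
};

unsigned mitigation_plan(uint32_t cpuid7_edx, uint64_t arch_cap)
{
    unsigned plan = 0;

    /* The MSR value only counts if CPUID says the MSR exists. */
    if (!(cpuid7_edx & CPUID7_EDX_ARCH_CAP))
        arch_cap = 0;

    /* Meltdown: a pure "fixed" indicator, nothing for the OS to switch on. */
    if (!(arch_cap & ARCH_CAP_RDCL_NO))
        plan |= NEED_KPTI;

    /* Spectre v2: capability bits only; protection is off until the OS enables it. */
    if (cpuid7_edx & CPUID7_EDX_IBRS_IBPB) {
        plan |= CAN_IBRS;
        if (arch_cap & ARCH_CAP_IBRS_ALL)
            plan |= CAN_IBRS_ALL;
    } else {
        plan |= NEED_SW_V2;
    }
    return plan;
}

int main(void)
{
    /* Constructed register values, not read from real hardware. */
    printf("no microcode update: %u\n", mitigation_plan(0, 0));
    printf("updated microcode:   %u\n", mitigation_plan(CPUID7_EDX_IBRS_IBPB, 0));
    printf("future part:         %u\n",
           mitigation_plan(CPUID7_EDX_IBRS_IBPB | CPUID7_EDX_ARCH_CAP, 3));
    return 0;
}
```

Reading the MSR itself needs kernel privilege, which is why the function takes the two register values as arguments.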
 
Is there a short summary available of what the issue is, what the impact/risk is and what we need to do? This thread probably has all the answers but it's 66 pages now and the conversation appears to be very technical at times.
Problem:
- Your stuff is not secure due to CPU design flaws.
- The vulnerabilities are called Meltdown and Spectre (there are 2 types of Spectre).

Fix:
- Install operating system update.
- Install browser update.

Other part of fix I personally wouldn't recommend:
- Install BIOS update (fixes 2nd Spectre variant) (not available for old motherboards).
- The BIOS update affects performance, specifically for heavy storage workloads like database servers.
- Risk of failed update / bricking your motherboard.
- Increased likelihood of BSOD.
 
Ouch, anyone seen Linus Torvalds' latest rant at Intel? There's a thread on the AMD reddit linking to it https://www.reddit.com/r/Amd/comments/7s3rnr/linus_torvalds_on_current_meltdownspectre_patches/

Seems Mr Torvalds doesn't suffer fools lightly lol

A quote from one of the posters who summed up what Linus Torvalds' beef is

"Sorry, the other people replying are wrong. Linus is pointing out that Intel are planning on simply fixing what is known as "Meltdown", and thus have allocated a bit in a CPU information register to indicate that this CPU isn't vulnerable to "Meltdown" and that's it.

OTOH, for one of the two issues known as "Spectre", Intel are also allocating a bit in this CPU information register to tell the OS that the chip in question can optionally have protection against "Spectre" enabled or disabled. To reiterate, this means that Intel will simply fix "Meltdown", no questions asked, but for "Spectre", Intel is giving the OS a choice between enabling the CPU fix or not. This, to Linus, indicates that there must be a reason that this fix can be disabled, and Linus is speculating that the reason for that is that the CPU side fix will cause a performance penalty that will look bad on benchmarks, and thus this gives Intel a way to disable the "Spectre" fix so their benchmarks look all nice and pretty."
If the tech press doesn't apply all Meltdown and Spectre fixes to any new CPU benchmarks going forward then I officially give up hope of ever getting objective analysis from them. I imagine Linus is correct though, and I wouldn't put it past Intel at all to, for example, make reviewer samples not have that bit enabled so OSs don't think they need to apply Spectre patches.
 
Problem:
- Your stuff is not secure due to CPU design flaws.
- The vulnerabilities are called Meltdown and Spectre (there are 2 types of Spectre).

Fix:
- Install operating system update.
- Install browser update.

Other part of fix I personally wouldn't recommend:
- Install BIOS update (fixes 2nd Spectre variant) (not available for old motherboards).
- The BIOS update affects performance, specifically for heavy storage workloads like database servers.
- Risk of failed update / bricking your motherboard.
- Increased likelihood of BSOD.

Thanks for that.

Fix:
- Install operating system update. Has MS rolled this out as a KB update to Win10?
- Install browser update. Is Chrome currently secure?

What's the realistic risk to an average home user/gamer?
 
I have applied any Microsoft update for Windows 7.
I have NOT applied any Microsoft update for Windows 10.
I have the latest version of the browsers that I use (mostly Firefox).
I have NOT updated the BIOS on any of my systems.

Out of curiosity, I would be interested in running a benchmark on my systems before and after making any further changes. Can anyone please recommend some suitable benchmarks?

There seem to be suggestions that SSDs are particularly adversely affected, is this true?
 
If the tech press doesn't apply all Meltdown and Spectre fixes to any new CPU benchmarks going forward then I officially give up hope of ever getting objective analysis from them. I imagine Linus is correct though, and I wouldn't put it past Intel at all to, for example, make reviewer samples not have that bit enabled so OSs don't think they need to apply Spectre patches.

That's the shady thing, Intel are deliberately trying to get it set to "Disabled" rather than "enabled" by default, as they know a) it will hurt performance benchmarks and b) it's an admission that their CPUs are insecure by design, which probably has some legal implications hovering over it.

Either way it's proper shady by Intel, still, it won't hurt their market share much if any... but at least people are being made aware of their practices, what's obvious though is how long this has been going on for.
 
- Install operating system update. Has MS rolled this out as a KB update to Win10?
Yes. KB4056892 https://support.microsoft.com/en-gb/help/4056892

- Install browser update. Is Chrome currently secure?
Due in Chrome 64 - releases tomorrow.
Workaround in the meantime: http://www.chromium.org/Home/chromium-security/site-isolation

What's the realistic risk to an average home user/gamer?
Mostly the JavaScript attack vector - so updating your browser is key.
 
Question - do Windows updates (Win 7) which caused issues with older AMD CPUs get removed from the Win Updater? I haven't applied any Windows Updates since all this broke out and thanks to the issues with Microsoft and the AMD documentation I'm somewhat worried about applying anything until a bit more time has passed. Can't see any clear indication of what I should be doing.
 
You don't need to be Linus to work out that invalidating or in some cases disabling the branch predictor and L1-I/D cache is going to murder performance, that much is pretty obvious. That is basically what the Spectre fixes will amount to on Intel and ARM.

The only thing that's important is to what granularity you can control this. Some newer CPUs allow fine control which allows you to only invalidate when you really need to, but some older CPUs do not so the branch predictor and L1 will be off for more time. Any workload that will be impacted will be having a bad time. I wouldn't be surprised if there are 30-50% performance drops in certain cases (though hopefully 'real' workloads will be impacted less).

Why do you think Intel are only posting benchmarks from Skylake and newer ;)
 
Hello, long time lurker here!

Wondering if anyone else has had these issues or can shed any light on them.

I have an Asus Z170-A motherboard. Updated bios to 3703 for Spectre fix.

My first issue is my boot time is considerably longer (up to 20 seconds). UserBenchmark tool I've used in the past also shows my SSD (Kingston 240gb) performance plummeting down to 9th percentile. Everything else is unchanged and my gaming and desktop performance seems fine. My other issue is there seems to be some sort of bug with RAM voltage on XMP. I have 16GB of Corsair Vengeance LPX 3000mhz at 1.35v. When I set my XMP profile at 3000, my voltages go through the roof. These voltages show in both bios and windows (HWinfo).

With XMP at 3000mhz, my voltages are as follows:
DRAM 1.440v
VCCIO 1.336v
System Agent Voltage 1.320v
Standby Voltage 1.343v

Voltages with xmp disabled at 2666:
DRAM 1.34v
VCCIO 1.160v
System agent voltage 1.114v
Standby voltage 1.168v

These are also roughly the same as what I had at XMP 3000 before the flash. My girlfriend has also updated her bios, Asus Prime Z270-P. Her XMP at 3000 remains unchanged.

Lowering to 2666 fixes the problem. I can also manually set voltage to 1.360 at 3000 but all my other voltages remain super high compared to what they were before I flashed.
 
When I set my XMP profile at 3000, my voltages go through the roof. These voltages show in both bios and windows (HWinfo).
I had this on Asus Z170 Pro Gaming.
I never got it perfect but it was much better if I set the voltages myself rather than using the XMP profile.
If you want I can hop in the bios tonight and tell you the values.
 
Glancing back over the last couple of pages... is it recommended not to apply the bios patches? I'm still waiting for Dell to publish the bios update for our hosts.
 
Yes. KB4056892 https://support.microsoft.com/en-gb/help/4056892


Due in Chrome 64 - releases tomorrow.
Workaround in the meantime: http://www.chromium.org/Home/chromium-security/site-isolation


Mostly the JavaScript attack vector - so updating your browser is key.

Perfect, Billy. I've already installed the KB patch so I'll get Chrome 64 installed tomorrow - does that auto install over current Chrome browsers?

I won't be updating BIOS as I'd rather wait a few iterations just in case there are bugs.
 
Hi, I checked your benchmark, how did you get back the SSD performance?

I'm not sure what's happening with it, it is very strange. Before I updated bios I would consistently get the same bench with my SSD. Now it will go from 7th percentile to 49th at random and it seems to correlate with my much longer boot time since updating bios. Actual performance in regards to normal desktop use and games installed on my SSD seems to be exactly the same, I just have a longer boot.
 
That would be fantastic, thanks!
Specs
i7 6700k @ 4.0
Asus Z170 Pro Gaming
2x8GB Corsair Vengeance LPX 3000

BIOS > Home Screen
XMP = Disabled

BIOS > Ai Tweaker Screen
Ai Overclock Tuner = Auto
FCLK Frequency = Auto
ASUS MultiCore Enhancement = Auto
CPU Core Ratio = Auto
BCLK Frequency : DRAM Frequency Ratio = Auto
DRAM Odd Ratio Mode = Auto
DRAM Frequency = DDR4-3000MHz
TPU = Keep Current Settings
EPU Power Saving Mode = Disabled
CPU SVID Support = Auto

Ai Tweaker\DRAM Timing Control
DRAM CAS# Latency = 15
DRAM RAS# to CAS# Delay = 17
DRAM RAS# ACT Time = 35
[Rest Auto]

Ai Tweaker\Internal CPU Power Management
SpeedStep = Auto
Turbo Mode = Enabled
[Rest Auto]

BIOS > Ai Tweaker Screen (continued)
CPU Core/Cache Current Limit Max = Auto
Min. CPU Cache Ratio = Auto
Max CPU Cache Ratio = Auto
Internal PLL Voltage = Auto
CPU Core/Cache Voltage = Manual Mode
CPU Core Voltage Override = 1.230
DRAM Voltage = 1.360
CPU VCCIO Voltage = 1.17500
CPU System Agent Voltage = 1.22000
PCH Core Voltage = Auto
CPU Standby Voltage = Auto

This has been stable for about a year.
Temps are fine, only cooled with a Cooler Master Hyper 212X.
 
Important to note that you will only get the Microsoft update(s) including future ones until told by MS otherwise, if you either have supported AV that has set a registry key or if you don't use AV you need to ensure the registry key is set.

Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?

A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.

https://support.microsoft.com/en-sg...ndows-security-updates-and-antivirus-software
 