Info Meltdown and Spectre Vulnerabilities Information

Status
Not open for further replies.
I've read that HP is at least working on it. If anyone comes across any others, post them so they can be added as well.

 


I cri too. P8Z77V-LK and a Dell Socket 1366 tower. I am so SOL.

<tin foil hat>It's all a plot to get us to buy new PCs, motherboards and CPUs.</tin foil hat>
 


Funny you say that, because that is the first thing that I thought when I heard!
Well, that's one plan to get everyone to upgrade their PC/processors!
3,2,1 GO... stage 1 complete.
http://www.tomshardware.com/forum/id-3529443/intel-coffee-lake-8th-generation-megathread-faq-resources/page-9.html#20552167
 


Well, guess no more Windows updates for my rig then. Only need to get a year or two more out of it.

*shrug*
 
Please note that these are benchmarks from Intel!


https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf
 


I don't use my gaming PC to access my bank accounts, for that I use my smart phone so I hope they update those soon. My laptop is company property and the desktop computer I'm using now (actually I'm now in my office)
 


 
Just a curiosity.
The side channel mechanism used by Meltdown and Spectre to retrieve information was already considered a security issue in 1995. Unfortunately nobody has cared in more than 20 years.

The Intel 80×86 processor architecture: pitfalls for secure systems
O. Sibert; P. A. Porras; R. Lindell
Proceedings 1995 IEEE Symposium on Security and Privacy

http://ieeexplore.ieee.org/document/398934/

3.10 Cache and TLB Timing Channels

As mentioned in the preceding scenario, caches present potential for covert timing channels. Even without MSRs for direct measurements of cache activity, cache hits and misses can be detected strictly from instruction timing, as described in [WraySl]. To eliminate these flows, caches must be managed. This can reduce their efficiency considerably, depending on cache architecture, as it introduces otherwise unnecessary cache flush and invalidation activity.

 


Yuval Yarom discovered Spectre and I found a patent where he had been working in that "area" of research since 1995 as well. I found his first patent from 1995.
BACKGROUND OF THE INVENTION
Many operating systems (OS) today do not include a built in mechanism, called user exits, to divert program control from the operating system or related services to user supplied functions. In many programming instances it is desirable to divert or intercept system calls, issued from a user application, and execute user supplied code instead. The code supplied by the user might bypass the entire original system function call or it might perform a function in conjunction with the original system function call. One application of such a system might include a security system whereby operating system calls issued by a user application are not permitted to execute unless the calling process has the requisite authority or privileges.
https://www.google.com/patents/US5899987
You can see he was already playing in that "area" in 1995.

Edit: I find all of this very interesting. I wonder how long people actually knew how to use these exploits.
 


Missing Z170, Z270 and 110 MB's still.

Must be some internal politics going on there as they seemed to make sure the Z370 and X99/X299 boards were done and the B250 boards.
 


I will add them.
 
Motherboard Vendors Release BIOS Updates For Spectre
by Leon Chan January 11, 2018 at 10:55 AM

http://www.tomshardware.com/news/motherboard-vendors-release-bios-updates-spectre,36316.html
BIOS updates to address the Spectre vulnerability have begun rolling out from the major motherboard OEMs.

Patches and updates for Meltdown/Spectre vulnerabilities continue to trickle in. Due to there actually being multiple vulnerabilities, each of which requires different fixes, and patches not always saying which vulnerability they address, it can be hard to know if you’re fully protected.

When the issue first broke, Intel said that CPU microcode (BIOS) updates would be required in addition to software patches. The company later said it had released the updates, but it wasn’t clear in what form users would receive them nor what vulnerability they were for. AMD, being invulnerable to Meltdown, said that it was still vulnerable to one of the vulnerabilities in Spectre, but it had not issued any updates.

To clear the air on all this before we get any further, we defer to the table below from Microsoft.

Only Variant 2, one of the two vulnerabilities that make up Spectre, requires a CPU microcode update. Variant 2 is also the vulnerability that AMD has said it is most likely not vulnerable to, thus the company has not issued any updates.

The only required BIOS updates are to address Variant 2 for Intel CPUs. If your Intel machine is from a system OEM, look for the updates to come from that manufacturer, most of which are linked here. DIY builders are, as usual, left waiting for motherboard OEMs to release updates.


To that end, the first few are beginning to trickle in. Asus was the first to address the issue. MSI has also just released their first updates. We searched for updates from Gigabyte, ASRock, and EVGA, but didn’t find anything yet. We’ve reached out to them on the status of their updates and will update this post with their response.
 
https://www.amd.com/en/corporate/speculative-execution
An Update on AMD Processor Security 1/11/2018
The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.

At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.

- Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
  - We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.
  - Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft’s website.
  - Linux vendors are also rolling out patches across AMD products now.
- GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
  - While we believe that AMD’s processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
  - AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements.
  - Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of “return trampoline” (Retpoline) software mitigations.
- GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.
  - We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.

There have also been questions about GPU architectures. AMD Radeon GPU architectures do not use speculative execution and thus are not susceptible to these threats.

We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop mitigation solutions to protect users from these latest security threats.

Mark Papermaster,
Senior Vice President and Chief Technology Officer

AMD is releasing mitigation against Spectre variant 2.
Microsoft will start rolling out updates for Windows 10 for older AMD systems starting next week.
 
Benchmarking Linux With The Retpoline Patches For Spectre
Written by Michael Larabel in Software on 8 January 2018.

For our initial benchmarks of the yet-to-be-merged Retpoline patches, I tested the v5 patch-set on several systems this week in the below configurations:

noretpoline - The Linux 4.14-based kernel with Retpoline patches maintained by David Woodhouse as of their v5 state as of Saturday morning, but booting the system with "noretpoline". These results basically show the performance without Retpoline.

Retpoline - The Linux 4.14-based Retpoline-patched kernel booted with Retpoline present. This kernel though was built with Ubuntu 17.10's stock GCC 7.2 compiler, which doesn't contain the Spectre patches / "mindirect-branch" support. So this build is only of limited effectiveness but is what users will find without an upgraded compiler with the yet-to-land Spectre code changes.

Retpoline + GCC - The same Linux 4.14 kernel branch with Retpoline patches but when built using David Woodhouse's GCC 7.2 branch that does contain the patches as of this weekend. This run shows the impact with full protection for Spectre / speculative execution.

I tested these three kernel configurations on a range of AMD and Intel systems with distinctly different hardware from low-end to ultra high-end including:

- Intel Core i3 7100
- Intel Core i7 8700K
- Intel Core i7 7980XE
- 2 x Intel Xeon Gold 6138
- AMD Ryzen 7 1800X
- AMD EPYC 7601
Here are 2 benchmarks that show the biggest changes in performance between Intel vs. AMD. The benchmarks are too numerous to show all of them, but you can browse through them on the website. They are constantly optimising the Linux kernel, and have 4.15 coming next week, and 4.16 not long after that. This is 4.14.
Edit: https://www.phoronix.com/scan.php?page=article&item=linux-retpoline-benchmarks&num=1
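
The quoted articles above split the fixes by variant and describe a retpoline kernel built with a stock compiler as only partly effective; the following is an added example, not part of the thread or of the quoted articles, of checking that per variant on a Linux host. It assumes the kernel exposes the `/sys/devices/system/cpu/vulnerabilities` status files (mainline Linux 4.15 or a vendor backport, which the thread does not mention); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the kernel exposes
# /sys/devices/system/cpu/vulnerabilities (Linux 4.15+ or a vendor backport).
SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not_affected | mitigated | partial | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*)        echo not_affected ;;
        "Mitigation:"*)         echo mitigated ;;
        # Retpoline kernel built by a compiler without retpoline support:
        # the kernel itself still reports the system as vulnerable.
        "Vulnerable: Minimal"*) echo partial ;;
        "Vulnerable"*)          echo vulnerable ;;
        *)                      echo unknown ;;
    esac
}

# report_variants [DIR]: prints "variantN <file> <verdict>" for GPZ variants 1-3
# and returns 1 unless every variant is mitigated or not_affected.
report_variants() {
    dir=${1:-$SYSFS_VULN}; rc=0
    for pair in 1:spectre_v1 2:spectre_v2 3:meltdown; do
        file=${pair#*:}; line=
        if [ -r "$dir/$file" ]; then
            IFS= read -r line < "$dir/$file" || :
        fi
        # A missing or empty file (older kernel) classifies as unknown.
        verdict=$(classify_status "$line")
        case $verdict in not_affected|mitigated) ;; *) rc=1 ;; esac
        printf 'variant%s %s %s\n' "${pair%%:*}" "$file" "$verdict"
    done
    return "$rc"
}

# write_sample DIR: constructed status files for an Intel machine running a
# retpoline kernel built with a stock compiler.
write_sample() {
    mkdir -p "$1"
    echo 'Vulnerable' > "$1/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/spectre_v2"
    echo 'Mitigation: PTI' > "$1/meltdown"
}

# Demo on the constructed sample; call report_variants with no argument
# to check the running system instead.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
report_variants "$demo_dir" || echo "action needed: a variant is not fully mitigated"
rm -rf "$demo_dir"
```
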
 