For those that have not heard, nearly all Intel CPU chips for the last 10 years have a serious security flaw that cannot be fixed by a firmware update and is having to have an operating system workaround to protect against the flaw being exploited. Linux and Windows patches for the Intel kernel security flaw are said to slow down CPU performance by between 5% to 30%. A Linux patch has already been released and tested on some systems and shows a 5% slow down for some tasks. Ironically the patch is applied irrespective of chip manufacturer meaning the current patch even slows down AMD machines without some setting changes. Anyone know how the patches will affect Seti task speeds? Anyone tested with the Linux patch? The Windows patch may not be out till 16 January so the full details of the flaw are embargoed till then but it does look to be a real bad one.

Looks like pretty much no gaming hit, so probably the same for us.

Phoronix has an initial bench set, with I/O getting hit pretty hard, might be some rough times ahead for Intel. The bug doesn't affect AMD but the initial patch hit all 64bit systems regardless of maker, I suspect AMD will submit a patch in the next day or two to fix that, if they've not already.

In any case if one wishes to continue on anyhow (on Linux), the nopti kernel parameter will revert the patch at boot. Windows details won't be out for a couple more weeks.

---

Hehe, I know at least one here who soon will start bashing Intel (and of course continue with his Windows bashing.)
He just can't refrain himself.....

Waiting....
Waiting...
Waiting...

There is only one King of Intel bashing.. ;-)

---

Humans may rule the world...but bacteria run it...

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8

---

Regardless of manufacturer that's bad for computing as a whole. With the world's reliance on computers, it's bad enough having to contend with software flaws but hardware flaws...

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8

Don't you mean the AMD un-patch. AMD's don't have the flaw or need the patch.

Correct. The linux kernel for AMD chips needs to have the security flaw patch removed as it is not needed. Unfortunate as they were about to lockdown the latest kernels for no more features added.

---

Seti@Home classic workunits:20,676 CPU time:74,226 hours

Things are even worse than thought from a security perspective: https://twitter.com/nicoleperlroth/status/948684376249962496 for a summary, NYT article linked there too. So Meltdown affects all Intel CPUs since '95 bar pre-2013 Itanium and Atom and the software fix will result in a hefty performance hit, mainly for I/O operations, and at least in case of Windows (since MS pushed it out already, early) said fix may not be installed for those running certain security software, while Spectre is harder to exploit but affects everything, is a fundamental flaw in CPU design and will be with us for a decade to come, the only real fix being to redesign CPU architecture and replace all CPUs in existence basically.

Anyone else have the feeling that we're waking up to a new world again, a heck of a lot more dangerous one?

---

So far the details seem to be that some parts of protected kernel memory can be read.
Some sites are reporting that the issue is also present in ARM processors.

MS has issued the patch in November to users in the "fast ring" of updates and Apple pushed out an initial patch in early December.

---

SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the BP6/VP6 User Group today!

It will be interesting to see how fast MS pushes out a software update. Wonder if it will go into the next Patch Tuesday? Or will they get even more proactive and release an imminent patch tomorrow? Same question for the Linux distributions. How much hysteria will this flaw produce? Not a slow tech news day today at all. See that Intel stock got hit with a 3% drop after the announcement and it looks like it is continuing after hours. Would have been nice to have held an Intel short position today before announcement. See that the Intel CEO sold off stock after he was informed of the flaw back in November. Wonder if an insider trading investigation will happen.

CES attendees will something to gossip about next week.

---

Seti@Home classic workunits:20,676 CPU time:74,226 hours

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8

Don't you mean the AMD un-patch. AMD's don't have the flaw or need the patch.

Three are 2 different security issues, and AMD (and other manufacturers) are affected by it as well. And even for those that are affected, the impact is very, very variable. Given the time frame to develop the patches, I suspect it will be some time before the true impact is known as they (the programmers) will have more time to work on the patch & work on mitigating it's effects once they are better understood.

Researchers reveal Meltdown and Spectre CPU exploits

---

Grant
Darwin NT

theregister.co.uk says that all chips which allow out of order processing are vulnerable. Only immune chips are Itanium and Atom before 2013, because they don't allow out of order processing.
Tullio

---

Wonder if it will go into the next Patch Tuesday?

The advance 'Update Summary' for this month (which I received by email from Microsoft at 03:12 UTC this morning - about 8 hours ago) suggests that there WON'T be anything. The only critical update seems to be browser-related, not kernel.

Meltdown and Spectre have their own website which can be found here:-

https://spectreattack.com/

Good news - Meltdown, which affects almost all Intel chips, should be mitigated by patches and firmware updates with a potential slowdown dependent on activity, yet to be fully ascertained, but which may be reduced over time with more refined patches.

Bad news - Spectre, which affects AMD, Arm and others as well as Intel (basically almost every computer, tablet and smartphone in the world), while more difficult to exploit is also proving more difficult to fully patch against so far. Solution from US Government - replace your CPU!

https://www.kb.cert.org/vuls/id/584653

With what?

Nearly all CPUs in production and development have the Spectre flaw. By implication, if you want to be secure switch off all your computers, tablets and smartphones until about 2021 when CPUs without the flaw may become available in bulk. Oh and don't buy any new ones in the meantime.

Although the risk may be very low, we are going to have to live with it for at least a few years. Hopefully patches will be developed which fully mitigate Spectre. Some people are going to have to buy machines knowing they are flawed but many will probably wait.

We are going to see a race. Every CPU manufacturer will have to work out how to dump existing pipelines, redesigning, testing and manufacturing completely new CPU designs. They may not all survive the inevitable lawsuits and costs.

From Tom Lendacky <>
Subject [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
Date Tue, 26 Dec 2017 23:43:54 -0600


AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
arch/x86/kernel/cpu/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c47de4e..7d9e3b0 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)

setup_force_cpu_cap(X86_FEATURE_ALWAYS);

- /* Assume for now that ALL x86 CPUs are insecure */
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ if (c->x86_vendor != X86_VENDOR_AMD)
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);

fpu__init_system(c);

---

With each crime and every kindness we birth our future.

What the big boys said

You got to love their PR guys :-)

"Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."

I wonder if this will lead to an increased popularity for alternative architectures, assuming they are unaffected by these flaws.

---