Intel security flaw

Keldon
Joined: 28 Nov 17
Posts: 8
Credit: 124,341,599
RAC: 214
Channel Islands
Message 1910313 - Posted: 3 Jan 2018, 13:31:45 UTC

For those that have not heard, nearly all Intel CPU chips for the last 10 years have a serious security flaw that cannot be fixed by a firmware update and is having to have an operating system workaround to protect against the flaw being exploited. Linux and Windows patches for the Intel kernel security flaw are said to slow down CPU performance by between 5% and 30%. A Linux patch has already been released and tested on some systems and shows a 5% slowdown for some tasks. Ironically the patch is applied irrespective of chip manufacturer, meaning the current patch even slows down AMD machines without some setting changes. Anyone know how the patches will affect Seti task speeds? Anyone tested with the Linux patch? The Windows patch may not be out till 16 January so the full details of the flaw are embargoed till then but it does look to be a real bad one.
ID: 1910313 · Report as offensive
Dr.Diesel
Joined: 14 May 99
Posts: 41
Credit: 123,695,755
RAC: 139
United States
Message 1910318 - Posted: 3 Jan 2018, 14:27:52 UTC - in response to Message 1910313.  

Looks like pretty much no gaming hit, so probably the same for us.

Phoronix has an initial bench set, with I/O getting hit pretty hard; might be some rough times ahead for Intel. The bug doesn't affect AMD but the initial patch hit all 64-bit systems regardless of maker. I suspect AMD will submit a patch in the next day or two to fix that, if they've not already.

In any case if one wishes to continue on anyhow (on Linux), the nopti kernel parameter will revert the patch at boot. Windows details won't be out for a couple more weeks.
ID: 1910318 · Report as offensive
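
One way to audit for the nopti override mentioned in the post above, as an added example that is not part of the original thread: it flags a kernel command line that asks for page table isolation to be switched off and reads the kernel's own Meltdown status from sysfs. The function names, the sample command lines, the extra pti=off and mitigations=off tokens and the sysfs path are assumptions beyond what the post states.

```shell
#!/bin/sh
# Added example: audit whether page table isolation (PTI) was turned off at boot.

# pti_boot_override CMDLINE
# Prints "disabled:<token>" for the first token that requests PTI off,
# otherwise "default". nopti is the parameter named in the post; pti=off and
# mitigations=off are other upstream kernel parameters that also disable PTI.
pti_boot_override() (
    set -f                      # no glob expansion while splitting the line
    for tok in $1; do
        case "$tok" in
            nopti|pti=off|mitigations=off)
                printf 'disabled:%s\n' "$tok"
                exit 0 ;;
        esac
    done
    printf 'default\n'
)

# meltdown_status [FILE]
# Prints the kernel's own verdict from sysfs, or "unknown" on kernels that
# predate the vulnerabilities directory.
meltdown_status() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/meltdown}
    if [ -r "$f" ]; then cat "$f"; else printf 'unknown\n'; fi
}

# audit_pti [CMDLINE_FILE] [SYSFS_FILE]
# Returns 1 when the host was booted with PTI disabled, so the result can
# gate a compliance check across a fleet.
audit_pti() {
    cmdline=$(cat "${1:-/proc/cmdline}")
    override=$(pti_boot_override "$cmdline")
    printf 'boot override: %s\n' "$override"
    printf 'meltdown:      %s\n' "$(meltdown_status "$2")"
    case "$override" in disabled:*) return 1 ;; esac
    return 0
}

# Constructed sample command lines (not taken from the thread).
SAMPLE_PATCHED='BOOT_IMAGE=/vmlinuz-4.14.11 root=/dev/sda1 ro quiet'
SAMPLE_NOPTI='BOOT_IMAGE=/vmlinuz-4.14.11 root=/dev/sda1 ro quiet nopti'
pti_boot_override "$SAMPLE_PATCHED"
pti_boot_override "$SAMPLE_NOPTI"
```

Running audit_pti with no arguments checks the live host through /proc/cmdline and the default sysfs path.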
Ghia
Joined: 7 Feb 17
Posts: 238
Credit: 28,911,438
RAC: 50
Norway
Message 1910352 - Posted: 3 Jan 2018, 17:43:27 UTC - in response to Message 1910341.  

Hehe, I know at least one here who soon will start bashing Intel (and of course continue with his Windows bashing.)
He just can't refrain himself.....

Waiting....
Waiting...
Waiting...

There is only one King of Intel bashing.. ;-)
Humans may rule the world...but bacteria run it...
ID: 1910352 · Report as offensive
Dr.Diesel
Joined: 14 May 99
Posts: 41
Credit: 123,695,755
RAC: 139
United States
Message 1910355 - Posted: 3 Jan 2018, 17:51:21 UTC - in response to Message 1910352.  

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8
ID: 1910355 · Report as offensive
Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 24876
Credit: 3,081,182
RAC: 7
Ireland
Message 1910357 - Posted: 3 Jan 2018, 17:57:29 UTC - in response to Message 1910341.  

Regardless of manufacturer that's bad for computing as a whole. With the world's reliance on computers, it's bad enough having to contend with software flaws but hardware flaws...
ID: 1910357 · Report as offensive
Advent42
Joined: 23 Mar 17
Posts: 175
Credit: 4,015,683
RAC: 0
Ireland
Message 1910382 - Posted: 3 Jan 2018, 20:20:02 UTC - in response to Message 1910357.  

Ah sure it'll be grand...:-)
ID: 1910382 · Report as offensive
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30608
Credit: 53,134,872
RAC: 32
United States
Message 1910439 - Posted: 4 Jan 2018, 1:32:58 UTC - in response to Message 1910355.  
Last modified: 4 Jan 2018, 1:33:43 UTC

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8

Don't you mean the AMD un-patch? AMDs don't have the flaw or need the patch.
ID: 1910439 · Report as offensive
Keith Myers
Volunteer tester
Joined: 29 Apr 01
Posts: 13161
Credit: 1,160,866,277
RAC: 1,873
United States
Message 1910441 - Posted: 4 Jan 2018, 1:36:05 UTC - in response to Message 1910439.  

Correct. The Linux kernel for AMD chips needs to have the security flaw patch removed as it is not needed. Unfortunate as they were about to lock down the latest kernels for no more features added.
Seti@Home classic workunits:20,676 CPU time:74,226 hours

A proud member of the OFA (Old Farts Association)
ID: 1910441 · Report as offensive
Cavalary
Joined: 15 Jul 99
Posts: 104
Credit: 7,507,548
RAC: 38
Romania
Message 1910452 - Posted: 4 Jan 2018, 2:57:39 UTC

Things are even worse than thought from a security perspective: https://twitter.com/nicoleperlroth/status/948684376249962496 for a summary, NYT article linked there too. So Meltdown affects all Intel CPUs since '95 bar pre-2013 Itanium and Atom and the software fix will result in a hefty performance hit, mainly for I/O operations, and at least in case of Windows (since MS pushed it out already, early) said fix may not be installed for those running certain security software, while Spectre is harder to exploit but affects everything, is a fundamental flaw in CPU design and will be with us for a decade to come, the only real fix being to redesign CPU architecture and replace all CPUs in existence basically.

Anyone else have the feeling that we're waking up to a new world again, a heck of a lot more dangerous one?
ID: 1910452 · Report as offensive
HAL9000
Volunteer tester
Joined: 11 Sep 99
Posts: 6534
Credit: 196,805,888
RAC: 57
United States
Message 1910453 - Posted: 4 Jan 2018, 2:59:16 UTC

So far the details seem to be that some parts of protected kernel memory can be read.
Some sites are reporting that the issue is also present in ARM processors.

MS issued the patch in November to users in the "fast ring" of updates and Apple pushed out an initial patch in early December.
SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the BP6/VP6 User Group (http://tinyurl.com/8y46zvu)
ID: 1910453 · Report as offensive
Keith Myers
Volunteer tester
Joined: 29 Apr 01
Posts: 13161
Credit: 1,160,866,277
RAC: 1,873
United States
Message 1910457 - Posted: 4 Jan 2018, 4:15:37 UTC

It will be interesting to see how fast MS pushes out a software update. Wonder if it will go into the next Patch Tuesday? Or will they get even more proactive and release an imminent patch tomorrow? Same question for the Linux distributions. How much hysteria will this flaw produce? Not a slow tech news day today at all. See that Intel stock got hit with a 3% drop after the announcement and it looks like it is continuing after hours. Would have been nice to have held an Intel short position today before announcement. See that the Intel CEO sold off stock after he was informed of the flaw back in November. Wonder if an insider trading investigation will happen.

CES attendees will have something to gossip about next week.
Seti@Home classic workunits:20,676 CPU time:74,226 hours

A proud member of the OFA (Old Farts Association)
ID: 1910457 · Report as offensive
Grant (SSSF)
Volunteer tester
Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 1910473 - Posted: 4 Jan 2018, 6:59:14 UTC - in response to Message 1910439.  

AMD patch is now in:

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/pti&id=694d99d40972f12e59a3696effee8a376b79d7c8

Don't you mean the AMD un-patch? AMDs don't have the flaw or need the patch.

There are 2 different security issues, and AMD (and other manufacturers) are affected by it as well. And even for those that are affected, the impact is very, very variable. Given the time frame to develop the patches, I suspect it will be some time before the true impact is known as they (the programmers) will have more time to work on the patch & work on mitigating its effects once they are better understood.

Researchers reveal Meltdown and Spectre CPU exploits
Grant
Darwin NT
ID: 1910473 · Report as offensive
tullio
Volunteer tester
Joined: 9 Apr 04
Posts: 8797
Credit: 2,930,782
RAC: 1
Italy
Message 1910482 - Posted: 4 Jan 2018, 9:24:40 UTC
Last modified: 4 Jan 2018, 9:25:23 UTC

theregister.co.uk says that all chips which allow out-of-order processing are vulnerable. The only immune chips are Itanium and Atom before 2013, because they don't allow out-of-order processing.
Tullio
ID: 1910482 · Report as offensive
Richard Haselgrove
Volunteer tester
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 1910486 - Posted: 4 Jan 2018, 11:17:34 UTC - in response to Message 1910457.  

Wonder if it will go into the next Patch Tuesday?
The advance 'Update Summary' for this month (which I received by email from Microsoft at 03:12 UTC this morning - about 8 hours ago) suggests that there WON'T be anything. The only critical update seems to be browser-related, not kernel.
ID: 1910486 · Report as offensive
Keldon
Joined: 28 Nov 17
Posts: 8
Credit: 124,341,599
RAC: 214
Channel Islands
Message 1910487 - Posted: 4 Jan 2018, 11:39:38 UTC

Meltdown and Spectre have their own website which can be found here:-

https://spectreattack.com/
ID: 1910487 · Report as offensive
Keldon
Joined: 28 Nov 17
Posts: 8
Credit: 124,341,599
RAC: 214
Channel Islands
Message 1910494 - Posted: 4 Jan 2018, 13:36:44 UTC - in response to Message 1910487.  

Good news - Meltdown, which affects almost all Intel chips, should be mitigated by patches and firmware updates with a potential slowdown dependent on activity, yet to be fully ascertained, but which may be reduced over time with more refined patches.

Bad news - Spectre, which affects AMD, Arm and others as well as Intel (basically almost every computer, tablet and smartphone in the world), while more difficult to exploit is also proving more difficult to fully patch against so far. Solution from US Government - replace your CPU!

https://www.kb.cert.org/vuls/id/584653

With what?

Nearly all CPUs in production and development have the Spectre flaw. By implication, if you want to be secure switch off all your computers, tablets and smartphones until about 2021 when CPUs without the flaw may become available in bulk. Oh and don't buy any new ones in the meantime.

Although the risk may be very low, we are going to have to live with it for at least a few years. Hopefully patches will be developed which fully mitigate Spectre. Some people are going to have to buy machines knowing they are flawed but many will probably wait.

We are going to see a race. Every CPU manufacturer will have to work out how to dump existing pipelines, redesigning, testing and manufacturing completely new CPU designs. They may not all survive the inevitable lawsuits and costs.
ID: 1910494 · Report as offensive
Mike
Volunteer tester
Joined: 17 Feb 01
Posts: 34253
Credit: 79,922,639
RAC: 80
Germany
Message 1910495 - Posted: 4 Jan 2018, 13:37:22 UTC

From Tom Lendacky <>
Subject [PATCH] x86/cpu, x86/pti: Do not enable PTI on AMD processors
Date Tue, 26 Dec 2017 23:43:54 -0600


AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
arch/x86/kernel/cpu/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c47de4e..7d9e3b0 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -923,8 +923,8 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)

setup_force_cpu_cap(X86_FEATURE_ALWAYS);

- /* Assume for now that ALL x86 CPUs are insecure */
- setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
+ if (c->x86_vendor != X86_VENDOR_AMD)
+ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);

fpu__init_system(c);
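
Review bot: The new check on c->x86_vendor != X86_VENDOR_AMD drops the old comment without adding one, so the reason for the AMD exemption survives only in the commit message; a one-line comment above the check saying that AMD parts do not make speculative references to higher-privileged data that would page fault keeps the rationale beside the code. The check also depends on c->x86_vendor being filled in before this point in early_identify_cpu(), which the visible context does not show and is worth confirming; if the vendor were still unset the condition would be true and X86_BUG_CPU_INSECURE would be set, which is the safe direction. A vendor-wide test exempts every AMD family at once, so the commit message's claim has to hold for all of them.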



With each crime and every kindness we birth our future.
ID: 1910495 · Report as offensive
Sirius B
Volunteer tester
Joined: 26 Dec 00
Posts: 24876
Credit: 3,081,182
RAC: 7
Ireland
Message 1910497 - Posted: 4 Jan 2018, 13:58:20 UTC

What the big boys said

You got to love their PR guys :-)

"Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers."
ID: 1910497 · Report as offensive
Cygnus X-1
Volunteer tester
Joined: 15 Feb 04
Posts: 75
Credit: 3,732,505
RAC: 175
Canada
Message 1910500 - Posted: 4 Jan 2018, 14:24:22 UTC

I wonder if this will lead to an increased popularity for alternative architectures, assuming they are unaffected by these flaws.
ID: 1910500 · Report as offensive
Keldon
Joined: 28 Nov 17
Posts: 8
Credit: 124,341,599
RAC: 214
Channel Islands
Message 1910516 - Posted: 4 Jan 2018, 15:37:43 UTC

Windows has an update - KB4056892

Check this is installed in Windows Update. Also requires a restart to install.

BIOS updates also coming from Intel via OEMs so check BIOS and firmware update status from Dell, HP etc depending on your machine manufacturer.
ID: 1910516 · Report as offensive