Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 68

tamz_msc

Diamond Member
Jan 5, 2017
3,708
3,554
136
The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS

If looking at the geometric mean for the tests run today, the Intel systems all saw about 16% lower performance out-of-the-box now with these default mitigations and obviously even lower if disabling Hyper Threading for maximum security. The two AMD systems tested saw a 3% performance hit with the default mitigations. While there are minor differences between the systems to consider, the mitigation impact is enough to draw the Core i7 8700K much closer to the Ryzen 7 2700X and the Core i9 7980XE to the Threadripper 2990WX.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,323
4,904
136
I can't imagine how bad the impact will be in terms of CPU util and response time for certain applications on XenApp and Horizon after these additional hits to context switching performance.

From the Phoronix article:
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.

Oof.
 

dualsmp

Golden Member
Aug 16, 2003
1,626
44
91
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.

How are cloud providers and data centers going to cope with five to six times loss of performance? :screamcat:
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
25,478
14,434
136
By buying new hardware, of course.
If I was an IT manager with half a brain, I have 2 options:
1) If my system carries financial information or very sensitive information, I am forced to put the patches in and add new hardware to compensate.
2) If not, I don't do the patches right now, order the hardware, and take a risk.

Neither are good options, but Intel buried themselves.
 
  • Like
Reactions: Drazick

Accord99

Platinum Member
Jul 2, 2001
2,259
172
106
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.

How are cloud providers and data centers going to cope with five to six times loss of performance? :screamcat:
Why are data centers running applications that do nothing but context switch?
 

EXCellR8

Diamond Member
Sep 1, 2010
3,979
839
136
Yikes I would not be happy about ~25% performance loss affecting hundreds of thousands of dollars of equipment in a cloud/DC environment... it's not like the systems are using less power after all.
 

jpiniero

Lifer
Oct 1, 2010
14,509
5,159
136
More Linux benchmarks....

https://www.phoronix.com/scan.php?page=article&item=intel-mds-xeon&num=8

If looking at the geometric mean of all the benchmarks carried out, the EPYC 7601 averages out to about a 1% hit with its Spectre mitigations. The dual Xeon Platinum 8280 Cascadelake setup with its mostly hardware-based mitigations was slower by 4% with the relevant mitigations enabled. Meanwhile the dual Xeon Gold 6138 server that unfortunately doesn't have the hardware mitigations saw an 11% hit from the benchmarks run with these Spectre/Meltdown/L1TF/MDS mitigations or 15% if disabling Hyper Threading as an additional measure based on the benchmarks carried out today.
 
  • Like
Reactions: lightmanek

JustMe21

Senior member
Sep 8, 2011
324
49
91
@jpiniero

I imagine a thousand server room administrators thinking, "Hmm, time to ditch Skylake-SP for Cascade Lake-SP, stat!". Intel must be loving it.

Actually, no, since the hardware "fixes" make the 9th gen Intel processors more susceptible to Fallout. More like time to consider Epyc. Move all Internet exposed VMs to patched and Intel hyper threading disabled hosts and patched hosts for internal only that still need performance, until you can buy some Epyc based servers.
 
Last edited:
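
The host split described in the post above (Internet-exposed VMs on patched hosts with Hyper-Threading disabled, internal workloads on patched hosts), as an added example that is not part of the thread: it classifies hosts from the status lines Linux exposes under `/sys/devices/system/cpu/vulnerabilities/`. The tier names, host names and sample reports are assumptions constructed for illustration.

```python
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def read_host(vuln_dir=VULN_DIR):
    """Return {issue: status line} as reported by the running Linux kernel."""
    return {p.name: p.read_text().strip()
            for p in sorted(Path(vuln_dir).iterdir()) if p.is_file()}

def placement_tier(vulns):
    """Classify one host; the three tier names are this example's own."""
    if not vulns:
        return "unpatched"  # kernel too old to report anything
    for status in vulns.values():
        # Anything other than a mitigation or "Not affected" is an open issue.
        if not status.startswith(("Mitigation:", "Not affected")):
            return "unpatched"
    # Mitigated, but the kernel says enabled SMT still leaves the issue exposed.
    if any("SMT vulnerable" in s for s in vulns.values()):
        return "internal-only"
    return "internet-facing"

def plan(hosts):
    """Map every host name to its placement tier."""
    return {name: placement_tier(v) for name, v in hosts.items()}

# Constructed sample reports; host names are hypothetical.
SAMPLE_HOSTS = {
    "intel-ht-off": {
        "mds": "Mitigation: Clear CPU buffers; SMT disabled",
        "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled",
        "meltdown": "Mitigation: PTI",
    },
    "intel-ht-on": {
        "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
        "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
        "meltdown": "Mitigation: PTI",
    },
    "intel-no-microcode": {
        "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
        "meltdown": "Mitigation: PTI",
    },
    "epyc": {"mds": "Not affected", "l1tf": "Not affected", "meltdown": "Not affected"},
}

if __name__ == "__main__":
    for name, tier in plan(SAMPLE_HOSTS).items():
        print(f"{name:20} {tier}")
    if VULN_DIR.is_dir():
        print("this host:", placement_tier(read_host()))
```
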

Dayman1225

Golden Member
Aug 14, 2017
1,152
973
146
Actually no, since the hardware "fixes" make the Intel processors more susceptible to Fallout. More like time to consider Epyc. Move all web exposed VMs to patched and Intel hyper threading disabled hosts and patched hosts for internal only that still need performance, until you can buy some Epyc based servers to replace any generation of Intel processors, since even 9th gen has flaws.
That's why Cascade has additional hardware mitigations.
 

JustMe21

Senior member
Sep 8, 2011
324
49
91
That's why Cascade has additional hardware mitigations.

It does appear that Intel states their 8th and 9th gen processors have Hardware fixes or via Microcode update and software patch.

https://www.intel.com/content/www/u...ngineering-new-protections-into-hardware.html

It's interesting they indicate they have a hardware fix, but the Fallout paper indicates the Coffee Lake Refresh with its hardware fix made it more susceptible.

From a company standpoint, where you have to budget and plan for the next few years, it looks risky to go with Intel at this time. "Fool me once, shame on you; Fool me twice, shame on me"

Of course, on the AMD side, they don't have longevity on their new architecture yet, so that makes them risky as well.
 

Dayman1225

Golden Member
Aug 14, 2017
1,152
973
146
It's interesting they indicate they have a hardware fix, but the Fallout paper indicates the Coffee Lake Refresh with its hardware fix made it more susceptible.
That would be because there is a stepping for CFL-R that introduces more hardware mitigations, AFAIK. Stepping R0
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Actually, no, since the hardware "fixes" make the 9th gen Intel processors more susceptible to Fallout.

The problem is validation. If you're rolling out new hardware from a new vendor, it takes time and money to get it ready for deployment on an organizational scale. It's easier to replace your current hardware from the same vendor, especially when switching from Skylake-SP to Cascade Lake-SP amounts to installing what is almost exactly the same uarch.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
. . . is about their CPU testing tool. It's bad, but it's not the CPUs themselves, just if you have the tool installed - presumably because it enables admin access to anyone.

Just upgrade to the latest version - or better yet, uninstall it if you don't need it anymore.

Updating software on an org level is a PITA though. And Intel isn't MS, they don't necessarily have autoupdates or anything of the sort.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,323
4,904
136
New Phoronix review of Meltdown/Spectre/Zombieload performance impacts:
https://www.phoronix.com/scan.php?page=article&item=amd-zen2-spectre&num=1

If looking at the geometric mean for these various mitigation-sensitive benchmarks, the default mitigations on the Core i9 9900K amounted to a 28% hit while the Ryzen 7 2700X saw a 5% hit with its default Spectre mitigations and the new Ryzen 7 3700X came in at 6% and the Ryzen 9 3900X at just over 5%. Keep in mind these benchmarks ran for this article were a good portion of synthetic tests and focused on workloads affected by Spectre/Meltdown/L1TF/Zombieload. Many of these particular tests aren't multi-threaded and that's why you don't see as much of a difference between these HEDT and desktop CPUs as in our more normal benchmarks.

We'll update if hearing back from AMD on whether any software mitigation changes are expected for AMD Zen 2 processors given their hardware mitigations or if they still recommend these same conservative defaults as it currently stands in the Linux 5.2 kernel.
 

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,670
136
Apple's iOS is now known to have been exploited for years, with complete access to users' accounts and data gained by simply visiting a website.

Journalistic perspective:
https://arstechnica.com/information...iscriminately-infected-iphones-for-two-years/

Technical perspective from Project Zero's blog:
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

How is this not OT, considering we're talking software based exploits from another company? Well, first of all Intel gets a relief package since Apple is now the king of pwned: active exploits used for years on unsuspecting customers.

Second of all... we now have the ultimate proof that security through obscurity is exactly as bad as some people warned it would be, and Intel is just as vulnerable from this perspective through their Management Engine. I hope AMD has a better approach, I haven't followed up on their decisions on this matter.
 
  • Like
Reactions: Lodix and amd6502

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Fortunately for server admins, iOS is not used in their practice. The bossman who has an iPad in the executive office, however, might be a liability to the company.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,234
136
Apple's iOS is now known to have been exploited for years, with complete access to users' accounts and data gained by simply visiting a website.

Journalistic perspective:
https://arstechnica.com/information...iscriminately-infected-iphones-for-two-years/

Technical perspective from Project Zero's blog:
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

How is this not OT, considering we're talking software based exploits from another company? Well, first of all Intel gets a relief package since Apple is now the king of pwned: active exploits used for years on unsuspecting customers.

Second of all... we now have the ultimate proof that security through obscurity is exactly as bad as some people warned it would be, and Intel is just as vulnerable from this perspective through their Management Engine. I hope AMD has a better approach, I haven't followed up on their decisions on this matter.
iPhones have never been "obscure" and Apple has never depended on security by obscurity for the iOS platform. It has always been locked down far tighter than Android. Apple doesn't want unauthorized non-AppStore code to run, even if it's not malicious.

iOS has always had a far greater emphasis on security than Android.