Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

Page 68 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar
tamz_msc

tamz_msc

Diamond Member
Jan 5, 2017
3,865
3,729
136
The Performance Impact Of MDS / Zombieload Plus The Overall Cost Now Of Spectre/Meltdown/L1TF/MDS

If looking at the geometric mean for the tests run today, the Intel systems all saw about 16% lower performance out-of-the-box now with these default mitigations and obviously even lower if disabling Hyper Threading for maximum security. The two AMD systems tested saw a 3% performance hit with the default mitigations. While there are minor differences between the systems to consider, the mitigation impact is enough to draw the Core i7 8700K much closer to the Ryzen 7 2700X and the Core i9 7980XE to the Threadripper 2990WX.
Click to expand...
 
  • Like
Reactions: DarthKyrie and PotatoWithEarsOnSide
IEC

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,575
5,974
136
I can't imagine how bad the impact will be in terms of CPU util and response time for certain applications on XenApp and Horizon after these additional hits to context switching performance.

From the Phoronix article:
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.
Click to expand...

Oof.
 
dualsmp

dualsmp

Golden Member
Aug 16, 2003
1,627
45
91
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.

How are cloud providers and data centers going to cope with five to six times loss of performance? :screamcat:
 
Markfw

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
26,998
15,948
136
jpiniero said:
By buying new hardware, of course.
Click to expand...
If I was an IT manager with half a brain, I have 2 options:
1) If my system carries financial information or very sensitive information, I am forced to put the patches in and add new hardware to compensate.
2) If if not, I don't do the patches right now, order the hardware, and take a risk.

Neither are good options, but Intel buried themselves.
 
  • Like
Reactions: Drazick
A

Accord99

Platinum Member
Jul 2, 2001
2,259
172
106
dualsmp said:
Context switching used to be faster on Intel CPUs over the AMD Zen CPUs, but that is certainly no longer the case. With these default mitigations, context switching is taking about five to six times longer than in the unmitigated configuration.

How are cloud providers and data centers going to cope with five to six times loss of performance? :screamcat:
Click to expand...
Why are data centers running applications that do nothing but context switch?
 
  • Like
Reactions: NTMBK, godihatework, Space Tyrant and 1 other person
EXCellR8

EXCellR8

Diamond Member
Sep 1, 2010
4,029
868
136
Yikes I would not be happy about ~25% performance loss affecting hundreds of thousands of dollars of equipment in a cloud/DC environment... it's not like the systems are using less power after all.
 
J

jpiniero

Lifer
Oct 1, 2010
16,160
6,613
136
More Linux benchmarks....

https://www.phoronix.com/scan.php?page=article&item=intel-mds-xeon&num=8

If looking at the geometric mean of all the benchmarks carried out, the EPYC 7601 averages out to about a 1% hit with its Spectre mitigations. The dual Xeon Platinum 8280 Cascadelake setup with its mostly hardware-based mitigations was slower by 4% with the relevant mitigations enabled. Meanwhile the dual Xeon Gold 6138 server that unfortunately doesn't have the hardware mitigations saw a 11% hit from the benchmarks run with these Spectre/Meltdown/L1TF/MDS mitigations or 15% if disabling Hyper Threading as an additional measure based on the benchmarks carried out today.
Click to expand...
 
  • Like
Reactions: lightmanek
J

JustMe21

Senior member
Sep 8, 2011
324
49
91
DrMrLordX said:
@jpiniero

I imagine a thousand server room administrators thinking, "Hmm, time to ditch Skylake-SP for Cascade Lake-SP, stat!". Intel must be loving it.
Click to expand...

Actually, no, since the hardware "fixes" make the 9th gen Intel processors more susceptible to Fallout. More like time to consider Epyc. Move all Internet exposed VMs to patched and Intel hyper threading disabled hosts and patched hosts for internal only that still need performance, until you can buy some Epyc based servers.
 
Last edited:
Dayman1225

Dayman1225

Golden Member
Aug 14, 2017
1,160
996
146
JustMe21 said:
Actually no, since the hardware "fixes" make the Intel processors more susceptible to Fallout. More like time to consider Epyc. Move all web exposed VMs to patched and Intel hyper threading disabled hosts and patched hosts for internal only that still need performance, until you can buy some Epyc based servers to replace any generation of Intel processors, since even 9th gen has flaws.
Click to expand...
That's why Cascade has additional hardware mitigations.
 
J

JustMe21

Senior member
Sep 8, 2011
324
49
91
Dayman1225 said:
That's why Cascade has additional hardware mitigations.
Click to expand...

It does appear that Intel states their 8th and 9th gen processors have Hardware fixes or via Microcode update and software patch.

https://www.intel.com/content/www/u...ngineering-new-protections-into-hardware.html

It's interesting they indicate they have a hardware fix, but the Fallout paper indicates the Coffee Lake Refresh with it's hardware fix made it more susceptible.

From a company standpoint, where you have to budget and plan for the next few years, it looks risky to go with Intel at this time. "Fool me once, shame on you; Fool me twice, shame on me"

Of course, on the AMD side, they don't have longevity on their new architecture yet, so that makes them risky as well.
 
Dayman1225

Dayman1225

Golden Member
Aug 14, 2017
1,160
996
146
JustMe21 said:
It's interesting they indicate they have a hardware fix, but the Fallout paper indicates the Coffee Lake Refresh with it's hardware fix made it more susceptible.
Click to expand...
That would be because there is a stepping for CFL-R that introduces more hardware mitigation’s AFAIK. Stepping R0
 
DrMrLordX

DrMrLordX

Lifer
Apr 27, 2000
22,544
12,412
136
JustMe21 said:
Actually, no, since the hardware "fixes" make the 9th gen Intel processors more susceptible to Fallout.
Click to expand...

The problem is validation. If you're rolling out new hardware from a new vendor, it takes time and money to get it ready for deployment on an organizational scale. It's easier to replace your current hardware from the same vendor, especially when switching from Skylake-SP to Cascade Lake-SP amounts to installing what is almost exactly the same uarch.
 
  • Like
Reactions: Space Tyrant and DarthKyrie
DrMrLordX

DrMrLordX

Lifer
Apr 27, 2000
22,544
12,412
136
GreenReaper said:
. . . is about their CPU testing tool. It's bad, but it's not the CPUs themselves, just if you have the tool installed - presumably because it enables admin access to anyone.

Just upgrade to the latest version - or better yet, uninstall it if you don't need it anymore.
Click to expand...

Updating software on an org level is a PITA though. And Intel isn't MS, they don't necessarily have autoupdates or anything of the sort.
 
IEC

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,575
5,974
136
New Phoronix review of Meltdown/Spectre/Zombieload performance impacts:
https://www.phoronix.com/scan.php?page=article&item=amd-zen2-spectre&num=1

If looking at the geometric mean for these various mitigation-sensitive benchmarks, the default mitigations on the Core i9 9900K amounted to a 28% hit while the Ryzen 7 2700X saw a 5% hit with its default Spectre mitigations and the new Ryzen 7 3700X came in at 6% and the Ryzen 9 3900X at just over 5%. Keep in mind these benchmarks ran for this article were a good portion of synthetic tests and focused on workloads affected by Spectre/Meltdown/L1TF/Zombieload. Many of these particular tests aren't multi-threaded and that's why you don't see as much of a difference between these HEDT and desktop CPUs as in our more normal benchmarks.

We'll update if hearing back from AMD on whether any software mitigation changes are expected for AMD Zen 2 processors given their hardware mitigations or if they still recommend these same conservative defaults as it currently stands in the Linux 5.2 kernel.
Click to expand...
 
  • Like
Reactions: Drazick and KompuKare
coercitiv

coercitiv

Diamond Member
Jan 24, 2014
7,133
16,550
136
Apple's iOS is now know to have been exploited for years, with complete access to user's accounts and data gained by simply visiting a website.

Journalistic perspective:
https://arstechnica.com/information...iscriminately-infected-iphones-for-two-years/

Technical perspective from Porject Zero's blog:
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

How i this not OT, considering we're talking software based exploits from another company? Well, first of all Intel gets a relief package since Apple is now the king of pwned: active exploits used for years on unsuspecting customers.

Second of all... we now have the ultimate proof that security through obscurity is exactly as bad as some people warned it would be, and Intel is just as vulnerable from this perspective through their Management Engine. I hope AMD has a better approach, I haven't followed up on their decisions on this matter.
 
  • Like
Reactions: Lodix and amd6502
DrMrLordX

DrMrLordX

Lifer
Apr 27, 2000
22,544
12,412
136
Fortunatley for server admins, iOS is not used in their practice. The bossman who has an iPad in the executive office, however, might be a liability to the company.
 
Ichinisan

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
coercitiv said:
Apple's iOS is now know to have been exploited for years, with complete access to user's accounts and data gained by simply visiting a website.

Journalistic perspective:
https://arstechnica.com/information...iscriminately-infected-iphones-for-two-years/

Technical perspective from Porject Zero's blog:
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

How i this not OT, considering we're talking software based exploits from another company? Well, first of all Intel gets a relief package since Apple is now the king of pwned: active exploits used for years on unsuspecting customers.

Second of all... we now have the ultimate proof that security through obscurity is exactly as bad as some people warned it would be, and Intel is just as vulnerable from this perspective through their Management Engine. I hope AMD has a better approach, I haven't followed up on their decisions on this matter.
Click to expand...
iPhones have never been "obscure" and Apple has never depended on security by obscurity for the iOS platform. It has always been locked down far tighter than Android. Apple doesn't want unauthorized non-AppStore code to run, even if it's not malicious.

iOS has always had a far greater emphasis on security than Android.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom