Massive security hole in CPU's incoming?Official Meltdown/Spectre Discussion Thread

[Panino Manino]

I was thinking, it's possible to disable these mitigation, at least on Ubuntu? It's possible to disable and enable at will? Or most of these mitigation once they're activate there's no reverting back?

 

[jpiniero]

I was thinking, it's possible to disable these mitigation, at least on Ubuntu? It's possible to disable and enable at will? Or most of these mitigation once they're activate there's no reverting back?

You can turn it off, that's how Phoronix is testing it.

 

[Panino Manino]

You can turn it off, that's how Phoronix is testing it.

Do you know how I do this?

 

[jpiniero]

Do you know how I do this?

https://wiki.ubuntu.com/Kernel/KernelBootParameters

See the part about adding kernel parameters. Add retbleed=off

 

[nicalandia]

AMD Processors Expose Sensitive Data to New 'SQUIP' Attack

AMD Processors Expose Sensitive Data to New 'SQUIP' Attack | SecurityWeek.Com

Researchers disclose the details of SQUIP, a side-channel attack targeting the scheduler queues of AMD CPUs.

www.securityweek.com

SGX, Intel’s supposedly impregnable data fortress, has been breached
yet again

خطأ بإعدادات السيرفر المستضيف

Thankfully anything of worth that I had that could be stolen has already been taken by my Ex Wives...!

 

[moinmoin]

“An attacker running on the same host and CPU core as you could spy on which types of instructions you are executing due to the split-scheduler design on AMD CPUs.”

That's kind of a "Doh!" situation. Cores have their own schedulers, which are obviously shared for SMT on the same core. That's why disabling SMT (or not splitting threads of the same core among different users) has been best practice since when Spectre first appeared.

The bug that enables ÆPIC Leak is what is known as an uninitialized memory read, which occurs when memory space is not freed up after the CPU has finished processing it, causing old data to leak that is no longer needed. Unlike previous CPU bugs with names like Specter, Meltdown, Foreshadow, and RIDL/Fallout/ZombieLoad – which resulted from temporary runs that created side channels revealing private data – ÆPIC Leak is an architectural flaw that resides in the CPU itself.

SGX has been essentially dead for quite some time already, but still: ouch! I sure hope Intel put more thought into the upcoming SGX2.

 

[nicalandia]

I also don't use Windows 11, keep Windows 10 up to date..


Beware: Windows 11-ready CPUs with VAES "susceptible to data damage", full CPU list here

Beware: Windows 11-ready CPUs with VAES "susceptible to data damage", full CPU list here

Microsoft has issued a warning for those out there running Windows 11 on supported CPUs. The company has found that modern chips with the new VAES instruction are "susceptible to data damage".

www.neowin.net

 

[moinmoin]

I also don't use Windows 11, keep Windows 10 up to date..


Beware: Windows 11-ready CPUs with VAES "susceptible to data damage", full CPU list here

Beware: Windows 11-ready CPUs with VAES "susceptible to data damage", full CPU list here

Microsoft has issued a warning for those out there running Windows 11 on supported CPUs. The company has found that modern chips with the new VAES instruction are "susceptible to data damage".

www.neowin.net

Hm, as far as I understand it it's not really the VAES instruction that's broken (as all chips implementing VAES seem to be equally affected) but the way Windows 11 previously applied it that could be susceptible to data damage, by what appears to be saving some safeguarding that now has to be applied anyway and consequently leads to longer processing time.

 

[nicalandia]

70% Compute Performance taked..

VMware: ESXi VM Performance Tanks Up To 70% Due To Intel Retbleed Mitigation - Phoronix

www.phoronix.com

 

[DrMrLordX]

How old are "older processors"?

 

[darkswordsman17]

How old are "older processors"?

Seems this was what it was tested on:

The hardware they were testing was an Intel Xeon "Skylake" server with 112 threads and 2TB of RAM.

But it also affects these (unsure about performance):

Retbleed on the Intel side is known to affect Intel Core 6th through 8th Gen client CPUs and associated Xeon processors.

 

[DrMrLordX]

So . . . Skylake-SP? Cascade Lake-SP is 9th gen and IceLake-SP is 10th gen. On desktop that affects Coffee Lake, Kabylake, and Skylake.

 

[jpiniero]

The Intel Core i9 13900K "Raptor Lake" Performance From Linux 5.15 To Linux 6.1 - Phoronix

www.phoronix.com

Looks like there's more security fixes in the latest Linux kernels which hurt performance on Intel... and this even applies to Raptor Lake.

 

[VirtualLarry]

and this even applies to Raptor Lake.

Intel, still designing cars without seatbelts.

 

[A///]

Intel, still designing cars without seatbelts.

Almost makes that rumor of gelsinger getting canned by q2 2023 slightly true. RPL wasn't under his watch but he's stuck with the dog poo and mop.

 

[Fanatical Meat]

has this hole turned out to be an issue. Seems like it’s been quite a while and consumer equipment doesn’t appear to be impacted. How about data centers?

 

[DrMrLordX]

has this hole turned out to be an issue. Seems like it’s been quite a while and consumer equipment doesn’t appear to be impacted. How about data centers?

Golden Cove and Raptor Cove aren't in datacentres yet, so there's no way of knowing how these newer kernel versions will affect Sapphire Rapids or Emerald Rapids. For consumer desktop, I would expect savvy Linux users to disable the mitigations if they need extra performance. Especially if there are no known exploits in the wild based on the vulnerability(ies) meant to be mitigated by later kernel versions.