Massive security hole in CPU's incoming? Official Meltdown/Spectre Discussion Thread

Page 27

Hitman928

That's....hugely concerning. And that's with coffee lake which was supposed to be the least impacted. No mention of gaming benchmarks?

Still, best to wait until the "respected" websites and youtubers do their benchmarks.

There was a test running Tomb Raider where the averages were unaffected but the minimums took a huge dive. I didn't show the results here though because in my experience, the minimums result in the Tomb Raider benchmark is highly irregular. You can follow the link if you want to see them though.
 

PhonakV30


wow! finally this worked. Here I typed and voila!
Save-Module -Name SpeculationControl -Path C:\Windows\System32\WindowsPowerShell\v1.0\Modules
Set-Location C:\Windows\System32\WindowsPowerShell\v1.0\Modules
Import-Module SpeculationControl
Get-SpeculationControlSettings

Alright, my result:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False

Any idea? I don't understand what it says.
 

goldstone77

wow! finally this worked. Here I typed and voila!


Alright, my result:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.


BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False

Any idea? I don't understand what it says.

I believe you need to update your motherboard bios with a patch.
 

Rifter

That's....hugely concerning. And that's with coffee lake which was supposed to be the least impacted. No mention of gaming benchmarks?

Still, best to wait until the "respected" websites and youtubers do their benchmarks.

The most concerning part, to me anyways, is that most benchmarks so far have only been conducted with the Windows/Linux patches installed and not the microcode update. And those already showed bad performance in heavy IOPS workloads and NVMe performance. How are those benchmarks going to look with this new microcode also installed, as it seems to be even worse than just the OS patch?
 

Engineer

I believe you need to update your motherboard bios with a patch.

I know this wasn't meant for me but I can't (and I wish I could). First, I doubt that Biostar will release a new one. If they did, I would need to figure out how to patch Xeon 1230V2 (or 3, don't remember) microcode into it - again - and flash that. I would need to find adjusted Xeon microcode to even do that. Not worth it anymore. I'll build a new system before doing all of that again, lol! :p
 

IEC

Looks like Microsoft highlighted (in red) the fact that you *need* a microcode update to fully patch the vulnerability/bug/flaw/whatever you want to call it.

Warning

Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer.

Note Surface customers will receive a microcode update via Windows update.
https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in
 

zinfamous

There was a test running Tomb Raider where the averages were unaffected but the minimums took a huge dive. I didn't show the results here though because in my experience, the minimums result in the Tomb Raider benchmark is highly irregular. You can follow the link if you want to see them though.

pardon my noobishness, but have "ave." in FPS only ever averaged the maximum frame rates? I think I always knew that, it just didn't strike me until you made this comment and I did a double take. :D

Or is it just the reported minimum is the absolute minimum--generally an outlier that rarely occurs ?
 

ZGR

I'm pretty sure Asus won't do much for my board. I wonder what the oldest motherboard supported by any OEM is?
 

noneis

Few things about Spectre #2:
  • For Skylake and newer microcode update (BIOS) is necessary to activate Spectre #2 mitigation, these processors are most affected by performance hit from Spectre #2 mitigation, Linux devs said that this mitigation is "horribly slow", so slow compile times, databases, virtualization is expected
  • For pre-Skylake CPU's microcode update is not needed, and performance hit should be much lower than for Skylake+
  • Ryzen needs microcode update for Spectre #2, but performance hit should be lower than pre-Skylake CPU's.
  • Older AMD CPU's don't need microcode update and performance hit should be similar to Ryzen, but those CPU's are slow anyway.
Edit: I don't think that compile time test posted by HellBound is final result because right now Linux has only Meltdown mitigation.
 

jpiniero

For Skylake and newer microcode update (BIOS) is necessary to activate Spectre #2 mitigation, these processors are most affected by performance hit from Spectre #2 mitigation, Linux devs said that this mitigation is "horribly slow", so slow compile times, databases, virtualization is expected

Forget where I saw that, but on that apparently Skylake "optimizes" the faster workaround so they have to use a slower one.
 

noneis

Forget where I saw that, but on that apparently Skylake "optimizes" the faster workaround so they have to use a slower one.
Directly from Linux devs: https://lkml.org/lkml/2018/1/4/724

"Retpoline as a mitigation strategy swaps indirect branches for returns,
to avoid using predictions which come from the BTB, as they can be
poisoned by an attacker.

The problem with Skylake+ is that an RSB underflow falls back to using a
BTB prediction, which allows the attacker to take control of speculation."
Retpoline mitigation is useless for Skylake+
 

dahorns

Directly from Linux devs: https://lkml.org/lkml/2018/1/4/724

"Retpoline as a mitigation strategy swaps indirect branches for returns,
to avoid using predictions which come from the BTB, as they can be
poisoned by an attacker.

The problem with Skylake+ is that an RSB underflow falls back to using a
BTB prediction, which allows the attacker to take control of speculation."
Retpoline mitigation is useless for Skylake+

Ugh, this is pushing me towards returning my newly constructed rig if possible.
 

Kenmitch

This is what I got on my laptop which has a 7700HQ. Loaded the most current bios available which was dated 12/28/2017 but looks like it's not patched yet or I'm not reading it correctly.

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
 

cytg111

pardon my noobishness, but have "ave." in FPS only ever averaged the maximum frame rates? I think I always knew that, it just didn't strike me until you made this comment and I did a double take. :D

Or is it just the reported minimum is the absolute minimum--generally an outlier that rarely occurs ?

Yea I picked up on that too, if average is the same but minimums take a "huge" dive, then somewhere else something must have seen a gain -- or we are talking small potatoes like a ~1 fps max decrease on average.

Damnit, I hate it when progress goes in reverse .. it is not as we have been blessed with huge increments over the last decade and now they are taking half of it back? Sigh. Well, the next-next generation from Intel will at least have a decent performance bump over the older gens :).
 

Malogeek

This is what I got on my laptop which has a 7700HQ. Loaded the most current bios available which was dated 12/28/2017 but looks like it's not patched yet or I'm not reading it correctly.
Yes it's patched and functioning for Meltdown, which is the only mitigation for now. Spectre mitigation is coming via other means but the tool provides the ability to test for it once it's in place.
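
An added example (not from any poster and not part of Microsoft's SpeculationControl module): a Python triage script that reads the property block pasted in the posts above and reports, per CVE, whether the mitigation is enabled and which flag is blocking it. The sample input is constructed from the 7700HQ output in this thread; the function names and status strings are assumptions made for illustration.

```python
import re
# Constructed sample: the property block from the 7700HQ post in this thread.
SAMPLE_7700HQ = """\
BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
"""

FLAG = re.compile(r"^\s*((?:BTI|KVAShadow)\w+)\s*:\s*(True|False)\s*$", re.M)
REQUIRED = {"BTIHardwarePresent", "BTIWindowsSupportPresent", "BTIWindowsSupportEnabled",
            "BTIDisabledBySystemPolicy", "KVAShadowRequired",
            "KVAShadowWindowsSupportPresent", "KVAShadowWindowsSupportEnabled"}

def parse_flags(text):
    """Extract the 'Name : True/False' properties from pasted tool output."""
    return {name: value == "True" for name, value in FLAG.findall(text)}

def assess(flags):
    """Map the flags to (status, blocking reason) per CVE; labels are this example's own."""
    missing = REQUIRED - set(flags)
    if missing:  # a truncated paste must not be read as "nothing to do"
        raise ValueError("missing properties: " + ", ".join(sorted(missing)))
    # CVE-2017-5715, branch target injection: needs OS support and firmware support.
    if flags["BTIWindowsSupportEnabled"]:
        bti = ("enabled", None)
    elif not flags["BTIWindowsSupportPresent"]:
        bti = ("not enabled", "Windows update missing")
    elif flags["BTIDisabledBySystemPolicy"]:
        bti = ("not enabled", "disabled by system policy")
    elif not flags["BTIHardwarePresent"]:
        bti = ("not enabled", "BIOS/firmware update from the OEM needed")
    else:
        bti = ("not enabled", "cause not shown by these flags")
    # CVE-2017-5754, rogue data cache load: kernel VA shadow, only if the CPU requires it.
    if not flags["KVAShadowRequired"]:
        kva = ("not required", None)
    elif flags["KVAShadowWindowsSupportEnabled"]:
        kva = ("enabled", None)
    elif not flags["KVAShadowWindowsSupportPresent"]:
        kva = ("not enabled", "Windows update missing")
    else:
        kva = ("not enabled", "support present but switched off")
    return {"CVE-2017-5715": bti, "CVE-2017-5754": kva}
```

`KVAShadowPcidEnabled` is left out of the assessment because the tool's own output marks it as a performance optimization that is not required for security.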
 

nehway0912

Not really relevant to the topic but ASUS is releasing new bios for their intel boards to "fix" these.
 

Paratus

Not really relevant to the topic but ASUS is releasing new bios for their intel boards to "fix" these.
I’m not going to hold my breath for Asus to update my X58 board, nor Sony to update my circa 2012 Sandy Bridge laptop.

Hopefully MSI will update my new X399 Pro Carbon mobo that’s still in its box. (I’m assuming Threadripper needs the update if Ryzen does)
 

SPBHM

I’m not going to hold my breath for Asus to update my X58 board, nor Sony to update my circa 2012 Sandy Bridge laptop.

Hopefully MSI will update my new X399 Pro Carbon mobo that’s still in its box. (I’m assuming Threadripper needs the update if Ryzen does)

I wonder if they are updating the microcodes for those old CPUs and if it's possible to just mod the bios to add them, since yes, most are not getting bios updates for years now.
 

Malogeek

And I have 6 X99 motherboards with 168 threads (28x6) waiting ? Why not the BIG CPU support boards first ?
Why big CPU boards (and older ones at that) before latest boards? Because it suits you better? Personally I would do latest chipsets first then work backwards, seems the logical approach.
 