Massive security hole in Xeons incoming?Official Meltdown/Spectre Discussion Thread

Page 67 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126
The main difference between 8th and 9th gen chips is the hardware mitigations (wrt Spectre/Meltdown). So the hardware mitigations may introduce new flaws.
There's a difference though. Cascade Lake (and possibly Whiskey Lake and/or Coffee Lake Refresh R0) have hardware fixes. The original Coffee Lake Refresh has the microcode updates built in, but that could be called hardware mitigations although it's not the same thing.
 

Hitman928

Golden Member
Apr 15, 2012
1,761
194
136
so CascadeLake is vulnerable or not?
It seems that Intel is saying no but that the security researchers are saying yes. I think the specific attacks in the Intel white paper show it is not vulnerable but the researchers are saying that the fixes actually make modified attacks easier.

That's what I've gathered but TBH I haven't been following that closely. Others can chime in if that's not correct.
 

Jimzz

Diamond Member
Oct 23, 2012
4,242
38
91
This may add more fire to why most desktop chips do not have HT anymore as well. But also turning it off does not fix it 100% either.

Hope their 10/7nm and new design does not flame out and stays on track.
 
Jan 29, 2014
279
17
91
How much should your average MacBook/MacBook Pro w/ Core Gen 4 - Gen 7 and Gen 8 and Gen 9 be worried about this? Almost none of them (expect IT professionals or readers of forums like this) will understand the problem much less be able to disable SMT if their security needs warranted it.
 
Apr 27, 2000
11,512
843
126
How much should your average MacBook/MacBook Pro w/ Core Gen 4 - Gen 7 and Gen 8 and Gen 9 be worried about this?
None of these security flaws seem to be OS-specific. The only thing I haven't heard is what, if anything, Apple has done to address the problems.
 

GreenReaper

Junior Member
Aug 15, 2018
1
0
11
You should be worried, but mostly because it may degrade performance enough that you regret not shelling out for the higher-specced model at Apple's markup.
 

cytg111

Diamond Member
Mar 17, 2008
8,787
733
136
I friggin knew it. redacted.
Is AMD safe from all this?
Cyrix? :eek:/.




Profanity is not allowed in tech.


esquared
Anandtech Forum Director
 
Last edited by a moderator:
Apr 27, 2000
11,512
843
126
Is AMD safe from all this?
Basically, yes. They had to do some UEFI patching and OS patching to deal with Spectre. MDS doesn't affect AMD at all (apparently).

Cyrix chips though? That's an interesting question. I'm more interested in knowing if VIA chips are vulnerable to this stuff. Speaking of VIA, I haven't heard a peep out of them in awhile . . .
 

gorobei

Platinum Member
Jan 7, 2007
2,948
62
106
None of these security flaws seem to be OS-specific. The only thing I haven't heard is what, if anything, Apple has done to address the problems.
https://www.tomshardware.com/news/disable-hyper-threading-mac-apple-performance,39348.html
Apple has joined Google in advising customers to disable Intel CPUs' Hyper-Threading feature. This drastic measure is supposed to defend against Microarchitectural Data Sampling (MDS) issues that Intel disclosed on Monday. Apple warned, however, that defending against those vulnerabilities by disabling Hyper-Threading "may have a significant impact on the performance" of the system in question.

....
"Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks," the company said. That's based on the company's test systems, though, and the actual impact will vary between devices.
 

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126
Reviewed the microcode update guidance, and seems only Cascade Lake and Broadwell-D Refresh is not on the list. But that doesn't necessarily mean that Whiskey Lake or Coffee Lake Refresh R0 are vulnerable to MDS.

Do wonder if this might encourage Intel to release Comet Lake sooner.
 
Apr 27, 2000
11,512
843
126
Reviewed the microcode update guidance, and seems only Cascade Lake and Broadwell-D Refresh is not on the list.
I'm seeing conflicting data here. People posting on Phoronix (read comments from the above-linked article) are saying that some Cascade Lake chips are vulnerable and some are not, based on stepping.
 

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126
I'm seeing conflicting data here. People posting on Phoronix (read comments from the above-linked article) are saying that some Cascade Lake chips are vulnerable and some are not, based on stepping.
I saw that but I think it's possible that only applies to the pre-release Cascade Lake that the Cloud Guys got, which I guess they would have to dump now. Which actually sort of explains why Cascade Lake was delayed a bit.
 

dualsmp

Golden Member
Aug 16, 2003
1,616
0
91
I'm seeing conflicting data here. People posting on Phoronix (read comments from the above-linked article) are saying that some Cascade Lake chips are vulnerable and some are not, based on stepping.
There is a breakdown near the lower part of this page:
https://software.intel.com/security...-enumeration-and-architectural-msrs#MDS-CPUID

Looks like only (some) 8th Gen processors, (some) 2nd Gen Xeon Scalable and certain Atoms are immune. There is also a subset of processors that have partial immunity (like 9th Gen) and most everything else has no immunity.
 

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126
Looks like only (some) 8th Gen processors, (some) 2nd Gen Xeon Scalable and certain Atoms are immune. There is also a subset of processors that have partial immunity (like 9th Gen) and most everything else has no immunity.
That list is inaccurate, especially when there is no Whiskey Lake Desktop parts, unless they mean Coffee Lake Refresh R0. Which I am guessing they are...

By the way, according to Ark there are R0 stepping parts available for the original Coffee Lake Refresh out there. Doesn't seem like there is any way to know which one you get though.
 
Apr 27, 2000
11,512
843
126
I saw that but I think it's possible that only applies to the pre-release Cascade Lake that the Cloud Guys got, which I guess they would have to dump now. Which actually sort of explains why Cascade Lake was delayed a bit.
Gotta hurt for any of the big Cloud Guys who dumped Skylake-SP to get away from Meltdown/Spectre.

There's really no alternative for people like this one enriching Intel?
If procurement won't switch vendors, the server guys gotta make do as best they can. Validating new hardware can take time.
 

JustMe21

Senior member
Sep 8, 2011
250
4
81
Newer Intel processors may have some immunity to RIDL, but the hardware enhancements make it more susceptible to Fallout.
https://mdsattacks.com/

So far, it seems that AMD's biggest flaw was in the TPM processor and minorly with Ryzen, that was OS patched. So, no RIDL or Fallout with Ryzen.
https://www.amd.com/en/corporate/product-security

Given how long it took to implement hardware fixes for Spectre and Meltdown, I would think hardware fixes for the new flaws won't be available until next year or so.
 

jpiniero

Diamond Member
Oct 1, 2010
6,327
226
126
Gotta hurt for any of the big Cloud Guys who dumped Skylake-SP to get away from Meltdown/Spectre.
I imagine Intel gave them free upgrades to the updated version of Cascade Lake
which has all the fixes.

Of course they would have to swap out the chips.

There's really no alternative for people like this one enriching Intel?
AMD's been out of the game for so long that I don't think it's on the radar for a lot of people.
 

Deigarth

Junior Member
Mar 13, 2017
5
7
51
Performance impact of the ZombieLoad mitigations looks brutal for context switching. And this is with HT still enabled even. Looks like Ryzen could become four times faster at it in comparison. This is a disaster for VM implementations, virtual network will certainly feel this. Makes Meltdown and Spectre look like small, inconsequential things. I hope something can be done, otherwise nobody will patch their VM servers and watch the performance tank.
 
Apr 27, 2000
11,512
843
126
I imagine Intel gave them free upgrades to the updated version of Cascade Lake
which has all the fixes.
Shades of the FDIV bug. Sort of. Intel replaced a LOT of Pentiums back in the day.

Of course they would have to swap out the chips.
That would be really irritating for anyone using Cascade Lake-AP. All ten of them.
 


ASK THE COMMUNITY