Meltdown/Spectre patch clarification please

BogdanH

Member
Feb 20, 2011
33
2
66
Hello,
There are tons of articles about Meltdown/Spectre issue and about upcoming solutions. As far I understand, it's a CPU (by design) flaw, still it seems "everyone" is working on solution: CPU makers, MB makers, OS makers, Browser makers, etc. And here my confusion starts:
Do we need to apply patches for all hardware and software we use?? I mean, I would assume, that patch for BIOS and OS would be enough to be protected. Now I see Firefox's latest update included patch for Meltdown!? I mean.. it's just a browser, sitting on top of OS (which is already patched). But, if browser need to be patched, what about other stuff we maybe use?
And at the end, after all necessary patches are installed, how will that impact performance? To my eyes it will be like all software is running on CPU emulation.
I hope my writing makes sense to you... To sumarize: how many patches do we need?
 

mikeymikec

Lifer
May 19, 2011
17,575
9,266
136
This is not my field of expertise, but AFAIK a CPU microcode update is the best bet for fixing this problem. I expect it to be delivered via an OS update. I don't know whether it can be delivered with a BIOS update. Another possibility might be that an OS update that fixes the OS scheduler to work around the issue, as modern operating systems take into account the quirks of various CPUs in order to send instructions to them in an optimal manner.
 

jkauff

Senior member
Oct 4, 2012
583
13
81
As I understand it, the CPU microcode must be updated via BIOS. Changes to the kernel code are done in the OS. Apparently it was recently discovered that GPUs are also vulnerable and require driver/firmware patches. My guess is that Firefox is trying to prevent malicious websites from delivering the exploits to your system.
 

el etro

Golden Member
Jul 21, 2013
1,581
14
81
Meltdown fix will only melt Intel performance in the datacenter. Performance loss in Desktop/Mobile/Datacenter/Notebook markets of all processors is neglible to none in most cases.

Meltdown will only melt Xeon and nothing more. If gaming only is what you want, go ahead and buy a Xeon.
 

Roland00Address

Platinum Member
Dec 17, 2008
2,196
260
126
To my understanding (I have not done much research into this, so please more informed people confirmed or correct this.)

Meltdown requires code to be actually on your computer and thus one of two things must happen.

1) You are running an infected program, virus, etc.

2) It can be done via javascript, aka any internet webpage without the user's permission (ad blockers, no script, etc can fix this), and the javascript is a specific type that runs on your computer as a program, but this is enough to do meltdown.

To my understanding it was Mozilla makers of Firefox that figured out #2. #1 is still a problem for desktop, laptop, mobile users but honestly if the code is already on your computer with an infected program, virus, etc you already have problems. #1 though for datacenter and server is a really big deal.

Since Mozilla found #2, I am guessing their firefox patch fix is only going to fix running the javascript in the browser aka #2. If so this will not fix Meltdown but it is a harm reduction measure and you still need the micro code, bios update, os update, etc.
 

BogdanH

Member
Feb 20, 2011
33
2
66
Thank you for all replays.
At least in my view, there are still too many guesses and speculations what exactly needs to be patched. And those who know (CPU maker) aren't very talkative. CPU, BIOS, OS, browser, GPU (maybe).. eMail client?.. drivers?
Most solutions given so far, look more like experimenting.. patch for Windows (which doesn't work for AMD CPU's), there's patch for Asus BIOS (which is signed beta -for my MoBo)...
Thank you again for your thoughts.
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
25,478
14,434
136
Almost any Intel CPU in the last 20 years needs BIOS patches and Window patches for Meltdown and Spectre, meltdown being the bad one.. The Firefox update ? I don't know why on that.

AMD only needs patches for Spectre, as it does not have the same problem as Intel for Meltdown. Spectre is way less of a performance hit, and harder to use as a hacker.
 
  • Like
Reactions: jrphoenix

mikeymikec

Lifer
May 19, 2011
17,575
9,266
136
Surely it must be possible to do microcode updates from the OS? If you can flash a BIOS from Windows, then a microcode update could be done as well?

I just can't imagine how many PCs won't get the microcode update because frankly most PCs don't see a BIOS update from the moment they leave the factory.
 

bononos

Diamond Member
Aug 21, 2011
3,883
142
106
Meltdown fix will only melt Intel performance in the datacenter. Performance loss in Desktop/Mobile/Datacenter/Notebook markets of all processors is neglible to none in most cases.

Meltdown will only melt Xeon and nothing more. If gaming only is what you want, go ahead and buy a Xeon.
All of what you said is inaccurate or wrong. Meltdown and Spectre bios+os patches will affect peformance for normal users as well. The benchmarks from computerbase shows a big hit in disk and gaming performance.
https://www.computerbase.de/2018-01/meltdown-spectre-amd-intel-benchmarks/
 

dlerious

Golden Member
Mar 4, 2004
1,769
717
136

bononos

Diamond Member
Aug 21, 2011
3,883
142
106
.......
Do we need to apply patches for all hardware and software we use?? I mean, I would assume, that patch for BIOS and OS would be enough to be protected. Now I see Firefox's latest update included patch for Meltdown!? I mean.. it's just a browser, sitting on top of OS (which is already patched). But, if browser need to be patched, what about other stuff we maybe use?......

Almost any Intel CPU in the last 20 years needs BIOS patches and Window patches for Meltdown and Spectre, meltdown being the bad one.. The Firefox update ? I don't know why on that.

AMD only needs patches for Spectre, as it does not have the same problem as Intel for Meltdown. Spectre is way less of a performance hit, and harder to use as a hacker.

For Intel/AMD pc's running Linux/Windows, this is what I understand about Meltdown/Spectre situation:
The Meltdown fix (Kernel Page Table Isolation on Linux, VA Shadowing on Windows) requires only an OS patch and fixes have been released.
The Spectre variant 1 (Bounds Check Bypass) needs an OS patch to fix but the patches haven't come yet at this time.
The Spectre variant 2 (Branch Target Injection) needs a bios+OS patch and they have been released. Older motherboards which are out of support will probably not receive fixes from the manufacturers.

Browser fixes only protect the user while using the patched browser and not from trojans etc. Chrome is only releasing its fix on Jan23.
http://news.softpedia.com/news/goog...nd-spectre-patches-on-january-23-519245.shtml
https://overclock3d.net/news/cpu_mainboard/amd_releases_response_to_meltdown_and_spectre_exploits/1
 

bononos

Diamond Member
Aug 21, 2011
3,883
142
106
I'm not seeing that in their AMD charts. There's not much of a drop in SSD performance and games are faster (within margin of error) with Win10 + patch.
AMD said their cpus are largely unaffected by the exploits and their patches will only have negligible impact on performance.
Intel otoh is a different story.
 

Markfw

Moderator Emeritus, Elite Member
May 16, 2002
25,478
14,434
136
For Intel/AMD pc's running Linux/Windows, this is what I understand about Meltdown/Spectre situation:
The Meltdown fix (Kernel Page Table Isolation on Linux, VA Shadowing on Windows) requires only an OS patch and fixes have been released.
The Spectre variant 1 (Bounds Check Bypass) needs an OS patch to fix but the patches haven't come yet at this time.
The Spectre variant 2 (Branch Target Injection) needs a bios+OS patch and they have been released. Older motherboards which are out of support will probably not receive fixes from the manufacturers.

Browser fixes only protect the user while using the patched browser and not from trojans etc. Chrome is only releasing its fix on Jan23.
http://news.softpedia.com/news/goog...nd-spectre-patches-on-january-23-519245.shtml
https://overclock3d.net/news/cpu_mainboard/amd_releases_response_to_meltdown_and_spectre_exploits/1
You are missing the big picture. Meltdown is the big problem, and the solution has a big performance hit.

ONLY INTEL HAS THE MELTDOWN PROBLEM.

Spectre is another story. Yes, there are 2 variants. But both are very hard to implement(as in exploit), and both have little performance hit for the fix.
 

imported_ats

Senior member
Mar 21, 2008
422
63
86
Almost any Intel CPU in the last 20 years needs BIOS patches and Window patches for Meltdown and Spectre, meltdown being the bad one.. The Firefox update ? I don't know why on that.

All browsers are updating with mitigation patches against JS exploitation of Spectre/Meltdown exploits. The content of these patches is basically massive increases to the best case timer granularity along with making setting up the attacks more difficult by disabling various call functions. Both things that make exploitation of the various exploits via JS much more difficult.
 
  • Like
Reactions: coercitiv

imported_ats

Senior member
Mar 21, 2008
422
63
86
You are missing the big picture. Meltdown is the big problem, and the solution has a big performance hit.

ONLY INTEL HAS THE MELTDOWN PROBLEM.

This is categorically false. Literally the only modern OOO processor that apparently isn't susceptible to meltdown is Zen because of a power saving feature (aka literally no one figured out the issue before it went through Project Zero). Power? Meltdown. Sparc? Meltdown. AMD processors not Zen based? Meltdown. MIPS? Meltdown. ARM? Meltdown. Alpha? Meltdown. PA Risc? Meltdown.

And no, the actual fixes being implemented for Spectre are not minor performance impacts, they can be rather significant.
 

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,684
136
All browsers are updating with mitigation patches against JS exploitation of Spectre/Meltdown exploits. The content of these patches is basically massive increases to the best case timer granularity along with making setting up the attacks more difficult by disabling various call functions. Both things that make exploitation of the various exploits via JS much more difficult.
In plain Joe speak, what we're witnessing with the multiple patches to browsers, drivers and other software is a layered defense system with the purpose of getting the best protection possible, even for systems that may not receive proper OS and firmware patches.

It makes sense to protect starting from the surface level since it will take many years until vulnerable machines dissappear from the ecosystem.
 
Last edited:

nurfe

Junior Member
Jan 15, 2018
2
1
16
This is categorically false

Hi,

is there a new source proving or detailing that and how AMD is affected by Meltdown? I'm only aware of the original paper and of the kernel mailing list discussion, and both are closer to Markfw's statements than to yours. You however said that he is "categorically false", therefore my curiosity.

Thanks!
 

imported_ats

Senior member
Mar 21, 2008
422
63
86
In plain Joe speak, what we're witnessing with the multiple patches to browsers, drivers and other software is a layered defense system with the purpose of getting the best protection possible, even for systems that may not receive proper OS and firmware patches.

It makes sense to protect starting from the surface level since it will take many years until vulnerable machines dissappear from the ecosystem.

Its not just layered defense. Any application that can run 3rd party code is at risk of Spectre based attacks from said code so long as that code can do simple things like get timings for code sections, etc. Bios/OS patches aren't sufficient to prevent that. It requires any potentially affected program to provide its own mitigation. Basically, at every level that a "program" can potentially run another "program", mitigation is required. Where "program" is basically a catch all for OS and applications. Browsers are more critical than most applications because they tend to run rather arbitrary (and in most cases) unsourced and uncontrolled code via JS.

Spectre is pretty brutal because it is going to require fixes all over the place to mitigate the damage. Browsers are just the start. There are a large number of applications out there that have rather generous plug in architectures that are currently vulnerable to Spectre based attacks.
 

coercitiv

Diamond Member
Jan 24, 2014
6,151
11,684
136
Its not just layered defense. Any application that can run 3rd party code is at risk of Spectre based attacks from said code so long as that code can do simple things like get timings for code sections, etc. Bios/OS patches aren't sufficient to prevent that.
I doubt that, if BIOS/OS level is not enough, then any malicious code inside their VM can compromise the entire machine. Either the BIOS/OS patches are necessary and enough, or there is no fix for this and it all depends on the security of the software you are running.
 

Dribble

Platinum Member
Aug 9, 2005
2,076
611
136
Spectre is pretty brutal because it is going to require fixes all over the place to mitigate the damage. Browsers are just the start. There are a large number of applications out there that have rather generous plug in architectures that are currently vulnerable to Spectre based attacks.
Spectre's biggest issue is that it got stuck on the same slide as meltdown despite having nothing to do with it. I bet had it been discovered alone then some minor tweaks to make it a bit harder would have been done and the rest would have got swept under the carpet . As it is the browser makers are going draconian to try prevent it, thing is you can't really stop it you can just make it harder. So they make the timing 4 times less accurate meaning anyone writing a perfectly sensible js app that needed accurate timing is a bit stuffed. They put back all the shared memory stuff to allow better multithreading on js - something pretty important now js is the app not some installed plugin (which no longer work in browsers to improve security).

If web apps were a runner in the Olympics then we've now shortened his legs and broke both his arms just in-case he wanted to have a go at the high jump or shot put. Obviously he's now a pretty terrible runner as well, but at least he won't be high jumping or shot putting.
 

Topweasel

Diamond Member
Oct 19, 2000
5,436
1,654
136
Hi,

is there a new source proving or detailing that and how AMD is affected by Meltdown? I'm only aware of the original paper and of the kernel mailing list discussion, and both are closer to Markfw's statements than to yours. You however said that he is "categorically false", therefore my curiosity.

Thanks!

AMD is not susceptible to Meltdown.

I have posted this before but the gist is this.

Spectre #1. All OoO CPU's are susceptible. All CPU's will need patches and microcode updates if and when they can fix this. This is more of an avenue of exploit than an actual Exploit and the data security issues are minimal.

Spectre #2. All OoO CPU's are susceptible. Most Intel CPU's are universally be able to be attacked the same way. The security issues with this are a little higher but most other CPU's including and especially AMD require each attack to be written specifically for each arch and the potential with their CPU's to get useful information is relatively small as you have to know exactly what the memory address is for the data you are trying to receive (this is why it's near zer). Right now most Spectre patches including ones for AMD are for this.

Meltdown. Only specific archs. This one is the biggest security issue. The archs that are susceptible are so because they ignore security confirmations that other archs are handling fine. A few ARM archs and pretty much every OoO Intel CPU is susceptible. This one can't really be fixed in micro-code, so the OS has to do a lot of work to shield data from this avenue of attack and that adds a decent amount of work. Still mostly only IO work is affected which is felt on the server end. AMD is not susceptible to Meltdown.
 
  • Like
Reactions: IEC

rchunter

Senior member
Feb 26, 2015
933
72
91
I'm thankful most of my boards are due to get bios updates. Except for maybe my Asus X58 board probably won't get it. Will probably have to end up running a hacked bios with that board...
 

Nimrael

Junior Member
Jan 15, 2018
8
1
1
Hello,
There are tons of articles about Meltdown/Spectre issue and about upcoming solutions. As far I understand, it's a CPU (by design) flaw, still it seems "everyone" is working on solution: CPU makers, MB makers, OS makers, Browser makers, etc. And here my confusion starts:
Do we need to apply patches for all hardware and software we use?? I mean, I would assume, that patch for BIOS and OS would be enough to be protected. Now I see Firefox's latest update included patch for Meltdown!? I mean.. it's just a browser, sitting on top of OS (which is already patched). But, if browser need to be patched, what about other stuff we maybe use?
And at the end, after all necessary patches are installed, how will that impact performance? To my eyes it will be like all software is running on CPU emulation.
I hope my writing makes sense to you... To sumarize: how many patches do we need?
Well, the matter of the Spectre/Meltdown is that running locally under the GUEST ACCOUNT malware can get through the flaws ( unauthorized access via speculative execution to the restricted areas of memory pools of other guest accounts or asdmin account) to the memory pools of other users. So, if You are the only account user on Your PC You shouldn't bother about the all three attacks - if Your system will get a malware/virus that will be able to run itself on Your OS - it will have a full memory access to whole Your memory pool without need to exploit these flaws. in other words - these flaws are ONLY affect the computers with the many users, where some users run under the limited/guest accounts - this include different hostings, clouds, datacentres. but, in fact not affect any home PC.
 

Nimrael

Junior Member
Jan 15, 2018
8
1
1
Meltdown. Only specific archs. This one is the biggest security issue. The archs that are susceptible are so because they ignore security confirmations that other archs are handling fine..
Not accurate.
In fact AMD archs also do not bother to check if the speculatively executed memory access request is valid. You can read it in meltdownattack site's document in p.6.4. Threre is a theoretical possibility to configure the attack that way that leakage can be performed also on AMD's archs by one or other way. But in fact AMD's server share in so low, that attacks on AMD hardware is near zero chances.
 

Dribble

Platinum Member
Aug 9, 2005
2,076
611
136
in other words - these flaws are ONLY affect the computers with the many users, where some users run under the limited/guest accounts - this include different hostings, clouds, datacentres. but, in fact not affect any home PC.
Web browsers apps are exactly that - you run the apps in a sandbox with strictly controlled access. People are always going to dodgy web sites and hence running dodgy browser apps - if they can break out of the sandbox using one of these flaws then they can take over their machine. Hence yes it can effect home users.
 
  • Like
Reactions: IEC and scannall