
CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more

Discussion in 'Hardware Components and Aftermarket Upgrades' started by hmscott, Jan 2, 2018.

  1. Raiderman

    Raiderman Notebook Evangelist

    Wow! That's a bombshell! So they were cutting corners when it came to security in order to enhance performance? Ouch!
     
    Last edited by a moderator: Jan 3, 2018
    Huniken, Papusan and ajc9988 like this.
  2. TANWare

    TANWare Just This Side of Senile, I think. Moderator

    For me, and a lot of others, there is no performance issue if there is no security. Now for some devices security may not be an issue, and for those the patch is a non-issue. For my PC, it definitely is an issue.

    Even if developers placed usage access using higher performance and less secure methods, Intel would have been familiar with it for years while not saying a word. This is a familiar tactic of Intel, securing performance advantage over even Bulldozer. Most will look at what this does to current offerings and market share, where this could have been another oppression of competition.

    Assuming a worst case, a 30% drop would mean a 5.2 overclock performing like a 3.66 would today. This would be a major hit to Intel performance, but even a 15% hit would make a 5.2 perform like a 4.4, bringing the playing field much closer. That being said, a 5% hit would hurt but not immediately change the current landscape.
     
    Huniken, Papusan, Dr. AMK and 2 others like this.
  3. bennyg

    bennyg Notebook Deity

    And this right here is the downside of proprietary IP. We all have no option but to trust the competence and honesty of mega corporations to invest money and personnel to find embarrassing bugs in products once released...


    This situation is just like what is ironically called "Phase 4 trials" in therapeutics regulation (ironic because clinical trials only have 3 phases): when released onto the market, you have to monitor a drug if it performs as expected or whether some hidden risk of adverse effect exists, because you can't fully trust the approval procedure
     
    Ashtrix, Papusan, Dr. AMK and 2 others like this.
  4. Mr. Fox

    Mr. Fox Undefiled BGA-Hating Elitist

    I think that's a bit of a reach. (OK, a lot of a reach.) But, it's certainly a strategy that the plaintiff vulture attorneys will likely use as they clamor to make a buck off of litigating this thing. The numbers don't lie. Using the same rationale in the opposite direction one could say the performance will be artificially deflated after patching.

    Edit: That is not meant as a personal thing. I know your background. I have good friends that practice law and I regret not following my parental advice as a young man and becoming an attorney when they offered to pay for it. There are good ones and bad ones, just like there are honest auto mechanics and dishonest auto mechanics.
    We are going to have security holes forever and without end. It automatically comes with technology, and as long as there are evil people in the world that want to exploit holes for dishonorable self-serving purposes it is never, ever, going to stop. It just happens to be Intel that got caught with their pants down this time. Honestly, I'm surprised that it took so long. But, I am sure Micro$loth is more than happy to let them take a beating for it. And, I'm 99.9% sure there is probably an equally huge security issue somewhere in AMD architecture that hasn't been discovered. Not because AMD is bad at what they do, or because Intel is bad at what they do... just because there is always something somewhere. Kind of like how Mac OS X and Linux are less secure than Windows, and they have been for years; but, hacker thieves are not going to waste their time on exploits that represent a single-digit or very low double-digit and statistically irrelevant market share. There's nothing for them to gain by it... too much effort and too little reward for their evil deeds.

    Bingo! That's it. Well said. And, I wonder what kind of tail they are going to pin on the AMD security donkey after the Intel security donkey has been beaten to death, LOL. The notion of security is to computer tech what the notion of the importance of big pharmaceuticals is to the medical science industry... the goose has to keep laying golden eggs squirting golden turds.
     
    Ashtrix, Huniken, Papusan and 2 others like this.
  5. Raiderman

    Raiderman Notebook Evangelist

    It could possibly be as AJC says also. That it was done intentionally to stifle competition, and maintain a performance edge over AMD. I trust every major corporation about as much as I do a sitting congressman, but Intel has been caught before, which makes their track record a little less reputable.
     
    Ashtrix, Papusan and ajc9988 like this.
  6. ajc9988

    ajc9988 Death by a thousand paper cuts

    If you design your predictive branch to pre-fetch without waiting for permissions, you are telling it to ignore permissions and grant access, all which give a speed boost when having to do a kernel reference. That SPECIFICALLY is artificially inflating your numbers by disregarding security protocols that you damn well know your competitor is following. That is anti-competitive and that is why this is so bad!

    Right now, I want to see the benchmarks after the fix comparing every AMD and Intel CPU dating back to the first introduction of this into their predictive branch. That is an FTC matter, not a securities matter. What @hmscott mentioned about the stock sales IS a securities matter (stockholders, not computer security).

    This is about to get REAL good!

    What are you talking about? Congressmen have been caught lying all the time. They sleep in the same bed!!! LOL@

    EDIT: Look at congress's approval ratings!
     
    Ashtrix, Papusan, Falkentyne and 2 others like this.
  7. hmscott

    hmscott Notebook Nobel Laureate


    heads up: Fix for intel hardware bug will lead to performance regressions

    2018-01-02 22:23:54
    https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de
    "Hi,

    Upcoming versions of the linux kernel (and apparently also windows and others), will include a new feature that apparently has been implemented with haste to work around an intel hardware bug.

    https://lwn.net/SubscriberLink/741878/eaff7b24627c41a2/

    The fix, split userland / kernel pagetables, is going to be merged in the next version of the linux kernel and is being backported to older point releases. The backports of a complex invasive new feature signals that this concerns a significant issue.

    There's plenty speculation about details about what exactly the vulnerability is. Don't want to go into that here.

    The fix will unfortunately cause performance regressions. Depending on the hardware version and kernel version (will not be backported for every version) hardware features (PCID / ASID) will be used to reduce the impact.

    pti is the workaround, page table isolation, which can be enabled/disabled via boot parameters. nopcid disables the use of the hardware feature that reduces the impact of workaround. PCID support

    readonly pgbench (tpch-like), 16 clients, i7-6820HQ CPU (skylake):

    pti=off:
    tps = 236629.778328

    pti=on:
    tps = 220791.228297 (~0.93x)

    pti=on, nopcid:
    tps = 198959.801459 (~0.84x)

    To get closer to the worst case, I've also measured:

    pgbench SELECT 1, 16 clients, i7-6820HQ CPU (skylake):

    pti=off:
    tps = 420490.162391

    pti=on:
    tps = 350746.065039 (~0.83x)

    pti=on, nopcid:
    tps = 324269.903152 (~0.77x)

    Note that real-world scenarios probably will see somewhat smaller impact, as this was measured over a loopback unix sockets which'll have smaller overhead itself than proper TCP sockets + actual network.

    The rumor mill has it that details about the vulnerability will be un-embargoed in the next few days.

    Greetings,
    Andres Freund"
     
    ajc9988 and Raiderman like this.
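
Added example (not part of the thread or of the quoted PostgreSQL message): a shell check that sorts a Linux host into the configurations benchmarked above (pti off, pti on with PCID, pti on without PCID). It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` and also treats `nopti` as equivalent to `pti=off`; neither the sysfs path nor `nopti` appears in the post, and the sample inputs are constructed.

```sh
#!/bin/sh
# Classify a host into the configurations benchmarked in the quoted message.
# Inputs: kernel command line, CPU flags, and the kernel's Meltdown status string.

# has_word LIST WORD: succeeds if WORD is a whitespace-separated token of LIST.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# pti_state CMDLINE CPUFLAGS STATUS
# Prints: not-affected | pti-off | pti-on-pcid | pti-on-nopcid | unknown
pti_state() {
    cmdline=$1; flags=$2; status=$3
    case "$status" in "Not affected"*) echo not-affected; return 0 ;; esac
    # The kernel reports "Vulnerable" when isolation is off on an affected CPU.
    case "$status" in Vulnerable*) echo pti-off; return 0 ;; esac
    if has_word "$cmdline" pti=off || has_word "$cmdline" nopti; then
        echo pti-off; return 0
    fi
    case "$status" in
        "Mitigation: PTI"*)
            # PCID only softens the cost if the CPU has it and nopcid is absent.
            if has_word "$flags" pcid && ! has_word "$cmdline" nopcid; then
                echo pti-on-pcid
            else
                echo pti-on-nopcid
            fi ;;
        *) echo unknown ;;  # e.g. kernel too old to expose the sysfs file
    esac
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopcid"
SAMPLE_FLAGS="fpu vme pge pcid sse4_2 pti"
echo "sample: $(pti_state "$SAMPLE_CMDLINE" "$SAMPLE_FLAGS" "Mitigation: PTI")"

# On a Linux host, classify the running system as well.
if [ -r /proc/cmdline ] && [ -r /proc/cpuinfo ]; then
    live_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2 || true)
    live_status=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    echo "live: $(pti_state "$(cat /proc/cmdline)" "$live_flags" "$live_status")"
fi
```

A result of `pti-off` on an affected CPU means the mitigation is not active; `pti-on-nopcid` corresponds to the slowest of the three benchmarked configurations.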
  8. Raiderman

    Raiderman Notebook Evangelist

    LOL, quoted from the Register comments...

    Intel has been the Gold standard in processors, turns out it’s Copper Inside(TM).
     
    James D, Ashtrix, KY_BULLET and 3 others like this.
  9. ajc9988

    ajc9988 Death by a thousand paper cuts

    "The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka ****WIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers."
    https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
     
    alexhawker, Ashtrix, Papusan and 3 others like this.
  10. laserbullet

    laserbullet Notebook Evangelist

    What has me curious is how many future generations this will affect. It wouldn't be surprising if Ice Lake is affected by this.
     
    ajc9988 likes this.