IMPORTANT SECURITY UPDATE!

Discussion in 'Sager and Clevo' started by Prema, Nov 30, 2017.

  1. Prema

    Prema Little BIOS Mod

    We have been testing the new Spectre microcodes (SKL, KBL, KBL-R) since the holidays in order to ensure that performance doesn't degrade without also deploying their OS counterparts...

    This is with the new code but without OS patch:

    http://forum.notebookreview.com/threads/clevo-overclockers-lounge.788975/page-1493#post-10658449

    As for TPM fixes: the update procedure is a bit more complicated, because if the end user doesn't manually clear existing keys before the update, the old vulnerable keys will migrate to the new firmware and get stuck in the TPM for good:

    https://twitter.com/PremaMod/status/934494571857190912
     
    Last edited: Jan 5, 2018
    Ashtrix, ajc9988, Papusan and 5 others like this.
  2. hmscott

    hmscott Notebook Nobel Laureate

    There are indeed uses where the performance hits will be higher:

    This is bad: performance hit from PTI on the du -s benchmark on an AMD EPYC 7601 is 49%.
    https://twitter.com/grsecurity/status/947439275460702208

    The more intense the % of use hits the PTI overhead, the worse the performance penalty of an operation overall.

    Of course that Intel-only bug won't affect AMD CPUs now that the PTI patch is turned off for Linux. :)

    heads up: Fix for intel hardware bug will lead to performance regressions
    7%-23% transaction performance penalties for Postgres with PTI patch.

    https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de

    Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes
    https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2

    Further Analyzing The Intel CPU "x86 PTI Issue" On More Systems
    https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1

    Under real workloads, guest VMs running PTI patches on top of hosts running PTI patches with high syscall + interrupt - IO workloads will see greater hits to performance. On heavily subscribed VM servers this could require reducing resource allocations per VM and redistributing loads across more servers - costing $$$.

    It should be interesting to see how this plays out as user VMs are restarted... coming soon. With many overloaded guest VMs / host servers playing on the edge of load, this will likely require pushing off VMs onto other (new) servers.

    "Messing around" with benchmarks on gaming laptops isn't one of the use cases with much impact - interactive performance would be affected more than side by side benchmarks of single threaded non-IO-intensive benchmark or gaming comparisons, so there likely won't be much of a hit on what the typical NBR benchmarker / gamer comes across. :)

    Update: It looks like performance hits against VMs are already being seen now that the instances have been restarted:

    Degraded performance after forced reboot due to AWS instance maintenance
    https://forums.aws.amazon.com/thread.jspa?threadID=269858

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted by: miljesse2 Posted on: Jan 4, 2018 1:58 PM in response to: ajnaware

    It was around 4 AM (UTC) last night that we started seeing problems. I have 2 c3.large (PV) instances behind an ELB, both of them were peaking at most 50% CPU usage (over 1 hour) at peak hours, now I'm having spikes of 83% (over 1 hour!) so they've been close to 100% many times. The load averages (from 'top') they are reporting have been past 10 multiple times!
    Needless to say they're pretty sluggish to even access.

    Is there going to be any relief? There's no larger instance type for these AMIs.

    I also have multiple m1.small instances (for development mostly), they're nearly unusable.

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted by: ramj Posted on: Jan 4, 2018 9:08 PM in response to: ajnaware

    We were hit by this issue and saw a 50% spike in some of our i3 nodes. And we can almost see the spikes happen in waves across different AZs. Maybe they correlate with when the patches were being applied.

    Do we know if AWS is done patching all their nodes, or is there still more to come?

    Re: Degraded performance after forced reboot due to AWS instance maintenance
    Posted on: Jan 4, 2018 9:30 PM in response to: ramj

    I thought we were the only one to have this issue and trying to fix and re-look at our DB queries, etc.
    Our CPU load has gone up 10 times and hovering at around 100% all the time.

    We have r4.2xlarge - Instance ID : XXXX

    Can Amazon team pls take a look and help us out?

    Degraded performance on Amazon Linux instances
    https://forums.aws.amazon.com/thread.jspa?threadID=270729&tstart=0

    Instance high load and SSH console hanging - not created by user processes
    https://forums.aws.amazon.com/thread.jspa?threadID=270635&tstart=0

    r4.2xlarge - Very high CPU usage/load average
    https://forums.aws.amazon.com/thread.jspa?threadID=270766&tstart=0

    This is the catastrophe part for some beginning now...

    Update 2: Ongoing update followups in this thread:
    http://forum.notebookreview.com/thr...up-to-30-percent.812424/page-22#post-10658883
     
    Last edited: Jan 5, 2018
    ajc9988, steberg and Vasudev like this.
  3. Mangix

    Mangix Notebook Enthusiast

    @hmscott PTI is worthless on AMD processors as they are not vulnerable to Meltdown. AMD recently pushed a microcode update that fixes one part of Spectre (it's two related issues).
     
    Vasudev, ajc9988 and hmscott like this.
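
Added example, not part of the thread or any poster's code: on Linux 4.15 and later (and kernels carrying the backport), the kernel publishes its own verdict on Meltdown and Spectre under `/sys/devices/system/cpu/vulnerabilities`, which makes the PTI and "AMD is not affected by Meltdown" points from the two posts above checkable on a given machine. The sample status strings and the helper names `classify_status`, `report_vulnerabilities` and `make_sample_dir` are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize the kernel's CPU vulnerability report.

classify_status() {
    # Map one sysfs status line to a short verdict.
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

report_vulnerabilities() {
    # $1: directory to read; defaults to the real sysfs location.
    # Returns 0 = nothing vulnerable, 1 = at least one vulnerable entry,
    #         2 = the kernel exposes no report (older kernel).
    _dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$_dir" ] || { echo "no-sysfs-report"; return 2; }
    _worst=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _line=$(cat "$_f")
        _verdict=$(classify_status "$_line")
        printf '%-12s %-13s %s\n' "$(basename "$_f")" "$_verdict" "$_line"
        if [ "$_verdict" = "vulnerable" ]; then _worst=1; fi
    done
    return "$_worst"
}

make_sample_dir() {
    # Constructed sample: an Intel system with PTI on and no Spectre v1 fix.
    _d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$_d/meltdown"
    printf 'Vulnerable\n' > "$_d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$_d/spectre_v2"
    echo "$_d"
}

# Demonstration on the constructed sample (runs offline).
sample=$(make_sample_dir)
report_vulnerabilities "$sample" || true
rm -rf "$sample"
```

On a live system, call `report_vulnerabilities` with no argument; an AMD CPU reports `Not affected` for `meltdown`, which is why PTI is left off there.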
  4. Midas Touch

    Midas Touch BGA Loving Enthusiast

    Wish we had something like this for MSI owners.
     
  5. Prema

    Prema Little BIOS Mod

    Last edited: Jan 7, 2018
    ajc9988, KY_BULLET, Vasudev and 2 others like this.
  6. Ci5co

    Ci5co Newbie

    I have a Clevo P650HS-G with original BIOS Version 1.05.01 (12/02/2016). I'm not receiving any new updates from Clevo anymore. So I was planning to update them using the drivers (no BIOS or unsupported internal components) from the P8xxTMxG.
    I have ME updated to 11.7.0.1045 (03/10/2017) so I'm getting that I have a vulnerable system. Based on the first post, I should update that version to 11.7.0.1058 but there is a newer version already, 11.7.0.1065, and I was doubting which one to go with.
    I just read on the previous page that your tool automatically checks the system and then it should work successfully. But sincerely, I wanted to be sure before proceeding. I read that another user said your tool worked for the "Clevo P651HS-G" but it doesn't say anything about the version of the BIOS.
    Besides, today I received the update from Windows, KB4056892, so I was also doubting what to apply first from all the things.

    Thanks for your help and time.

     
    Vasudev and hmscott like this.
  7. Prema

    Prema Little BIOS Mod

    The ME driver version doesn't matter in order to update the ME firmware with the patch from the OP.
     
  8. Ci5co

    Ci5co Newbie

    So... I understand I just run your tool. Or did you mean that I'm completely unable to update?
     
    hmscott and Vasudev like this.
  9. Prema

    Prema Little BIOS Mod

    Just run it! :)
     
    t456, steberg, Ci5co and 3 others like this.
  10. raiden87

    raiden87 Notebook Consultant

    Hi Prema, is there a way to update the new microcode (fixing variant 2 of Spectre) to our Clevos via your BIOS?
     
    hmscott and Vasudev like this.