
Meltdown & Spectre potpourri

More articles on MeltdownPrime & SpectrePrime

1. Gizmodo: Researchers Find New Ways to Exploit Meltdown and Spectre Vulnerabilities in Modern CPUs

2. Engadget: Researchers discover new ways to abuse Meltdown and Spectre flaws

3. TechRadar: New Meltdown and Spectre exploits have been built, but aren’t in the wild… yet

New Meltdown and Spectre exploits have been built, but aren’t in the wild… yet

[...]

Before we get too carried away with the potential dangers here, it’s important to clarify that no code for these exploits has been released, so there’s no imminent risk. That said, if the good guys have cooked up a successful exploit, the bad guys out there may well be on the brink of doing so as well.

The other positive point is that the current patches underway for Meltdown and Spectre are likely to protect against these (and other potential) exploits. Of course, we’re still waiting for an official patch from Intel, with only Skylake machines having received a revamped Spectre patch (following stability issues with the previous fix) last week.

What’s more worrying, however, is that the researchers suggest that processor manufacturers might be in trouble when it comes to making hardware changes to try to guarantee immunity from these flaws going forward.

In other words, these issues are so deeply embedded in the silicon of contemporary processors, that getting rid of them completely – and covering all bases of all potential exploits therein – may be extremely difficult.

[...]
 
Tom's Hardware: Intel Completes Spectre Fixes For Skylake, Kaby Lake, And Coffee Lake CPUs

It’s been another week, and Intel has another update on its buggy Spectre microcode patch for us. And it’s good news, because Intel has completed the fixed version of its patch for 6th-gen (Skylake, 100 series chipsets), 7th-gen (Kaby Lake, 200 series chipsets), and 8th-gen (Coffee Lake, 300 series chipsets) CPUs. This includes Skylake-X and Kaby Lake-X (X299 chipset) CPUs, as well. Intel has updated its microcode update schedule accordingly. A previous version of this document leaked some details on two of the company’s next-generation Cannon Lake CPUs, which apparently also need microcode fixes for Spectre.

[...]
 
The Register: Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

Thinking about Spectre & Meltdown and how they impact SGX is not new. But, there is a little more discussion on the implications, mitigations, and what is to come.

[...]

The speculative execution flaws revealed in January, however, jeopardize SGX's security boundaries, as demonstrated in the video below. As is to be expected, exploiting the chip-level vulnerabilities requires local access: a miscreant must be able to log in, or malware must be running in order to leverage the design blunder to attack an SGX enclave.

The researchers – professors Yinqian Zhang, Zhiqiang Lin, and Ten Lai, plus students Guoxing Chen, Sanchuan Chen, and Yuan Xiao – hail from Ohio State University in the USA. They've dubbed their enclave-sniffing technique SgxPectre, and noted on GitHub: “Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”

[...]

Enclave code built using the Intel SGX SDK, Rust-SGX, Graphene-SGX, or similar runtime libraries, are vulnerable, we're told. These development kits include code patterns that can be exploited via SgxPectre to work out what lies within an enclave's secret memory.

[...]

There is a fix: Intel's microcode update that introduced indirect branch restricted speculation (IBRS), which flushes the branch prediction history at the enclave boundary.

However, an evil sysadmin at, for example, a cloud provider could revert the patch, and “there is no means for the enclave code to reliably detect if IBRS is enabled.” This means enclave code running on a remote cloud machine can be snooped on by BOFHs, when the whole point of SGX is to securely run code on a faraway box.

The other microcode mitigations, Single Thread Indirect Branch Predictors (STIBP), and Indirect Branch Predictor Barrier (IBPB), have the same problem, that they mitigate speculative execution, but the enclave can't detect whether or not they're present. Thus, these defenses can be removed from a remote machine, defeating the purpose of the technology.

The Retpoline software-only mitigations don't protect SGX against SgxPectre, the researchers said. Intel is aware of their work, we're told.

[...]
 
SGX, hmm. UHD support on z170 spectre vulnerable systems? :p
 
DISCLAIMER: If you don't know what you are doing then stop reading. I take zero responsibility for people blindly doing things and possibly having issues.

Hmmm...

Betanews: Microsoft details steps being taken to address Spectre and Meltdown vulnerabilities

[...]

John Cable, Director of Program Management, Windows Servicing and Delivery, explains that Windows devices need both software and firmware updates in order to protect them against the Spectre and Meltdown vulnerabilities, and Microsoft is working to provide updates for all supported Windows editions. You can check the situation here.

Cable also says that while "firmware (microcode) security updates are not yet broadly available, Intel recently announced that they have completed their validations and started to release microcode for newer CPU platforms." Starting today, Microsoft will begin to make Intel microcode updates for some Skylake devices available for the Windows 10 Fall Creators Update (the most broadly installed version of Windows 10). These are available through the Microsoft Update Catalog, KB4090007.

Further Intel microcode updates will be released as and when they become available. Microsoft says it will "continue to work with chipset and device makers as they offer more vulnerability mitigations."

It also advises Windows 10 users to update their systems to the Fall Creators Update, if they haven’t already done so.

I really need more details and info on this. It's a manual download. I won't be blindly jumping on board. I'd rather wait on ASUS to release a newer BIOS update.
 
Right, ain't jumpin the gun this time. I'll wait a few weeks until that update hits my system AND a new BIOS is available.
 

This is a far better article that answers a question that I had.

Ars Technica:

Intel’s latest set of Spectre microcode fixes is coming to a Windows update
Windows users will no longer be beholden to their motherboard makers.

[...]

Microcode updates have two main distribution channels. The first is system firmware; the firmware can update the processor during system boot. The value this has is that it's independent of the operating system, and it ensures that the system is always using the current microcode when it's in use. The downside is that many vendors do not provide firmware updates for systems more than a few years old, and even when firmware updates are available, they typically need to be manually hunted down and installed.

The second route to distribution is through the operating system installing new microcode. Windows has microcode drivers for Intel and AMD processors and will update their microcode when it starts up. These drivers are periodically updated to include the latest microcodes. For reasons that aren't entirely clear, Microsoft hasn't been offering the latest Intel microcode updates through its driver, leaving the firmware the only option.

[...]

I was not aware of the second distribution channel for microcode updates via the OS.

 
Spying on enclaves...... lol

I'm building new pc in 3 weeks. Not sure if I should hold out till things calm down
 

KB4090007 is confusingly named in the Windows Catalog: Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB4090007). The knowledge base info on Microsoft Support shows it as KB4090007: Intel microcode updates. The Windows Catalog entry name is vague and the KB entry is explicit.

On the plus side KB4090007 can be uninstalled.

Install Resources:

Restart behavior: Can request restart
May request user input: No
Must be installed exclusively: No
Requires network connectivity: No
Uninstall Notes:
This software update can be removed by selecting View installed updates in the Programs and Features Control Panel.
Uninstall Steps: n/a
 
PC World: Intel quietly releases Spectre fixes for Haswell and Broadwell CPUs

The fixed Spectre fixes are coming fast and furious now. Intel quietly pushed CPU firmware updates out for Haswell (4th-generation) and Broadwell (5th-generation) processors earlier this week, following in the footsteps of recent microcode patches for Skylake (6th-gen), Kaby Lake (7th-gen), and Coffee Lake (8th-gen) processors.

The Broadwell and Haswell patches were designated as “in production” in Intel’s recent microcode update guidance, as Tom’s Hardware first noticed. Intel did not publish a blog post heralding their release. The company’s roadmap shows that it plans to issue fixes for processors all the way back to the decade-old Nehalem and Penryn generations.

[...]

Don’t expect to see the updates immediately. They need to trickle down through hardware suppliers like Dell, HP, Lenovo, and Asus in the form of motherboard BIOS updates; you can’t grab it directly from Intel. If you own a laptop or prebuilt PC from a major manufacturer, keep an eye out for an available update. It’s trickier if you built your own PC, so we published a guide on how to find Spectre CPU fixes for DIY computers.

Be warned: The Spectre CPU firmware updates will affect your PC’s performance, though it varies wildly depending on your hardware, operating system, and tasks at hand. In general, expect processors older than Skylake to suffer a larger performance hit, especially if you’re on Windows 7 or 8. We’ve tested the Spectre fix’s performance impact on a newer Surface Book as well as a 5th-gen Broadwell laptop. We’ve also explained how to test how much Spectre and Meltdown hurt your PC’s performance, since it differs so much from system to system.

[...]
 
Decided to take the plunge and give Microsoft's KB4090007 CPU microcode update a shot. I still have not installed the ASUS BIOS update for my motherboard so the difference in these benchmarks is all about KB4090007.

Before installing KB4090007: Note that the pre-update results date back to January 8, 2018.

Drive C (boot drive)

Sequential (MB/s) Read/Write: 542 / 512
Random (IOPS) Read/Write: 86,838 / 76,892

Drive P

Sequential (MB/s) Read/Write: 551 / 523
Random (IOPS) Read/Write: 93,854 / 77,524

After installing KB4090007: 2018-03-08

Drive C (boot drive)

Sequential (MB/s) Read/Write: 542 / 509
Random (IOPS) Read/Write: 52,001 / 45,898

Drive P

Sequential (MB/s) Read/Write: 552 / 522
Random (IOPS) Read/Write: 53,466 / 47,119

Summation: IOPS took a noticeable hit as has been predicted/expected from mitigations since all of this began.

Btw, GRC has continued to update InSpectre with the latest version being released March 7, 2018: https://www.grc.com/inspectre.htm

  • Release #7 — Added the display of the system's CPUID . . .
    Microsoft will be making Intel (and perhaps AMD?) processor microcode patches available for the most persistent Spectre Variant 2 vulnerability. These will become available over time as they become available from Intel and they will apparently need to be manually installed by interested Windows users. It is not yet clear whether Microsoft will be willing or interested in making these patches available for earlier versions of its Windows operating systems, but we can hope.

    The patches are applicable to specific CPU models only, which are identified by each chip's “CPUID.” For this reason, InSpectre now prominently displays the system's processor CPUID at the top of its system summary.

    Please check this page on Microsoft's website to see whether a microcode patch for your CPU, determined by its CPUID, is available at any time:

    KB4090007: Intel microcode updates

    You can also use your favorite Internet search engine to search for the string “KB4090007” which should always take you to that page and to its related Microsoft Update Catalog page to obtain the specific Windows update.
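
The CPUID matching described in the release note above, as an added example that is not part of the original post, of InSpectre, or of KB4090007: it packs the family/model/stepping values from a Windows-style processor identifier string into the CPUID signature that such lists are keyed on. The identifier format and the `SAMPLE_LIST` contents are assumptions constructed for illustration; the real list is on the KB page.

```python
import re

# Assumed input: the processor identifier string Windows exposes, e.g. in the
# PROCESSOR_IDENTIFIER environment variable.
_IDENT = re.compile(r"Family (\d+) Model (\d+) Stepping (\d+)")

def cpuid_signature(family, model, stepping):
    """Pack display family/model/stepping into the CPUID leaf 1 EAX layout."""
    if not (0 <= stepping <= 0xF and 0 <= model <= 0xFF
            and 0 <= family <= 0xF + 0xFF):
        raise ValueError("field out of range")
    base_family = min(family, 0xF)
    ext_family = family - base_family      # non-zero only when family > 15
    if family == 6 or family >= 0xF:
        # Only these families carry an extended model nibble.
        ext_model, base_model = model >> 4, model & 0xF
    elif model > 0xF:
        raise ValueError("extended model is not defined for this family")
    else:
        ext_model, base_model = 0, model
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)

def parse_identifier(identifier):
    """Return the CPUID signature encoded in an identifier string."""
    m = _IDENT.search(identifier)
    if m is None:
        raise ValueError("unrecognised identifier: %r" % identifier)
    return cpuid_signature(*map(int, m.groups()))

def microcode_listed(identifier, listed_cpuids):
    """True if this CPU's signature is in a list of CPUID hex strings."""
    wanted = {int(c, 16) for c in listed_cpuids}
    return parse_identifier(identifier) in wanted

# Constructed sample list, NOT the contents of KB4090007.
SAMPLE_LIST = {"506E3", "906e9"}

if __name__ == "__main__":
    for ident in ("Intel64 Family 6 Model 94 Stepping 3, GenuineIntel",
                  "Intel64 Family 6 Model 60 Stepping 3, GenuineIntel"):
        print("%s -> CPUID %05X, listed: %s" % (
            ident, parse_identifier(ident),
            microcode_listed(ident, SAMPLE_LIST)))
```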
 
I'm actually thinking of getting myself a PCI-E SSD for CloneBD processing. Should be faster than a normal one to counteract that IOPS drop. The only question i have, is do i have enough "free" lanes. I know the non X-Series (standard k/non-k) versions have a significantly lower number of lanes available. With our shared MB, maybe you can answer that. ALL 8 of the sata ports are occupied. When i first built the system i was informed that i couldn't use an M.2 drive because of the "shared" lanes with the first 2 sata ports (somethin about sata-express i think in the manual).

would this affect pci-e lanes from a pci-e socket too? (i'm specifically thinking about getting an m.2 drive in a pci-e adapter, or at worst a straight up PCI-E ssd)
 
Doing a super quick search the i7 6700K supports 16 PCI-E lanes (https://ark.intel.com/products/88195/Intel-Core-i7-6700K-Processor-8M-Cache-up-to-4_20-GHz?q=6700k). Z170 supports 20 PCI-E lanes (https://ark.intel.com/products/90591/Intel-GL82Z170-PCH).

I definitely can't answer the specifics of the question because I really haven't looked into any of the PCI-e SSD, M.2, Optane, etc stuff. That type of storage is still not in my gameplan at the present time. I do believe your mobo will be similar, as you noted, that in order to use the M.2 then you can't use the SATA Express ports. I believe that's how it works.
 
That I can't use the sata-e ones is no biggy. Just want to know if an (m.2) ssd via pci-e slot itself will work.

 
For the heck of it I disabled the Microsoft Spectre protection via InSpectre to benchmark my boot drive just to see the difference.

Drive C (boot drive)

Sequential (MB/s) Read/Write: 543 / 510
Random (IOPS) Read/Write: 80,810 / 69,335

Just a slight difference in IOPS. :rolleyes:
 
That I can't use the sata-e ones is no biggy. Just want to know if an (m.2) ssd via pci-e slot itself will work.

That one you'll have to do some research on. Above my pay grade and I have absolutely no idea. :p Obviously, you will have to take into account which slot you will place the drive into which may impact other PCI-e slot speeds, etc. Too much research for my brain right now, and I wouldn't retain even a fraction of the information if I read it.
 
I see Intel getting slammed, wonder if AMD is getting hard drive hits as well. I've got 2600 bucks in my hand and ready to build pc. Still sitting on the fence.
 