Meltdown & Spectre potpourri

I read about this yesterday but was too busy to get around to posting. Some sad humour.

• Bleeping Computer: Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs

• Tom's Hardware: Intel's Incomplete Documentation Leads To Insecure Debugging Interface (Updated)

This relates to CVE-2018-8897:

• Mitre CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897
• Microsoft Security TechCenter: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897

 

• Neowin: Spectre variant 2 mitigation now available for the Windows 10 April 2018 Update
• Microsoft Support: KB4100347: Intel microcode updates
• Windows Update Catalog: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4100347

For those with supported CPUs but can't update the BIOS for their motherboards. Refer to the support page for supported CPUs, of course.

 

"And the hits keep on coming."

This news started rolling out in the last few days.

Mitre CVE: CVE-2018-3639 - Speculative Store Bypass (SSB) - also known as Variant 4

• C|net: Google, Microsoft find another Spectre, Meltdown flaw
• Bleeping Computer: Google and Microsoft Reveal New Spectre Attack
• MacRumors: Intel Discloses New 'Variant 4' Spectre-Like Vulnerability

From the MacRumors article:

Edit: This may or may not be related to a previously disclosed newer vulnerability. I'm losing track at this point.

 

Does this mean more performance hits in I/O for intel?. Already took 18% hit

 

The mitigation added in the firmware update will be defaulted to off. Yes, when enabled it WILL hurt performance. Again. When the mitigation is turned off there is no hit.

 

Also from the MacRumors article:

In essence, if you already have prior Meltdown & Spectre mitigations via BIOS updates and OS updates then it is addressed... mostly. According to Intel. However, they are going to release a full mitigation but since it'll hand everyone yet another performance hit they are making it optional... for now until the other shoe drops.

 

Ars Technica: New speculative-execution vulnerability strikes AMD, ARM, and Intel

At least it's not just Intel. Nonetheless, this is getting old.

 

@DrinkLyeAndDie after Intel and others have completed their analysis of the hardware issues do you think we will be required to get a new computer or will replacement boards be available? Thanks for your vigilance and reporting on this saga.

 

Required? Definitely not. With the bios updates (microcode patches) and the ones in the OS itself your adequately protected. Intel is working on a revised CPU architecture that will have hardwired protection. Just don't know if that's going to be in the 8th gen Core i processors or the 9th.

Sent from my Nexus 6P with Tapatalk

 

This is actually a complicated answer. It's not simply a yes or no question. It depends on the application of the system in question and how dangerous having the vulnerability is on the system. Is it a business machine (ie banking) or simply a home user? Who has more to lose and what will the repercussions be?

I doubt it will happen for numerous reasons but I'd love to see re-designs that protect against such vulnerabilities that would still fit the same socket and be usable in existing motherboards. IOW, I'd like to see a new protected LGA 1151 CPU that can actually be used in my Z170 motherboard. I am currently running a Skylake 6700K which the Z170 is targeted at but if I wanted I could run a Kaby Lake 7700K which is also LGA 1151 but I can't run a Coffee Lake 8700K which is also LGA 1151. I seriously doubt that any redesigns even if they are LGA 1151 will work in older motherboards like the Z170. Thanks, Intel. If I am wrong then I'll be happy and amazed but, wow, will I be shocked. It's the right thing to do but since when does that matter?

 

Thanks for the advice DrinklyeAndDie and Ch3vr0n

 

Haven't seen this discussed elsewhere but I found it interesting. This relates to the AMD Epyc processors.

The Register: Researchers crack open AMD's server VM encryption

 

ThreatPost: Intel’s ‘Virtual Fences’ Spectre Fix Won’t Protect Against Variant 4

 

Lenovo now have a web page about upcoming variant 4 and variant 3a mitigation for their PCs.
https://support.lenovo.com/gb/en/product_security/ps500167

 

Built intel8700k did some 4k tests. Thru-put is 920mb/s read and write on 2 500g blue wd ssd m2 n raid 0. So these patches have no effect on my max hero x and Intel 8700k chip. Glad I went Intel. Fast pc for 4k ripping. I'm in heaven now

 

Phoronix: CVE-2018-3665: Lazy State Save/Restore As The Latest CPU Speculative Execution Issue

The Register: Intel chip flaw: Math unit may spill crypto secrets to apps – modern Linux, Windows, BSDs immune

The Hacker News: New 'Lazy FP State Restore' Vulnerability Found in All Modern Intel CPUs
Mitre CVE: CVE-2018-3665
Bleeping Computer: New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs

 

Fudzilla: Intel warns of lazy FP state restoration

 

Interesting reading. This could definitely make for a brighter future in chip design.

arXiv - Cornell University Library: SafeSpec: Banishing the Spectre of a Meltdown with Leakage-Free Speculation

The Register: Boffins offer to make speculative execution great again with Spectre-Meltdown CPU fix

 

This has been talked about for a few days...

Ars Technica: Hyperthreading under scrutiny with new TLBleed crypto key leak

 

Yet your user name commands us to commit suicide in one of the most horrific ways possible.

Just seemed ironic.