[RndTbl] Horrific CPU flaws (Meltdown / Spectre)

Trevor Cordes trevor at tecnopolis.ca
Thu Jan 4 22:20:25 CST 2018


Latest news:

- Reading the tech docs by Horn I find it incredibly interesting that
  the "Spectre variant #1" problem is basically the same thing as a
  statistical timing on password validation algorithms, much like PHP
  faced when it decided to write its own constant-time password handling
  routines.  So this really isn't a pipeline leak flaw per se, it's
  using timing of a read to determine if an out-of-bounds read was
  cached or not, to determine inaccessible memory a bit at a time.
  Most of the non-tech articles make it sound like Intel made some
  horrible buggy design choice.  But just as no one thought about
  password compare timing attacks 20 years ago, so no one thought about
  timing attacks on the cache subsystem.  I certainly didn't.  These
  attack vectors are getting insanely smart, and now that the timing
  genie is out of the bottle I expect timing flaws to pop up everywhere.

- Looks like Intel is releasing firmware (and patches) that addresses
  the two (actually, three) issues.  Not sure how much it actually
  addresses, or how it's doing it.  Regardless, looks like Intel's
  fixes will trigger the 5-30% performance hit.  They claim future
  updates will "mitigate that impact" through "improvement" (read:
  optimization).  I, for one, am not buying the feel-good press
  releases that make it sound like one fw update and you can ignore
  this issue.  What Intel is doing/saying directly contradicts numerous
  other "firmware can't fix it" reports elsewhere.

- Intel is only releasing updates for products "introduced within the
  past five years", so far.  My take is you won't see much work on
  stuff older than that.  So there goes a ton of systems I manage -- my
  M.O. is to squeeze extra life out of good ECC boxes.  Also, if all
  this new fw is mobo-targeted, this won't help the vast majority of the
  world who has Taiwan-Inc 3rd party mobos.  They will have to release
  new fw, and my guess is Tier-2 Taiwan-Inc aren't going to go back 5
  years like Intel is.

- Will fw fixes cause OS devs to not double-fix the same problems?
  Methinks Linus et al will not tolerate the hw-vendor mantra of "screw
  those with 5+ year old hw".  A best-case scenario would be OS vendors
  completely working around these flaws (if possible) and Intel (et al)
  working to implement complementary microcode tweaks that reduce the
  performance impact.

- Apparently Google has a "chip-level patch" (i.e. microcode?) that
  vastly reduces the performance hit.  They call it "Retpoline".  Not
  sure how that's going to fit into the equation.
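
The password-compare timing analogy from the first bullet, as an added example that is not part of the original post: an early-exit comparison does an amount of work that depends on how much of the guess is correct, while a constant-time comparison does not. The function names and the secret are constructed for illustration, and the count of bytes examined is a deterministic stand-in for the elapsed time that would be measured statistically.

```c
#include <stddef.h>
#include <stdio.h>

#define SECRET_LEN 8
static const char SECRET[] = "hunter2!";   /* constructed sample secret */

/* Early-exit compare: stops at the first mismatch, so *steps (bytes
 * examined, our stand-in for time) reveals the length of the matching prefix. */
int leaky_equal(const char *a, const char *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: always examines all n bytes and folds every
 * difference into one accumulator, so the work is independent of the data. */
int ct_equal(const char *a, const char *b, size_t n, size_t *steps) {
    volatile unsigned char diff = 0;   /* volatile: keep the loop from being short-circuited */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Bytes examined for an 8-byte guess against SECRET under either routine. */
size_t steps_for(const char *guess, int constant_time) {
    size_t s;
    if (constant_time) ct_equal(SECRET, guess, SECRET_LEN, &s);
    else               leaky_equal(SECRET, guess, SECRET_LEN, &s);
    return s;
}

int main(void) {
    const char *guesses[] = { "aaaaaaaa", "huaaaaaa", "hunteaaa", "hunter2!" };
    for (size_t i = 0; i < 4; i++)
        printf("%s  leaky=%zu  ct=%zu\n", guesses[i],
               steps_for(guesses[i], 0), steps_for(guesses[i], 1));
    return 0;
}
```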

