Status of Spectre / Meltdown Fixes

Discussion in 'Hardware' started by Steve S, Oct 8, 2019.

  1. Steve S

    Steve S Pen Pro - Senior Member Super Moderator

    Messages:
    7,519
    Likes Received:
    3,031
    Trophy Points:
    331
    Way back when the Spectre / Meltdown exploits first drew attention, Intel (and MSFT) announced that patches would partially fix the vulnerability, but that these patches would / could have a significant impact on processor speed, like ~15% to ~30% for the then current generation of processors. At that time, Intel went on to say that in approximately two generations, CPUs would have on-die hardware fixes to better address the problem and to restore processor speeds.

    But after the initial flurry of attention, things got a little hazy for me and in recent months I’ve started to wonder where we all are in this extended saga. I remember the early (and seemingly unevenly issued) Intel and MSFT patches, but after that...? Did Microsoft finish making patches to Windows? Or is Intel still working the problem in microcode? If the nature of Spectre was such that it could never be completely addressed without a significant change to the hardware architecture, did Intel ever make those changes?

    As I commented in the forums, my Z Canvas (i7-4770HQ) which I think has had very limited patching, continues to match (maybe occasionally exceed) the performance of my ZBook (i7-8650U) which I think is heavily patched. On paper, the performance advantage should be with the 8650.

    So, with all these questions in mind, I decided to turn to another forum member who seemed to be uniquely qualified to comment, @desertlap . To his credit, desertlap generously provided an extensive set of comments over the course of several PMs. The information deserves to be shared with our TPCR membership at large and desertlap has given his permission to do so. The following comments have been slightly edited to improve the flow and for clarity:
    • The last briefing we had on [Spectre / Meltdown status] was in June. At that time Intel and Microsoft said the issues were still being mitigated by microcode and patches to the OS. The way it was explained…was that to completely fix it would require a major redesign of current chip architecture. The analogy they gave was that of a 4-way traffic intersection with traffic lights. The current [patch] mitigations are essentially traffic cops that will attempt to pull you over if you run the light, but [the patches] can’t catch all the ways you could run the light. From an architecture standpoint, the only way [to fix the problem] with current design would be to put ramps that never cross over [e.g., like a highway interchange?]. The issue is that the extra distance travelled would slow everything down considerably. They made a vague statement about a 2022 time frame for a "clean chip". {Thus the idea that Intel could fix the problem in “two generations” was a tremendous underestimation.]
    I then asked desertlap if he could get an update on the status of the performance penalties for having the current microcode and software patches in place...? A few days later, desertlap responded:
    • As to performance hits, here was what we were told [recently, in general.]. It varies somewhat based on OS with Windows taking the biggest hit, MacOS in the middle and various Linux builds being the least affected. Additionally, multicore multithreaded apps…take the biggest [performance] hit compared to simpler apps [that] primarily use one core:

    Windows 5% - 25%
    MacOS 3% - 18%
    Ubuntu Linux 3% - 10%
    As mentioned above, the only real fix for these exploits is a hardware fix. The software fixes are all only band-aids. 2022 is a long way off...
    • Yes; what [Microsoft] told us was that they [focused on] the easiest to [execute] exploits (especially ones that could be executed remotely) [for patches]. The remaining [unpatched (?) exploits]…require local access to the PC in addition to being an order of magnitude more complex to carry out [hence much less important to worry about.] However, they didn't precisely define [what’s been patched and what hasn’t?].
    • A bit of additional information. It is still looking to be a 2022 time frame for a fully fixed chip at the earliest. Our rep didn't name names, but said they had tested some prototype chips and so far, the performance hit would be unacceptable to most users. They also said it's likely that the first "fixed" chips will…be the ones most likely to be used in data center servers, the idea being that vulnerabilities [in data centers] potentially affect potentially a much larger group of users than exploiting an individual PC. They also mentioned that they are still most focused on any exploit that can be executed remotely versus [exploits that require] physical access.
    • [A] couple of interesting things they also said. One was that it was "a constant game of cat and mouse" and even though the biggest vulnerabilities are thought to be known, they continue to find additional ones. The second thing they said gave me a bit of pause which was that additional mitigations for the flaws have been part of patch Tuesdays for at least the last six months. They didn't elaborate though. I usually read the accompanying documentation with those patches and I can recall only one recently that specifically stated it was a Spectre fix.
    • [They] also reminded me that it wasn't just Intel but [also] AMD on the PC side, [and] to a lesser [extent also] ARM chips. Again, not much elaboration [on the details].
    • [Afterwards,] as I was discussing the meeting…with my group , we started coming up with even more questions and concerns. Specifically [regarding] what you've seen, in theory we should see a sliding scale with newer processors. In other words, an older processor would have more mitigations in Windows versus newer processors having more microcode mitigations. In theory the processor-based mitigations should be faster than Windows-based, but we realized we have no idea if that's true.
     
    sonichedgehog360, JoeS and Marty like this.
  2. Marty

    Marty Pen Pro - Senior Member Senior Member

    Messages:
    3,067
    Likes Received:
    2,603
    Trophy Points:
    231
    Thank you for compiling this, Steve.

    Hmm, situation seems murkier than I thought...good thing we have the intrepid @desertlap to cast some light for us. :thumbsup:
     
  3. Steve S

    Steve S Pen Pro - Senior Member Super Moderator

    Messages:
    7,519
    Likes Received:
    3,031
    Trophy Points:
    331
    Wow. This is a really extensive article on Intel, AMD and the security of their respective processors. At the moment, it looks like AMD has the upper hand ( and perhaps another reason why Microsoft is pushing the Pro X so hard - it's inherently more secure)?

    https://www.tomshardware.com/features/intel-amd-most-secure-processors

    (Courtesy of TomsHardware site)
     
  4. Steve S

    Steve S Pen Pro - Senior Member Super Moderator

    Messages:
    7,519
    Likes Received:
    3,031
    Trophy Points:
    331
Loading...
Similar Threads - Status Spectre Meltdown
  1. kurt corbin
    Replies:
    85
    Views:
    3,506
  2. Marty
    Replies:
    6
    Views:
    2,024

Share This Page