Intel FUBAR ... again - Kernel memory leak in nearly every Intel CPU of the last decade (Spectre hits everyone, Meltdown still Intel exclusive)

@catsay:

Our near-term focus is on delivering high quality mitigations to protect our customers’ infrastructure from these exploits. We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year.

(Gotta wonder if they mean to tackle both at the same time, and whether that is an inclusive ‘and’, but still.
Following on: does this imply ‘more lead time’, does this mean ‘we’ll be fixing the easy stuff this year’, or is this actually possible with them having enough money to throw at the problem?)

1 Like

I don’t think that is true. They would have to scrap a full generation and once again rush like crazy to get something launched.

1 Like

Well, it depends on what all those bolded words mean – does it mean they’ll be launching something that addresses meltdown as low-hanging fruit, spectre down the road? Does it mean ‘1 consumer part to come this year’? All? Etc.
And it depends on how long they’ve been working on this internally, without acknowledging it…

That would be around half a year now. :wink:
But you’re right of course, it doesn’t mean anything really. Just blah …

I found this funny:

I’ve assigned some of the very best minds at Intel to work through this and we’re making progress.

The other half of our very best minds works in PR…

Never underestimate Intel.
They have the budget, knowledge, tech and tooling to do that if they want to.

For all I know Intel Skunkworks probably already made a fix to parts of the issue X years ago which then got nixed and mothballed instead.

Like I said somewhere earlier in this thread.

Intel will focus on security like madmen in order to come out on top and claim the high ground.
Loudly claiming once again to have the most secure processors in the world.

And I’m saying this as a long time AMD user.

Intel is an unstoppable technological industrial force if it wants to be.
They have the majority of the best paid engineers in the microprocessor industry.
And Intel Management will work them to death to save their own asses.

1 Like

Intel certainly has a ton of resources. They have really good people, tons of money and their own fabs. I think what they mean with “later this year” is that CPUs will ship with the microcode updates from the factory. But you never know, they might spend a ton of resources and produce something more substantial. It will be interesting for sure. I need more popcorn. And beer, lots more beer.

Addendum: I get that they probably can fix Meltdown (variant 3) in silicon relatively easily but it is rather hard/impractical to fix it in microcode (I’ve had some details explained to me, I almost feel smart now lol). Spectre 2 (branch predict) is probably trickier, but maybe they’ll just add a PCID tag in the branch predictor cache? Spectre Variant 1 (bounds check) I have no clue how they would fix in silicon. But I’m far from a CPU designer, just some idiot on the internets.

3 Likes

They still risk current sales as I am sure most people will hold off buying anything until these ship.

Love that spectre is front and centre in their speech and meltdown is an aside.

I don’t think most people know about this or care about it. Security is boring and a bother to most people.

All the money spent on marketing agents, well spent right? Probably included speech writing, extra media training etc. I want more beer now.

Does anyone or @wendell know if the update for Windows is enough, or do we need a BIOS update to safeguard against Meltdown?

I.e., it seems manufacturers are not updating the BIOS of boards from the last generation, so is this a big hole in our security?

1 Like

Yup - you need a CPU microcode update for sure. X99 is exposed last I checked…

Also, FreeBSD hasn’t been patched last I looked and that means FreeNAS too :flushed:

Well that is the question. Is the microcode in the Windows update? Anyone know?

It’s too unstable. Eventually it might be. Red Hat rolled back their microcode bundle because of side effects on some hardware combinations and MS is doing the same. So best bet right now is a BIOS or UEFI update from the hw vendor.

1 Like

Nothing as of yet, other than OS mitigations. Eyes peeled.

1 Like
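Since the thread keeps asking whether the OS patch alone covers you, here is an added check script (not from any poster, not Intel's or Microsoft's tooling) that reads what the Linux kernel itself reports: the per-issue files under `/sys/devices/system/cpu/vulnerabilities` and the loaded microcode revision from `/proc/cpuinfo`. It builds a constructed sample tree modelling a host with kernel patches but the old microcode, so it runs offline; point `VULN_DIR`/`CPUINFO` at the real paths on a live box.

```shell
#!/bin/sh
# Added example: summarise kernel-reported mitigation state for
# Meltdown / Spectre v1 / Spectre v2 plus the running microcode revision.

# Constructed sample data (not captured from a real machine) so the
# script is self-contained. Real paths on Linux 4.15+:
#   VULN_DIR=/sys/devices/system/cpu/vulnerabilities  CPUINFO=/proc/cpuinfo
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/vulnerabilities"
printf 'Mitigation: PTI\n' > "$SAMPLE_DIR/vulnerabilities/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE_DIR/vulnerabilities/spectre_v1"
printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$SAMPLE_DIR/vulnerabilities/spectre_v2"
printf 'microcode\t: 0x3b\n' > "$SAMPLE_DIR/cpuinfo"
VULN_DIR=${VULN_DIR:-$SAMPLE_DIR/vulnerabilities}
CPUINFO=${CPUINFO:-$SAMPLE_DIR/cpuinfo}

# Print one line per issue. Returns 0 only when every issue reads
# "Mitigation: ..." or "Not affected"; a "Vulnerable" entry or a missing
# file (kernel too old to report at all) returns 1.
mitigation_status() {
    dir=$1
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            echo "$v: unknown (no sysfs entry; kernel predates reporting)"
            rc=1
            continue
        fi
        state=$(cat "$f")
        echo "$v: $state"
        case "$state" in
            Mitigation:*|"Not affected") ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Microcode revision of the first CPU as the kernel loaded it; compare
# this against the vendor's advisory to see whether the BIOS/UEFI or
# early-boot microcode update actually took effect.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$1"
}

mitigation_status "$VULN_DIR" || echo "-> at least one issue still unmitigated"
echo "microcode revision: $(microcode_revision "$CPUINFO")"
```

In the sample, Meltdown shows `Mitigation: PTI` from the kernel patch alone while Spectre v2 still reads `Vulnerable`, which is the split the thread is circling around.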

Further to @wendell’s advice, manufacturers such as Asus are also providing some info on this (see the graphic in the attached link):

https://www.asus.com/support/FAQ/1035291

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

That said, we are all in a holding pattern till Intel says otherwise… sorta?

Assuming your FreeNAS/pfSense box only runs your own trusted code on bare metal hardware this should be of little concern.

If you have VMs on there being accessed by others, then of course a different security model applies.

Intel is supplementing that guidance to include two new resources provided today by Microsoft:
For most users – An automatic update available via the Microsoft® Update Catalog which disables ‘Spectre’ variant 2 (CVE 2017-5715) mitigations without a BIOS update. This update supports Windows 7 (SP1), Windows 8.1, and all versions of Windows 10 - client and server

As of 27th Jan
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Not very Linux friendly…

Also - they confirm that a new microcode fix is ‘under way’…

Both of these options eliminate the risk of reboot or other unpredictable system behavior associated with the original microcode update and retain mitigations for ‘Spectre’ variant 1 and ‘Meltdown’ variant 3 until new microcode can be loaded on the system.

For those concerned about system stability while we finalize these updated solutions, earlier this week we advised that we were working with our OEM partners to provide BIOS updates using previous versions of microcode not exhibiting these issues, but that also removed the mitigations for ‘Spectre’ variant 2 (CVE 2017-5715).

1 Like

Well if the microcode (or whatever the fix is) is ONLY in the BIOS updates, then it might be worth covering in The News that some manufacturers aren’t (or at least haven’t yet) adding BIOS updates for X99 or earlier motherboards. For example my MSI X99A Raider’s most recent update is from 2016.

I didn’t do a thorough look but many boards that aren’t X299 or Z270 don’t have a patch. I checked MSI and Asus.

Ooh… Nasdaq is reporting Intel let Chinese companies know before US companies about Meltdown…

5 Likes

http://www.nasdaq.com/article/report--intel-warned-chinese-companies-of-chip-flaws-before-us-government-20180128-00006

Ouch.

Rackspace has not implemented the Meltdown kernel patch.

My company works with them (for the time being) and they seem to not care at all about this security hole on their shared hardware.

1 Like