Meltdown/Spectre


dcrdev

What are people's opinions of the Spectre / Meltdown vulnerabilities recently discovered in recent Intel architectures? I'm more than a bit hacked off as the fix within the Linux kernel is said to decrease performance under heavy i/o by up to 30%. I don't know about Windows, but I think I read somewhere that the patches landed yesterday - is anyone feeling the effects yet?

 

The Linux fix is called KPTI (or Kernel page-table isolation) and is said to predominantly affect database performance and virtualisation - both things I use day-to-day. KPTI was merged into the mainline kernel yesterday and is expected to roll out to Fedora (my desktop os) within the next few hours and RHEL (my server os) within the coming days.

 

Although the performance hit is said to be offset somewhat if you have a modern CPU with support for PCID (Process-Context Identifiers), and that's what early benchmarks seem to suggest:

https://www.phoronix.com/scan.php?page=article&item=linux-kpti-pcid&num=2

 

What are people's thoughts?

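A defender's check for the KPTI/PCID situation described in the post above, as an added example that is not code from the thread: it reads the kernel's own Meltdown verdict from sysfs and looks for the pcid and pti CPU flags. The sysfs path and flag names are the upstream Linux ones (kernel 4.15 and later); the cpuinfo sample is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: report whether the kernel has the
# KPTI (PTI) Meltdown mitigation active and whether the CPU exposes PCID,
# the feature that softens KPTI's cost. Parsing takes text as arguments so
# it can be exercised on the constructed sample below and then on the live
# /proc/cpuinfo and sysfs files.

# Return 0 if the cpuinfo text in $1 lists flag $2 on its first "flags" line.
cpu_has_flag() {
    printf '%s\n' "$1" | grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx "$2"
}

# Translate the content of /sys/devices/system/cpu/vulnerabilities/meltdown
# (kernel 4.15+) into a one-line verdict.
meltdown_state() {
    case "$1" in
        "Mitigation:"*)  echo "mitigated ($1)" ;;
        "Not affected"*) echo "not affected (kernel skips PTI, e.g. on AMD)" ;;
        "Vulnerable"*)   echo "VULNERABLE ($1)" ;;
        *)               echo "unknown ($1)" ;;
    esac
}

# Constructed sample: an Intel CPU with PCID and a kernel that enabled PTI.
SAMPLE_CPUINFO='vendor_id : GenuineIntel
flags : fpu vme pcid sse4_2 pti invpcid'

# Live report for the machine this runs on; silent where the files are absent.
live_report() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null) || return 0
    sysfile=/sys/devices/system/cpu/vulnerabilities/meltdown
    if cpu_has_flag "$cpuinfo" pcid; then
        echo "PCID: present (KPTI overhead reduced)"
    else
        echo "PCID: absent (expect the larger KPTI penalty)"
    fi
    if cpu_has_flag "$cpuinfo" pti; then
        echo "PTI flag: set (page-table isolation active)"
    else
        echo "PTI flag: not set"
    fi
    [ -r "$sysfile" ] && echo "Kernel verdict: $(meltdown_state "$(cat "$sysfile")")"
    return 0
}

live_report
```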
It's bad but there's no choice. Hopefully as new chips come out without the vulnerability, the OS's will be smart enough to disable the workaround.

Tur0k

Last I read, Meltdown (the more serious vulnerability of the two) holds the greatest danger. It is specific to Intel chips. AMD chips have an architectural design that protects them from the vulnerability. It seems suspicious that manufacturers are fixing this with a software solution and not with a hardware firmware fix. The patch in M$ is still forthcoming. Linux builds will blanket apply the fix to all systems regardless of CPU manufacturer.

 

The Spectre vulnerability is evident in Intel, AMD, and ARM. It is tied to foundational X86 architecture. It is supposedly less of a vulnerability than meltdown. I have not heard what if anything AMD or ARM are doing to mitigate.

 

I use Intel, AMD, and ARM based equipment in my environment at home and have gripes about all, but they do the job they need to. Currently, my priority is my primary firewall, which is running on a 5th gen i5. I am looking forward to applying the fix as soon as it becomes available on BSD. Currently, my load on that server is between 2 and 8 percent. I don't know that I would mind the 30% increase.

 

My Emby server is running an AMD 1090T (circa 2010). I moderately overclocked it years ago and it is still just chugging away. I am planning on waiting to see how the M$ patch works out. I don't know that the server would run well if it lost 30% of the CPU's resources to overhead. If that is the case I will likely look into a Linux build that doesn't include the Linux meltdown patch (as I am running an AMD, and the patch will blanket apply across all builds regardless of CPU manufacturer). I have been planning on upgrading my system once RAM prices drop back down and the new line of Ryzen CPUs drops in Q2 2018.

 

dcrdev

Last I read, Meltdown (the more serious vulnerability of the two) holds the greatest danger. It is specific to Intel chips. AMD chips have an architectural design that protects them from the vulnerability. The patch in M$ is still forthcoming. Linux builds will blanket apply the fix to all systems regardless of CPU manufacturer.

 

The Spectre vulnerability is evident in Intel, AMD, and ARM. It is tied to foundational X86 architecture. It is supposedly less of a vulnerability than meltdown. I have not heard what if anything AMD or ARM are doing to mitigate.

 
There's a fix now in mainline that does disable KPTI for AMD.

Tur0k

There's a fix now in mainline that does disable KPTI for AMD.

I am glad they addressed that on AMD platforms. Now to see what M$ does. Also, I still wonder why this is being addressed with a software patch instead of a hardware fix like a firmware update to close the hole. I wish I would have bought AMD stock on Monday...


PenkethBoy

The "fix" for Meltdown has been available for a couple of days for Windows 10/2016 - I have applied it (after you get past the AV block by MS).

 

No noticeable loss of performance as yet - but it is workload specific - so time will tell.

 

As I understand it, there is no fix for Spectre as yet on any platform.

 

[edit] It's available for 8.1 and 2012r2 as well.


techywarrior

As others have said, the performance penalty is very workload dependent, so it is going to take time before we see what sort of effect it is going to have on the average user. There are some firmware updates starting to trickle out so it's not entirely reliant on software fixes to mitigate. There has already been a lot of contradictory information in the news with AMD claiming they are not vulnerable but then other people in the know saying even that is not entirely true and that AMD is vulnerable but the timing (read up on the vulnerability if you don't know what timing I am talking about) is much less so the ability to exploit it is almost non-existent. 

 

One good thing is that everyone working on the patches/firmware have been saying that the performance impact should be reduced over time as they optimize the fixes. That's probably good news for everyone but doesn't really quell the uproar right now.

 

The other thing is that for a typical user on a laptop/desktop it's very hard to exploit. This is really more of an issue for government/companies that are targeted by extremely sophisticated targeted attacks and also for cloud services that host multiple virtual servers on single physical hardware. The cloud systems are also the most hit by the performance decrease of the current patches. They are really the ones that should be upset since profit is directly related to how many customers they can put on a single server and this will reduce that significantly in some cases.

 

As a, closer to typical, user I'm a little annoyed but due to the sophistication of the vulnerability I don't hold as much animosity to Intel/ARM/AMD as others seem to. This isn't something that was obvious and glossed over for years.

 

Maybe try think of it this way. You had a bonus 3-15% CPU speed over the last 10 years :)

 

It will be interesting to see if Intel et al create a new stepping of their CPUs that adjusts for attack and if there is a performance impact or not.


dcrdev

Well I mean as I said it's most likely going to hit database and virtualisation workloads - both of which I use.

 

Spectre can be, to an extent, handled in microcode; Meltdown, however, can only be addressed by introducing an additional abstraction layer a la page-table isolation. I too am hopeful that this can be improved upon given time - but as someone who spent £500 on a Xeon processor because of its suitability for these kinds of workloads, I am annoyed.

 

But benchmarks are looking positive so far - so I'll wait and see.

 

Typically the CEO of Intel dumped the majority of his shares, shortly before this was disclosed.

 

The vulnerability only affects:

  • Shared infrastructure i.e. cloud.
  • Multi-user systems - this could/does apply to home users.

Guest asrequested

Threadripper to the rescue :)

 

When I finally get around to building my gateway, I'm going to use my i7, to ensure the processing overhead.


dcrdev

i7 for a Gateway? You running an enterprise out of your house lol ?


Guest asrequested

i7 for a Gateway? You running an enterprise out of your house lol ?

Lol...I just want to be able to run pfsense with everything enabled. It recommends a multicore 2Ghz processor for that. So now with this meltdown issue, I figure I'll just use the i7 that's sitting in my closet :D


Tur0k

I can let you know how it hits my i5 once released on bsd and PFSense.

 

A buddy of mine runs pfsense virtually on an AMD 8320 vmhost and it purrs for him.


dcrdev

Lol...I just want to be able to run pfsense with everything enabled. It recommends a multicore 2Ghz processor for that. So now with this meltdown issue, I figure I'll just use the i7 that's sitting in my closet :D

 

I mean I use pfsense and unless you are going to be heavily utilising a vpn over a 1gbps+ line then that's extreme overkill.


Guest asrequested

I can let you know how it hits my i5 once released on bsd and PFSense.

 

A buddy of mine runs pfsense virtually on an AMD 8320 vmhost and it purrs for him.

Groovy. I have an i5 6500 that I was initially going to use.


Guest asrequested

I mean I use pfsense and unless you are going to be heavily utilising a vpn over a 1gbps+ line then that's extreme overkill.

Yeah, I know. But I like overkill :D

 

I will want to be able to use heavy encryption, though. That's what's driving this build.


Tur0k

Yeah, I know. But I like overkill :D

 

I will want to be able to use heavy encryption, though. That's what's driving this build.

"Go big or go home".

 

A decent CPU with AES-NI support should be all that is needed.


Guest asrequested

"Go big or go home".

 

 

ZACCLY! lol

 

I just like having more than I need. And I figured, with the hit that it might get because of this fix, I'd hedge my bets.


dcrdev

Fair do's - I don't think this will affect pfsense much though.

 

KPTI affects i/o - so unless you're doing caching it's not going to be affected. Caching is pointless anyway these days as 95% of the web is SSL, which can't be cached unless you opt to do MITM SSL decryption, and then you'd have to re-sign everything with your own root authority, which subsequently you'd have to manually trust on all your devices.


Guest asrequested

I have yet to mess with pfsense. That'll be future fun. I'll be asking you guys questions. I just don't want to be limited by processing power. I had that with my USG.


Swynol

I have yet to mess with pfsense. That'll be future fun. I'll be asking you guys questions. I just don't want to be limited by processing power. I had that with my USG.

 

Don't really need anything too beefy. I was running it on an i3 6100t. With an 80/20 line my CPU hits around 10% on full load and idles around 2%. That's with IPS, antivirus scanning, MITM on HTTPS traffic and a few other things.


Guest asrequested

Don't really need anything too beefy. I was running it on an i3 6100t. With an 80/20 line my CPU hits around 10% on full load and idles around 2%. That's with IPS, antivirus scanning, MITM on HTTPS traffic and a few other things.

I'll probably try my i5, first. It'll have to handle a lot of encryption, too.


dcrdev

I'll probably try my i5, first. It'll have to handle a lot of encryption, too.

 

As long as it has AES-NI (which it will do) it will exceed your needs!

 

I'm using an i3-6100 (because it has ECC support on the cheap) and it's serving 8 computers and countless IoT devices - I'm making heavy use of SSL, SSH tunneling and encrypted BitTorrent (Syncthing file sync - not what you're thinking) and the i3 can more than cope.
