dcrdev 251 Posted January 5, 2018 (edited)

What are people's opinions of the Spectre / Meltdown vulnerabilities recently discovered in recent Intel architectures? I'm more than a bit hacked off as the fix within the Linux kernel is said to decrease performance under heavy I/O by up to 30%. I don't know about Windows, but I think I read somewhere that the patches landed yesterday - is anyone feeling the effects yet?

The Linux fix is called KPTI (or Kernel page-table isolation) and is said to predominantly affect database performance and virtualisation - both things I use day-to-day. KPTI was merged into the mainline kernel yesterday and is expected to roll out to Fedora (my desktop OS) within the next few hours and RHEL (my server OS) within the coming days. Although the performance hit is said to be offset somewhat if you have a modern CPU with support for PCID (Process-Context Identifiers), and that's what early benchmarks seem to suggest: https://www.phoronix.com/scan.php?page=article&item=linux-kpti-pcid&num=2

What are people's thoughts?

Edited January 5, 2018 by dcrdev
Luke 37232 Posted January 5, 2018

It's bad but there's no choice. Hopefully as new chips come out without the vulnerability, the OSes will be smart enough to disable the workaround.
Tur0k 143 Posted January 5, 2018 (edited)

Last I read, Meltdown (the more serious vulnerability of the two) holds the greatest danger. It is specific to Intel chips. AMD chips have an architectural design that protects them from the vulnerability. It seems suspicious that manufacturers are fixing this with a software solution and not with a hardware firmware fix. The patch in M$ is still forthcoming. Linux builds will blanket apply the fix to all systems regardless of CPU manufacturer.

The Spectre vulnerability is evident in Intel, AMD, and ARM. It is tied to foundational x86 architecture. It is supposedly less of a vulnerability than Meltdown. I have not heard what, if anything, AMD or ARM are doing to mitigate.

I use Intel, AMD, and ARM based equipment in my environment at home and have gripes about all, but they do the job they need to. Currently, my priority is my primary firewall, which is running on a 5th gen i5. I am looking forward to applying the fix as soon as it becomes available on BSD. Currently, my load on that server is between 2 and 8 percent. I don't know that I would mind the 30% increase.

My Emby server is running an AMD 1090T (circa 2010). I moderately overclocked it years ago and it is still just chugging away. I am planning on waiting to see how the M$ patch works out. I don't know that the server would run well if it lost 30% of the CPU's resources to overhead. If that is the case I will likely look into a Linux build that doesn't include the Linux Meltdown patch (as I am running an AMD, and the patch will blanket apply across all builds regardless of CPU manufacturer). I have been planning on upgrading my system once RAM prices drop back down and the new line of Ryzen CPUs drops in Q2 2018.

Sent from my iPhone using Tapatalk

Edited January 5, 2018 by Tur0k
dcrdev 251 Posted January 5, 2018 (Author)

Quoting Tur0k: "Last I read, Meltdown (the more serious vulnerability of the two) holds the greatest danger. It is specific to Intel chips. AMD chips have an architectural design that protects them from the vulnerability. The patch in M$ is still forthcoming. Linux builds will blanket apply the fix to all systems regardless of CPU manufacturer. The Spectre vulnerability is evident in Intel, AMD, and ARM. It is tied to foundational x86 architecture. It is supposedly less of a vulnerability than Meltdown. I have not heard what, if anything, AMD or ARM are doing to mitigate."

There's a fix now in mainline that does disable KPTI for AMD.
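A practical way to settle the questions raised in the opening post and in this reply (is KPTI actually active on my box, does my CPU have PCID to soften the hit, and is the kernel really exempting AMD) is to read what the Linux kernel reports about itself. The script below is an added example, not something posted in this thread. It relies on three real Linux interfaces: kernels with page-table isolation switched on add a "pti" entry to the flags line of /proc/cpuinfo, "pcid" in the same line indicates hardware PCID support, and kernels that carry the mitigation reporting expose /sys/devices/system/cpu/vulnerabilities/meltdown (plus spectre_v1 and spectre_v2) with values such as "Mitigation: PTI", "Not affected" or "Vulnerable". The helper functions take the text as arguments so they can be exercised on constructed sample strings; running the script with --live reads the real files, and the sysfs directory will simply be missing on a kernel that predates the reporting.

```shell
#!/bin/sh
# Added example (not from the forum thread): report KPTI / PCID / mitigation
# state on a Linux host. Paths and flag names are the kernel's real ones;
# the sample flag strings used in testing are constructed.

# Return 0 if the /proc/cpuinfo "flags" line in $1 contains the flag named $2.
# Whole-word match only, so "pti" does not match "pt" or "ptix".
has_cpu_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify the text of one /sys/devices/system/cpu/vulnerabilities/<name> file.
# Prints one of: unaffected, mitigated, vulnerable, unknown.
classify_vuln() {
    case "$1" in
        "Not affected"*) printf 'unaffected\n' ;;
        Mitigation:*)    printf 'mitigated\n' ;;
        Vulnerable*)     printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# Summarise KPTI state from a flags line: "pti" is set by kernels that have
# page-table isolation enabled, "pcid" means the CPU supports process-context
# identifiers (which is what makes the KPTI cost more bearable).
kpti_summary() {
    flags="$1"
    if has_cpu_flag "$flags" pti;  then pti=on;   else pti=off;  fi
    if has_cpu_flag "$flags" pcid; then pcid=yes; else pcid=no;  fi
    printf 'kpti=%s pcid=%s\n' "$pti" "$pcid"
}

# Live report against the running system (Linux only).
report_live() {
    if [ -r /proc/cpuinfo ]; then
        flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)
        kpti_summary "$flags"
    fi
    d=/sys/devices/system/cpu/vulnerabilities
    if [ -d "$d" ]; then
        for f in "$d"/*; do
            v=$(cat "$f")
            printf '%s: %s (%s)\n' "$(basename "$f")" "$v" "$(classify_vuln "$v")"
        done
    else
        echo "no $d: this kernel does not report mitigation status" >&2
    fi
    # The boot log line the kernel prints when PTI is compiled in and decided on.
    dmesg 2>/dev/null | grep -i 'page tables isolation' || true
}

if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

On an Intel host with the patched kernel you would expect "kpti=on", ideally with "pcid=yes", and meltdown reading "Mitigation: PTI"; on an AMD host with the exemption from mainline you would expect "kpti=off" together with meltdown reading "Not affected". A host that shows "Vulnerable" for meltdown has the kernel but not the mitigation (for instance because it was booted with nopti).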
Tur0k 143 Posted January 5, 2018 (edited)

Quoting dcrdev: "There's a fix now in mainline that does disable KPTI for AMD."

I am glad they addressed that on AMD platforms. Now to see what M$ does. Also, I still wonder why this is being addressed with a software patch instead of a hardware fix like a firmware update to close the hole. I wish I would have bought AMD stock on Monday...

Sent from my iPhone using Tapatalk

Edited January 5, 2018 by Tur0k
PenkethBoy 2063 Posted January 5, 2018 (edited)

The "fix" for Meltdown has been available for a couple of days for Windows 10/2016 - I have applied it (after you get past the AV block by MS). No noticeable loss of performance as yet - but it is workload specific - so time will tell. As I understand it there is no fix for Spectre as yet on any platform.

[edit] It's available for 8.1 and 2012 R2 as well.

Edited January 5, 2018 by PenkethBoy
techywarrior 688 Posted January 5, 2018

As others have said, the performance penalty is very workload dependent, so it is going to take time before we see what sort of effect it is going to have on the average user. There are some firmware updates starting to trickle out, so it's not entirely reliant on software fixes to mitigate. There has already been a lot of contradictory information in the news, with AMD claiming they are not vulnerable but then other people in the know saying even that is not entirely true and that AMD is vulnerable but the timing (read up on the vulnerability if you don't know what timing I am talking about) is much less, so the ability to exploit it is almost non-existent.

One good thing is that everyone working on the patches/firmware has been saying that the performance impact should be reduced over time as they optimize the fixes. That's probably good news for everyone but doesn't really quell the uproar right now.

The other thing is that for a typical user on a laptop/desktop it's very hard to exploit. This is really more of an issue for governments/companies that are targeted by extremely sophisticated targeted attacks, and also for cloud services that host multiple virtual servers on single physical hardware. The cloud systems are also the most hit by the performance decrease of the current patches. They are really the ones that should be upset, since profit is directly related to how many customers they can put on a single server and this will reduce that significantly in some cases.

As a, closer to typical, user I'm a little annoyed, but due to the sophistication of the vulnerability I don't hold as much animosity to Intel/ARM/AMD as others seem to. This isn't something that was obvious and glossed over for years. Maybe try to think of it this way: you had a bonus 3-15% CPU speed over the last 10 years.

It will be interesting to see if Intel et al create a new stepping of their CPUs that adjusts for the attack and if there is a performance impact or not.
dcrdev 251 Posted January 5, 2018 (Author, edited)

Well I mean as I said it's most likely going to hit database and virtualisation workloads - both of which I use. Spectre can to an extent be handled in microcode; Meltdown however can only be addressed by introducing an additional abstraction layer a la page-table isolation. I too am hopeful that this can be improved upon given time - but as someone who spent £500 on a Xeon processor because of its suitability for these kind of workloads, I am annoyed. But benchmarks are looking positive so far - so I'll wait and see.

Typically the CEO of Intel dumped the majority of his shares shortly before this was disclosed.

The vulnerability only affects:
- Shared infrastructure, i.e. cloud.
- Multi-user systems - this could/does apply to home users.

Edited January 5, 2018 by dcrdev
Guest asrequested Posted January 5, 2018

Threadripper to the rescue. When I finally get around to building my gateway, I'm going to use my i7, to ensure the processing overhead.
dcrdev 251 Posted January 5, 2018 (Author, edited)

i7 for a gateway? You running an enterprise out of your house lol?

Edited January 5, 2018 by dcrdev
Guest asrequested Posted January 5, 2018

Quoting dcrdev: "i7 for a gateway? You running an enterprise out of your house lol?"

Lol... I just want to be able to run pfSense with everything enabled. It recommends a multicore 2 GHz processor for that. So now with this Meltdown issue, I figure I'll just use the i7 that's sitting in my closet.
Tur0k 143 Posted January 5, 2018

I can let you know how it hits my i5 once released on BSD and pfSense. A buddy of mine runs pfSense virtually on an AMD 8320 VM host and it purrs for him.

Sent from my iPhone using Tapatalk
dcrdev 251 Posted January 5, 2018 (Author)

Quoting asrequested: "Lol... I just want to be able to run pfSense with everything enabled. It recommends a multicore 2 GHz processor for that. So now with this Meltdown issue, I figure I'll just use the i7 that's sitting in my closet."

I mean, I use pfSense and unless you are going to be heavily utilising a VPN over a 1 Gbps+ line then that's extreme overkill.
Guest asrequested Posted January 5, 2018

Quoting Tur0k: "I can let you know how it hits my i5 once released on BSD and pfSense. A buddy of mine runs pfSense virtually on an AMD 8320 VM host and it purrs for him."

Groovy. I have an i5 6500 that I was initially going to use.
Guest asrequested Posted January 5, 2018

Quoting dcrdev: "I mean, I use pfSense and unless you are going to be heavily utilising a VPN over a 1 Gbps+ line then that's extreme overkill."

Yeah, I know. But I like overkill. I will want to be able to use heavy encryption, though. That's what's driving this build.
Tur0k 143 Posted January 5, 2018

Quoting asrequested: "Yeah, I know. But I like overkill. I will want to be able to use heavy encryption, though. That's what's driving this build."

"Go big or go home". A decent CPU with AES-NI support should be all that is needed.

Sent from my iPhone using Tapatalk
Guest asrequested Posted January 5, 2018 (edited)

Quoting Tur0k: "Go big or go home".

ZACCLY! lol. I just like having more than I need. And I figured with the hit that it might get because of this fix, I'd hedge my bets.

Edited January 5, 2018 by Doofus
dcrdev 251 Posted January 5, 2018 (Author)

Fair do's - I don't think this will affect pfSense much though. KPTI affects I/O - so unless you're doing caching it's not going to be affected. Caching is pointless anyway these days as 95% of the web is SSL, which can't be cached unless you opt to do MITM SSL decryption, and then you'd have to re-sign everything with your own root authority, which subsequently you'd have to manually trust on all your devices.
Guest asrequested Posted January 5, 2018

I have yet to mess with pfSense. That'll be future fun. I'll be asking you guys questions. I just don't want to be limited by processing power. I had that with my USG.
dcrdev 251 Posted January 5, 2018 (Author)

Lol - sh**'s really hitting the fan this week: https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-2018-Vulnerability
Guest asrequested Posted January 5, 2018

Quoting dcrdev: "Lol - sh**'s really hitting the fan this week: https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-2018-Vulnerability"

I think I have that disabled. I'll have to check :/
Swynol 375 Posted January 8, 2018

Quoting asrequested: "I have yet to mess with pfSense. That'll be future fun. I'll be asking you guys questions. I just don't want to be limited by processing power. I had that with my USG."

Don't really need anything too beefy. I was running it on an i3 6100T. With an 80/20 line my CPU hits around 10% on full load and idles around 2%. That's with IPS, antivirus scanning, MITM on HTTPS traffic and a few other things.
Guest asrequested Posted January 8, 2018

Quoting Swynol: "Don't really need anything too beefy. I was running it on an i3 6100T. With an 80/20 line my CPU hits around 10% on full load and idles around 2%. That's with IPS, antivirus scanning, MITM on HTTPS traffic and a few other things."

I'll probably try my i5 first. It'll have to handle a lot of encryption, too.
Jdiesel 1114 Posted January 8, 2018

I don't play it personally but I heard that Fortnite's online servers are struggling now that the Meltdown patch was applied. https://www.epicgames.com/fortnite/forums/news/announcements/132642-epic-services-stability-update
dcrdev 251 Posted January 8, 2018 (Author, edited)

Quoting asrequested: "I'll probably try my i5 first. It'll have to handle a lot of encryption, too."

As long as it has AES-NI (which it will do) it will exceed your needs! I'm using an i3-6100 (because it has ECC support on the cheap) and it's serving 8 computers and countless IoT devices - I'm making heavy use of SSL, SSH tunneling and encrypted BitTorrent (Syncthing file sync - not what you're thinking) and the i3 can more than cope.

Edited January 8, 2018 by dcrdev