Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Intel CPUs Massive Security Flaw issue

    Scheduled Pinned Locked Moved General pfSense Questions
    95 Posts 26 Posters 23.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      robi
      last edited by

      Hmm. I really hope if there will be such a patch, performance loss will only affect Intel CPUs; KPTI (Kernel Page Table Isolation) routine would only be activated if the processor is detected as being an Intel…

      1 Reply Last reply Reply Quote 0
      • ivorI
        ivor
        last edited by

        This is a brand new issue so we don't have much of information yet.

        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

        1 Reply Last reply Reply Quote 0
        • H
          Hugovsky
          last edited by

          Intel is just becoming more and more disappointing. I think it's time to start looking to AMD or others…

          1 Reply Last reply Reply Quote 0
          • C
            Chrismallia
            last edited by

            AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

            1 Reply Last reply Reply Quote 0
            • R
              robi
              last edited by

              @Chrismallia:

              AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

              I'm afraid that depends on what type of tasks the CPU has to perform. For example I've got several HP T5730 thin clients equipped with AMD Sempron 2100+ CPUs at 1GHz, they do WAN/LAN NAT-ing at full interface speed between VLANs (1Gbit/s/2) at only 60% CPU usage. Intel Atoms from that era are nowhere compared to Semprons.

              1 Reply Last reply Reply Quote 0
              • C
                Chrismallia
                last edited by

                "I'm afraid that depends on what type of tasks the CPU has to perform. For example I've got several HP T5730 thin clients equipped with AMD Sempron 2100+ CPUs at 1GHz, they do WAN/LAN NAT-ing at full interface speed between VLANs (1Gbit/s/2) at only 60% CPU usage. Intel Atoms from that era are nowhere compared to Semprons."

                Thats good to know, thanks for the info

                1 Reply Last reply Reply Quote 0
                • H
                  Hugovsky
                  last edited by

                  If I have to trade speed for security, I choose security every time. With Intel, it used to be a win-win but, with recent news… I just don't believe it so blindly anymore. Of course AMD is not the cure to all your problems but it sure starts to seem a little better.

                  1 Reply Last reply Reply Quote 0
                  • KOMK
                    KOM
                    last edited by

                    AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

                    From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper.  As for issues, unless you have something concrete then you can't really make that claim.  I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse.  It's pure FUD.

                    1 Reply Last reply Reply Quote 0
                    • H
                      Hugovsky
                      last edited by

                      There you go:

                      http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/

                      1 Reply Last reply Reply Quote 0
                      • H
                        Hugovsky
                        last edited by

                        More info here:

                        https://spectreattack.com/

                        1 Reply Last reply Reply Quote 0
                        • ivorI
                          ivor
                          last edited by

                          Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

                          Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

                          Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                          1 Reply Last reply Reply Quote 0
                          • M
                            mikeisfly
                            last edited by

                            From my understanding of the problem all x86 processors are effected but the AMD processors have the ability to turn off the branch prediction feature. It would seem to me that if some bioses can be updated to turn this feature off on Intel Processors than the problem can be minimized without the 5% performance hit. We all want speed and putting the Kernel page file and user page file in the same space was a way for them to achieve this. I don't really think it's fair to blame Intel. Security is really hard and I would say the problem is really at the OS level. OS makers are working on the fix now so I would say everyone is doing their job. I would imagine in the future Intel processors will have the ability to turn the branch prediction off which will fix this issue.

                            1 Reply Last reply Reply Quote 0
                            • V
                              VAMike
                              last edited by

                              @mikeisfly:

                              From my understanding of the problem all x86 processors are effected but the AMD processors have the ability to turn off the branch prediction feature. It would seem to me that if some bioses can be updated to turn this feature off on Intel Processors than the problem can be minimized without the 5% performance hit. We all want speed and putting the Kernel page file and user page file in the same space was a way for them to achieve this. I don't really think it's fair to blame Intel. Security is really hard and I would say the problem is really at the OS level. OS makers are working on the fix now so I would say everyone is doing their job. I would imagine in the future Intel processors will have the ability to turn the branch prediction off which will fix this issue.

                              Turning off branch prediction would be a much more significant performance hit. The impact of KPTI is felt on code with a lot of system calls, and has close to zero impact on code that stays in user land. Killing branch prediction would impact everything.

                              It's also worth pointing out that this isn't a kernel-specific issue, and that side channel attacks can impact any program that tries to isolate untrusted code. (For example, a browser running javascript.) The kernel mitigations don't fix all of those other programs–and AMD CPUs are impacted by this just as much as Intel CPUs.

                              1 Reply Last reply Reply Quote 0
                              • R
                                robi
                                last edited by

                                @ivor:

                                Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

                                Can you please elaborate a little bit this, so we can understand what you mean? Especially the "most pfSense use cases without untrusted local users or a multi-tenant context ".
                                The whole pfSense runs as root, including the web interface afaik…

                                1 Reply Last reply Reply Quote 0
                                • R
                                  robi
                                  last edited by

                                  @VAMike:

                                  AMD CPUs are impacted by this just as much as Intel CPUs.

                                  Not true:

                                  AMD processors are not subject to the types of attacks that the kernel
                                  page table isolation feature protects against.  The AMD microarchitecture
                                  does not allow memory references, including speculative references, that
                                  access higher privileged data when running in a lesser privileged mode
                                  when that access would result in a page fault.

                                  The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

                                  Howerver, ARM prcessors are affected:

                                  ARM, whose chip designs are widely used in cell phones and other devices, confirmed some of its chip architectures are affected, including some of its Cortex-A processors. "This method requires malware running locally and could result in data being accessed from privileged memory," ARM said in a statement to Axios. "Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted."

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    Chrismallia
                                    last edited by

                                    @KOM:

                                    AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

                                    From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper.  As for issues, unless you have something concrete then you can't really make that claim.  I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse.  It's pure FUD.

                                    Sorry to disagree

                                    Threadripper  does nearly half the work clock per cycle  of an Intel  plus they run much hotter and are less power efficient

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      robi
                                      last edited by

                                      This was true 15 years ago, can't believe they are still the same.

                                      1 Reply Last reply Reply Quote 0
                                      • C
                                        Chrismallia
                                        last edited by

                                        Here is 1 example  the AMD has 8 cores 16 threads  Intel 4 core 8 threads

                                        https://www.tomsguide.com/us/amd-ryzen-benchmarks,review-4232.html

                                        I did not reed the post in detail but at a quick look the Intel did better with less cores , I am not trying to make Intel look better just trying to justify if switching to AMD will be worth it  as you still have to buy expensive CPUs like ryzen to get good performance

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          Chrismallia
                                          last edited by

                                          AMD are hit too

                                          http://bgr.com/2018/01/03/intel-security-flaw-also-arm-amd-macos-already-patched/

                                          The only thing different looks like Intel are doing something about it and AMD has not responded yet

                                          1 Reply Last reply Reply Quote 0
                                          • V
                                            VAMike
                                            last edited by

                                            @robi:

                                            @VAMike:

                                            AMD CPUs are impacted by this just as much as Intel CPUs.

                                            Not true

                                            No, completely true. First, you trimmed off one heck of a lot of context that's really important:

                                            It's also worth pointing out that this isn't a kernel-specific issue, and that side channel attacks can impact any program that tries to isolate untrusted code. (For example, a browser running javascript.) The kernel mitigations don't fix all of those other programs–and AMD CPUs are impacted by this just as much as Intel CPUs.

                                            What a lot of fanboys seem to be missing in their urgency to have an intel bonfire is that this is about a class of vulnerabilities, not a specific vulnerability. AMD processors seem at this point to not be vulnerable to one particular mode of attack, but are vulnerable to other modes of attack. And I guarantee that this area of research will get a lot more attention, and there will be other exploit vectors discovered. Side channel attacks have simply not been something that commodity CPU vendors have worried about, so to some degree finding them is like shooting fish in a barrel. (This is true of all the vendors, not just intel.) "Meltdown" is getting most of the press (that which isn't completely confused about the various attack vectors) and is the biggest PITA for shared infrastructure providers, but "Spectre" is actually much harder to fix, and just as relevant to actual users who do things like browse the web. The most straightforward fixes involve giving up any hope of sandboxing potentially malicious code within a process and relying on process isolation instead–which will have a performance impact on everyone's web browsing.

                                            And as long as we're talking about AMD, they really botched up the disclosure timeline by publicly asserting that they weren't vulnerable to certain kinds of cache timing attacks in the context of the linux kpti patches...people are going to think twice before trusting AMD to keep their mouths shut in the future.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.