Intel CPUs Massive Security Flaw issue

robi

"All Intel Processors Made in the Last Decade Might Have a Massive Security Flaw"
https://gizmodo.com/report-all-intel-processors-made-in-the-last-decade-mi-1821728240
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
https://www.postgresql.org/message-id/20180102222354.qikjmf7dvnjgbkxe@alap3.anarazel.de

I'm really starting to loose my trust in Intel. First ME, than this. Oh and the C2000 series bug…
I used to use AMD CPUs in the past, I switched to Intel about 15 years ago because AMDs tended to overheat etc. while Intels looked more trustworthy, they costed more but had less compromises at that time than AMDs (the era of Athlons and Durons).
I wonder how do AMDs perform these days...? I definitely intend to start looking at AMDs in my next projects....

Anyways, the big questions are:

• do we get (and when) a kernel update to pfSense to address this issue
• how much performance decrease should we espect. Thinking here of Atoms especially, C2000 series (like the famous Supermicro A1SRi-2758F and its brothers board, used by thousands of us in pfSense)

ivor

No FreeBSD patches as yet.

robi

Hmm. I really hope if there will be such a patch, performance loss will only affect Intel CPUs; KPTI (Kernel Page Table Isolation) routine would only be activated if the processor is detected as being an Intel…

ivor

This is a brand new issue so we don't have much of information yet.

Hugovsky

Intel is just becoming more and more disappointing. I think it's time to start looking to AMD or others…

Chrismallia

AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

robi

@Chrismallia:

AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

I'm afraid that depends on what type of tasks the CPU has to perform. For example I've got several HP T5730 thin clients equipped with AMD Sempron 2100+ CPUs at 1GHz, they do WAN/LAN NAT-ing at full interface speed between VLANs (1Gbit/s/2) at only 60% CPU usage. Intel Atoms from that era are nowhere compared to Semprons.

Chrismallia

"I'm afraid that depends on what type of tasks the CPU has to perform. For example I've got several HP T5730 thin clients equipped with AMD Sempron 2100+ CPUs at 1GHz, they do WAN/LAN NAT-ing at full interface speed between VLANs (1Gbit/s/2) at only 60% CPU usage. Intel Atoms from that era are nowhere compared to Semprons."

Thats good to know, thanks for the info

Hugovsky

If I have to trade speed for security, I choose security every time. With Intel, it used to be a win-win but, with recent news… I just don't believe it so blindly anymore. Of course AMD is not the cure to all your problems but it sure starts to seem a little better.

KOM

AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper.  As for issues, unless you have something concrete then you can't really make that claim.  I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse.  It's pure FUD.

Hugovsky

There you go:

http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/

Hugovsky

More info here:

https://spectreattack.com/

ivor

Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

mikeisfly

From my understanding of the problem all x86 processors are effected but the AMD processors have the ability to turn off the branch prediction feature. It would seem to me that if some bioses can be updated to turn this feature off on Intel Processors than the problem can be minimized without the 5% performance hit. We all want speed and putting the Kernel page file and user page file in the same space was a way for them to achieve this. I don't really think it's fair to blame Intel. Security is really hard and I would say the problem is really at the OS level. OS makers are working on the fix now so I would say everyone is doing their job. I would imagine in the future Intel processors will have the ability to turn the branch prediction off which will fix this issue.

VAMike

@mikeisfly:

From my understanding of the problem all x86 processors are effected but the AMD processors have the ability to turn off the branch prediction feature. It would seem to me that if some bioses can be updated to turn this feature off on Intel Processors than the problem can be minimized without the 5% performance hit. We all want speed and putting the Kernel page file and user page file in the same space was a way for them to achieve this. I don't really think it's fair to blame Intel. Security is really hard and I would say the problem is really at the OS level. OS makers are working on the fix now so I would say everyone is doing their job. I would imagine in the future Intel processors will have the ability to turn the branch prediction off which will fix this issue.

Turning off branch prediction would be a much more significant performance hit. The impact of KPTI is felt on code with a lot of system calls, and has close to zero impact on code that stays in user land. Killing branch prediction would impact everything.

It's also worth pointing out that this isn't a kernel-specific issue, and that side channel attacks can impact any program that tries to isolate untrusted code. (For example, a browser running javascript.) The kernel mitigations don't fix all of those other programs–and AMD CPUs are impacted by this just as much as Intel CPUs.

robi

@ivor:

Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

Can you please elaborate a little bit this, so we can understand what you mean? Especially the "most pfSense use cases without untrusted local users or a multi-tenant context ".
The whole pfSense runs as root, including the web interface afaik…

robi

@VAMike:

AMD CPUs are impacted by this just as much as Intel CPUs.

Not true:

AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against.  The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.

The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants. Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time. We expect the security research to be published later today and will provide further updates at that time.

Howerver, ARM prcessors are affected:

ARM, whose chip designs are widely used in cell phones and other devices, confirmed some of its chip architectures are affected, including some of its Cortex-A processors. "This method requires malware running locally and could result in data being accessed from privileged memory," ARM said in a statement to Axios. "Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted."

Chrismallia

@KOM:

AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper.  As for issues, unless you have something concrete then you can't really make that claim.  I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse.  It's pure FUD.

Sorry to disagree

Threadripper  does nearly half the work clock per cycle  of an Intel  plus they run much hotter and are less power efficient

robi

This was true 15 years ago, can't believe they are still the same.

Chrismallia

Here is 1 example  the AMD has 8 cores 16 threads  Intel 4 core 8 threads

https://www.tomsguide.com/us/amd-ryzen-benchmarks,review-4232.html

I did not reed the post in detail but at a quick look the Intel did better with less cores , I am not trying to make Intel look better just trying to justify if switching to AMD will be worth it  as you still have to buy expensive CPUs like ryzen to get good performance