Major Intel CPU vulnerability
-
With Intel hiding the flaw, no one knows what to patch and what not to. Intel appears to be a very bad actor here. The claims are that this is an Intel bug, which means that there is no association with other processors. Intel claimed others were affected but refused to substantiate the claims. I feel like we are being bullied as an industry by a single, overly large player.
-
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
-
It looks like Google Chrome offers a temp workaround for website browsing.
https://support.google.com/faqs/answer/7622138#chrome
Product Status
Google’s Mitigations Against CPU Speculative Execution Attack Methods
Overview
This document lists affected Google products and their current status of mitigation against CPU speculative execution attack methods. Mitigation Status refers to our mitigation for currently known vectors for exploiting the flaw described in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.The issue has been mitigated in many Google products (or wasn’t an issue in the first place). In some instances users and customers may need to take additional steps to ensure they’re using a protected version of a product, as detailed below.
This list and a product’s status may change as new developments warrant.
Google Products and Services
Product Mitigation Status
Google Infrastructure
The infrastructure that runs Google products (e.g., Search, YouTube, Google Ads products, Maps, Blogger, and other services), and the customer data held by Google, are protected.No additional user or customer action needed.
Android
On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices.The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017.
Future Android security updates will include additional mitigations. These changes are part of upstream Linux.
Google-supported Android devices include Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL. Users should accept the monthly updates for January 2018 on Nexus or their partner devices to receive these updates. Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation.
Timing mitigation for ARM processors included in the 2018-01-05 SPL as CVE-2017-13218.
Other Intel and ARM Processor specific fixes provided to partners.
Google Apps / G Suite
The infrastructure that runs G Suite (e.g., Gmail, Calendar, Drive, Docs, and other G Suite services) is protected.No additional user or customer action needed.
Google Chrome Browser
Current stable versions of Chrome include an optional feature called Site Isolation which can be enabled to provide mitigation by isolating websites into separate address spaces. Learn more about Site Isolation and how to take action to enable it.Chrome 64, due to be released on January 23, will contain mitigations to protect against exploitation.
Additional mitigations are planned for future versions of Chrome. Learn more about Chrome's response.
Desktop (all platforms), Chrome 63:
Full Site Isolation can be turned on by enabling a flag found at chrome://flags/#enable-site-per-process.
Enterprise policies are available to turn on Site Isolation for all sites, or just those in a specified list. Learn more about Site Isolation by policy.
Android:Site Isolation is available in chrome://flags but may have additional functionality and performance issues.
iOS:Chrome on iOS uses Apple’s WKWebView, so JS compilation mitigations are inherited from Apple.
-
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
Looks like the datasheet no longer mentions 2 processors.
http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdf
So, that means, yes, the 16 core proc is a good deal.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797 -
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797OMG that's awesome and EXACTLY what I was thinking!!
-
On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen [email protected] wrote:
This is a fix for Variant 2 in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.htmlAny speculative indirect calls in the kernel can be tricked
to execute any kernel code, which may allow side channel
attacks that can leak arbitrary kernel data.Why is this all done without any configuration options?
A competent CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed... and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind.Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?Because if that's the case, maybe we should start looking towards the
ARM64 people more.Please talk to management. Because I really see exactly two possibibilities:
- Intel never intends to fix anything
OR
- these workarounds should have a way to disable them.
Which of the two is it?
Linus -
@jaredbusch said in Major Intel CPU vulnerability:
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
Looks like the datasheet no longer mentions 2 processors.
http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdfSo, that means, yes, the 16 core proc is a good deal.
The confusion comes from the transition licensing for Software Assurance. If you had more than 8 Cores per process AND 2 processors per host you needed additional core licensing grants. The operative word is AND.
This chart shows a Single socket 10 core processor not costing more, so there isn't a penalty for going over 8 core's per proc up to 16 as long as it's single socket.
Note, this is "Informational only" datasheet so my friends who do license law (yah, the lamest thing to specialize in) tend to think of these docs as "maybe's" for if they count or not.
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797That was awesome.
-
Meanwhile, I can confirm that VMware products are NOT vulnerable to Meltdown, the newest Fusion and Workstation were also not impacted at this time (They would depend on their guest OS being patched), and currently it looks like the CVE's in the wild for Spectre are being handled by the patch that went out on Dec 19th.
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Also Z-Series, Power, ARM, and AMD are impcated by Spectre. Not sure all the Intel hate is due here.... They got burned by Meltdown (which sucks if you use Xen PV which always had shit security IMHO for memory) but otherwise, this is a general-purpose multiplatform issue.
-
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
Google breached their maximum disclosure holding for project Zero. Funny how you do that when it's your servers on the line...
-
I've read 5% - 30% performance hit, depending on what process is being done. Do we know how much this will actually affect a host/Hyper-V, rather than a server for fileservices etc?
Meaning... if fileserver... yep, 30%... but if Hyper-V host... it'll be closer to 5%. Or don't we have such info yet?
-
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
-
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
That's what I thought, sadly. I guess worst case I put all non critical on two hosts, and leave the other two for critical/"high performance" systems.
-
Do we know when M$ will have a patch ready by?
-
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-released -
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-releasedDoes the update have a KB number and is it rolled out to supported devices via Windows Update?
