Major Intel CPU vulnerability
-
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797 -
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797OMG that's awesome and EXACTLY what I was thinking!!
-
On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen [email protected] wrote:
This is a fix for Variant 2 in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.htmlAny speculative indirect calls in the kernel can be tricked
to execute any kernel code, which may allow side channel
attacks that can leak arbitrary kernel data.Why is this all done without any configuration options?
A competent CPU engineer would fix this by making sure speculation
doesn't happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.I think somebody inside of Intel needs to really take a long hard look
at their CPU's, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed... and that really means that all these mitigation patches should be
written with "not all CPU's are crap" in mind.Or is Intel basically saying "we are committed to selling you shit
forever and ever, and never fixing anything"?Because if that's the case, maybe we should start looking towards the
ARM64 people more.Please talk to management. Because I really see exactly two possibibilities:
- Intel never intends to fix anything
OR
- these workarounds should have a way to disable them.
Which of the two is it?
Linus
-
@jaredbusch said in Major Intel CPU vulnerability:
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
Looks like the datasheet no longer mentions 2 processors.
http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdfSo, that means, yes, the 16 core proc is a good deal.
The confusion comes from the transition licensing for Software Assurance. If you had more than 8 Cores per process AND 2 processors per host you needed additional core licensing grants. The operative word is AND.
This chart shows a Single socket 10 core processor not costing more, so there isn't a penalty for going over 8 core's per proc up to 16 as long as it's single socket.
Note, this is "Informational only" datasheet so my friends who do license law (yah, the lamest thing to specialize in) tend to think of these docs as "maybe's" for if they count or not.
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797That was awesome.
-
Meanwhile, I can confirm that VMware products are NOT vulnerable to Meltdown, the newest Fusion and Workstation were also not impacted at this time (They would depend on their guest OS being patched), and currently it looks like the CVE's in the wild for Spectre are being handled by the patch that went out on Dec 19th.
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Also Z-Series, Power, ARM, and AMD are impcated by Spectre. Not sure all the Intel hate is due here.... They got burned by Meltdown (which sucks if you use Xen PV which always had shit security IMHO for memory) but otherwise, this is a general-purpose multiplatform issue.
-
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
Google breached their maximum disclosure holding for project Zero. Funny how you do that when it's your servers on the line...
-
I've read 5% - 30% performance hit, depending on what process is being done. Do we know how much this will actually affect a host/Hyper-V, rather than a server for fileservices etc?
Meaning... if fileserver... yep, 30%... but if Hyper-V host... it'll be closer to 5%. Or don't we have such info yet?
-
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
-
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
That's what I thought, sadly. I guess worst case I put all non critical on two hosts, and leave the other two for critical/"high performance" systems.
-
Do we know when M$ will have a patch ready by?
-
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-released -
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-releasedDoes the update have a KB number and is it rolled out to supported devices via Windows Update?
-
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
I kind of what to agree about the two socket part, but for some reason I'm now thinking it was 2 socket maximum 16 core minimum. . .
-
So this bit is from this PDF about server 2016 licensing (guide from MS)
-
All physical cores on the server must be licensed, subject to a minimum of 8 core licenses per physical
processor and a minimum of 16 core licenses per server -
Core licenses are sold in packs of two.
- 8 two-core packs will be the minimum required to license each physical server. The two-core pack for
each edition is 1/8th the price of a license for a 2-processor server for corresponding Windows Server
2012 R2 editions
- 8 two-core packs will be the minimum required to license each physical server. The two-core pack for
I would take this to mean you can still have a single processor server, but no matter what you're buying for a dual processor server with a minimum of 16 cores (split across 1 or 2 processors).
-
-
So the part that really matters in the guide is this.
- 8 two-core packs will be the minimum required to license each physical server.
Microsoft doesn't seem to care about how the physical layout of your CPU setup is, so long as you're meeting the requirements.
-
@jimmy9008 said in Major Intel CPU vulnerability:
Does the update have a KB number and is it rolled out to supported devices via Windows Update?
I haven't seen them listed on any of the advisory pages, but this comes from the PatchManagement.org mailing list.
https://support.microsoft.com/en-us/help/4056893 (1507)
https://support.microsoft.com/en-us/help/4056888 (1511)
https://support.microsoft.com/en-us/help/4056890 (1607, Windows Server 2016)
https://support.microsoft.com/en-us/help/4056891 (1703)
https://support.microsoft.com/en-us/help/4056892 (1709)Edit: From BleepingComputer
https://support.microsoft.com/en-us/help/4056897 (Windows 7 SP 1, Windows Server 2008 R2 SP1)
https://support.microsoft.com/en-us/help/4056898 (Windows 8.1, Windows Server 2012 R2)They'll be out on Windows Update, and are already downloadable from the Windows Update Catalog. Again, they will only show in Windows Update if the registry condition is correct.