Wednesday, January 3rd 2018
Intel Secretly Firefighting a Major CPU Bug Affecting Datacenters?
There are ominous signs that Intel may be secretly fixing a major security vulnerability affecting its processors, which threatens to severely damage its brand equity among datacenter and cloud-computing customers. The vulnerability lets users of a virtual machine (VM) access data of another VM on the same physical machine (a memory leak). Amazon, Google, and Microsoft are among the big three cloud providers affected by this vulnerability, and Intel is reportedly in embargoed communications with engineers from the three, to release a software patch that fixes the bug. Trouble is, the patch inflicts an unavoidable performance penalty ranging between 30-35%, impacting the economics of using Intel processors versus AMD ones.
Signs of Intel secretly fixing the bug surfaced with rapid changes to the Linux kernel without proper public-visibility of the documentation. The bulk of the changes involve "kernel page table isolation," a feature that prevents VMs from reading each other's data, but at performance costs. Developers note that these changes are being introduced "very fast" by Linux kernel update standards, and even being backported to older kernel versions (something that's extremely rare). Since this is a hardware vulnerability, Linux isn't the only vulnerable software platform. Microsoft has been working on a Windows kernel patch for this issue since November 2017. AMD x86 processors (such as Opteron, Ryzen, EPYC, etc.,) are immune to this vulnerability. Source: Reddit
Signs of Intel secretly fixing the bug surfaced with rapid changes to the Linux kernel without proper public-visibility of the documentation. The bulk of the changes involve "kernel page table isolation," a feature that prevents VMs from reading each other's data, but at performance costs. Developers note that these changes are being introduced "very fast" by Linux kernel update standards, and even being backported to older kernel versions (something that's extremely rare). Since this is a hardware vulnerability, Linux isn't the only vulnerable software platform. Microsoft has been working on a Windows kernel patch for this issue since November 2017. AMD x86 processors (such as Opteron, Ryzen, EPYC, etc.,) are immune to this vulnerability. Source: Reddit
53 Comments on Intel Secretly Firefighting a Major CPU Bug Affecting Datacenters?
Are only the XEONS affected, or ALL processors??? Personally I don't want an Windows update to gimp my CPU performance just because it might have a memory leak if I run a VM software. Screw that. I'm not using my desktop to run VMs anyways, or if I do, is for my own personal access anyways.
VM's should be isolated at all cost.
I believe the performance degrade only affects virtualization applications.I'm wrong.Also by the looks of it all major core uarchs are affected, including desktop chips, another one in a line of massive Intel ***kups :laugh:
That's a really big fuck up for all customers. Wondering whether intel will get a class lawsuit for failing to deliver promised performance.
But seriously this could be huge if any data from even one of your clients has leaked, it could potentially be devastating for Intel, as well as every cloud provider atm.
Cloud is just another fancy term where more and more services are being offered in a datacentre such as remote backups, webhosting, VOIP and such. Before cloud you had the same services but today's standard is that it's more reliable then ever. Intel has a serious situation if this is true, and the performance impact being up to 35% lol. I remember somewhere an article that someone worked at Intel and basicly the manager said, we need to skimp out on testing CPU's and push them out alot faster then usual.
If you skimp testing, these bugs cannot be found quickly enough, and once deployed in masses, intel has a serious situation.
Massive design flaw in Intel CPUs found, reduces performance
https://www.tweaktown.com/news/60357/massive-design-flaw-intel-cpus-found-reduces-performance/index.html
The affected Intel processors will not just face a security vulnerability, but a huge performance drop of between 5-30% once the OS has been fixed. Intel processors have a bug that can't be fixed with a microcode update, meaning Microsoft has to issue a fix at a Windows level, or you'll be forced into the arms of an AMD processor, which aren't affected.
How bad is the security issue? Well, an affected processor could have the contents of its kernel memory accessed, which is where super-secure things like passwords, log-ins, and more can be found.
The Register, who first reported on the story, explains: "At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel's memory. Suffice to say, this is not great. The kernel's memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data".
With a huge 5-30% decrease in performance, AMD is going to have a massive win here - buy Ryzen CPUs and receive a CPU that will perform better than an equally priced Intel CPU, post-OS patch. This will send shock waves through the industry, and completely change benchmarking for things like me - as once I patch my OS, a 5-30% performance drop affects absolutely everything I do.
This is an x86 level problem, so AMD isn't out of the crap yet - something we'll be keeping an eye on as this story progresses.
For Intel, well... I'm sure I'll wait for a comment from them once this article goes live, as I will reach out and ask for comment and I'm sure that email will get lost. Maybe they can blame the security bug in my Core i7-8700K, heh.
Initial Benchmarks Of The Performance Impact Resulting From Linux's x86 Security Changes
https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2
https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1
AMD had a pretty big one around Ryzen launch too. It just only affected linux, so no one cared.
https://www.techpowerup.com/forums/threads/my-research-into-amds-linux-performance-marginality-issue.237195/
Unless my binning theory was right on the thread here. I think it really was a silicon revision now, though.
a) some white hat was gonna disclose this exploit pretty soon.
b) there are a sizable number of exploits in the wild, so this needs to be patched asap.
OR all of the above.
Thank God I went with Ryzen this time... yeah, crap can surface on them later too, but man, this is big!