AMD May Be Vulnerable to Spectre After All

[Durandul]

Turns out that AMD may not be home free from Spectre (variant 2) after all. Full credit goes to Michael Larabel at Phoronix: https://www.phoronix.com/scan.php?page=news_item&px=AMD-Is-Vulnerable-Variant-2. It seems that while they still believe that AMD is less vulnerable to Spectre, they're working on microcode patches now rather than just opting out of changes to the Linux kernel. According to the article "AMD will be rolling out new microcode updates for Ryzen/EPYC starting this week". 

 

We'll see what this turns out to be, but if they have to lock out the bug in a similar matter, than I imagine that there will be a very similar drop in performance. Crossing my fingers it won't affect Ryzen too bad. It's really hard to say though at this point, as the updated AMD statement is pretty vague.

[Silentprototipe]

Welp. Shit 

[ItsMitch]

Thought we all knew this from the start? AMD said it was affected but it's highly doubtful they'll be attacked. 

Variant Two

Branch Target Injection

Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

[Guest]

6 minutes ago, Durandul said:

Turns out that AMD may not be home free from Spectre (variant 2) after all. Full credit goes to Michael Larabel at Phoronix: https://www.phoronix.com/scan.php?page=news_item&px=AMD-Is-Vulnerable-Variant-2. It seems that while they still believe that AMD is less vulnerable to Spectre, they're working on microcode patches now rather than just opting out of changes to the Linux kernel. According to the article "AMD will be rolling out new microcode updates for Ryzen/EPYC starting this week". 

 

We'll see what this turns out to be, but if they have to lock out the bug in a similar matter, than I imagine that there will be a very similar drop in performance. Crossing my fingers it won't affect Ryzen too bad. It's really hard to say though at this point, as the updated AMD statement is pretty vague.

Well shit...

My brother is getting his Ryzen 3 around tommorow, lol....

[Trixanity]

AMD is vulnerable to 1 out of the 3 published exploits. That might just be the most secure of all tested processors including Intel and ARM. We know Intel had 3 out of 3 and ARM either 1 or 2 out of 3.

 

In either case, regardless of what products you own it's either already patched or will be shortly.

[Sakkura]

4 minutes ago, Trixanity said:

AMD is vulnerable to 1 out of the 3 published exploits. That might just be the most secure of all tested processors including Intel and ARM. We know Intel had 3 out of 3 and ARM either 1 or 2 out of 3.

 

In either case, regardless of what products you own it's either already patched or will be shortly.

AFAIK it's actually vulnerable to 2 of the 3, but the vulnerability to one of them is considered extremely unlikely to be exploited.

 

Basically AMD is immune to Meltdown, marginally vulnerable to one kind of Spectre, and fully vulnerable to the other kind of Spectre.

[ItsMitch]

1 minute ago, Sakkura said:

AFAIK it's actually vulnerable to 2 of the 3, but the vulnerability to one of them is considered extremely unlikely to be exploited.

 

 correct

[Devin92]

Thought this explains it very clear. Why is there still confusion?

[Trixanity]

10 minutes ago, Sakkura said:

AFAIK it's actually vulnerable to 2 of the 3, but the vulnerability to one of them is considered extremely unlikely to be exploited.

 

Basically AMD is immune to Meltdown, marginally vulnerable to one kind of Spectre, and fully vulnerable to the other kind of Spectre.

One is patched already.

[rawrdaysgoby]

I read on a different article variant 2 was actually going to be an optional update on AMD side

[ItsMitch]

13 minutes ago, Tedny said:

People, have you read Google paper? All x86 Cpu effected, down to 80286

No, I can't read, my eyes have turned into purple turnips and thus caused my lack of eyes to read.

/sarcasm

[leadeater]

35 minutes ago, Tedny said:

People, have you read Google paper? All x86 Cpu effected, down to 80286

All, in different ways .

[NumLock21]

After hearing AMD might be vulnerable to Spectre too. Intel fanboys be like..

 

 

[ItsMitch]

28 minutes ago, NumLock21 said:

Intel fanboys be like.

then the intel fanbois hear of the cpu slowdown to fix it

[Zodiark1593]

Old news. Everything with Out of Order execution is vulnerable.

[dalekphalm]

I didn't think this was news? We knew that it was vulnerable to both Spectre 1 and 2, but one of them (Spectre 2) had a near zero risk.

 

I'm glad they're patching anyway. Because near zero, is also "non-zero", meaning there IS a risk, however remote.

 

16 hours ago, NumLock21 said:

After hearing AMD might be vulnerable to Spectre too. Intel fanboys be like..

 

-meme snip-

 

Considering Meltdown is probably the worst one of the three, and it's a hardware vulnerability that can only be fixed fully via an architectural change in future CPU's, the Intel fanboys should calm their teats and worry about their own processors

 

Either way, I'm glad AMD is patching it anyway - better safe than sorry.

[LAwLz]

19 hours ago, dalekphalm said:

I didn't think this was news? We knew that it was vulnerable to both Spectre 1 and 2, but one of them (Spectre 2) had a near zero risk.

It's news to some people. There have been A LOT of misinformation being spread. Some people still believe only Intel is affected. 

 

19 hours ago, dalekphalm said:

Considering Meltdown is probably the worst one of the three, and it's a hardware vulnerability that can only be fixed fully via an architectural change in future CPU's, the Intel fanboys should calm their teats and worry about their own processors

Source on the patch not fixing the Meltdown vulnerability? I thought it did, and it only needed hardware revisions to lessen the performance impact. 

[Zodiark1593]

There's been a notable lack of new information for quite some time. Not exactly helping the unease.

[colonel_mortis]

On 13/01/2018 at 2:38 PM, dalekphalm said:

Considering Meltdown is probably the worst one of the three, and it's a hardware vulnerability that can only be fixed fully via an architectural change in future CPU's, the Intel fanboys should calm their teats and worry about their own processors

No, Meltdown is prevented by the KPTI changes made in the Linux kernel (moving the kernel to its own separate virtual address space), and other equivalent changes made to other operating systems. It's Spectre that is a fundamental issue, though the effects of Spectre have been mitigated by software and hardware changes.

 

 

Meltdown is an Intel-specific vulnerability, which occurs because the processor doesn't perform all of the permission checks in certain (non-trivial) circumstances.

Spectre is a fundamental problem with the design of recent processors. It's my understanding that any processor which supports speculative evaluation (most remotely recent processors) are vulnerable to Spectre Variant 1, while different microarchitectures are more or less vulnerable to Variant 2 depending on how they handle branch prediction - on Intel processors it's comparatively easy to exploit, whereas on AMD processors there are very few situations where anything useful can be done with the exploit because the branch predictor is less prone to interference.

[dalekphalm]

13 hours ago, LAwLz said:

It's news to some people. There have been A LOT of misinformation being spread. Some people still believe only Intel is affected. 

 

Source on the patch not fixing the Meltdown vulnerability? I thought it did, and it only needed hardware revisions to lessen the performance impact. 

Good to know - I was under the impression (based on early info) that the patches were only bandaid solutions, and would not perfectly protect a system.

1 hour ago, colonel_mortis said:

No, Meltdown is prevented by the KPTI changes made in the Linux kernel (moving the kernel to its own separate virtual address space), and other equivalent changes made to other operating systems. It's Spectre that is a fundamental issue, though the effects of Spectre have been mitigated by software and hardware changes.

 

 

Meltdown is an Intel-specific vulnerability, which occurs because the processor doesn't perform all of the permission checks in certain (non-trivial) circumstances.

Spectre is a fundamental problem with the design of recent processors. It's my understanding that any processor which supports speculative evaluation (most remotely recent processors) are vulnerable to Spectre Variant 1, while different microarchitectures are more or less vulnerable to Variant 2 depending on how they handle branch prediction - on Intel processors it's comparatively easy to exploit, whereas on AMD processors there are very few situations where anything useful can be done with the exploit because the branch predictor is less prone to interference.

 

[mr moose]

5 hours ago, dalekphalm said:

Good to know - I was under the impression (based on early info) that the patches were only bandaid solutions, and would not perfectly protect a system.

 

I was under the impression the patches were a band aide solution too,  not because of imperfect protection, I always thought they were solid protection, but more because there was a performance hit and finding a better solution was likely going to be one band aide after the other until physical CPU changes were made.

[dalekphalm]

3 minutes ago, mr moose said:

I was under the impression the patches were a band aide solution too,  not because of imperfect protection, I always thought they were solid protection, but more because there was a performance hit and finding a better solution was likely going to be one band aide after the other until physical CPU changes were made.

Interesting - what I read early on, was before the performance hit was even being talked about.

 

Obviously there was (is?) a lot of changing info and much of what we heard about early on is perhaps suspect and not necessarily accurate anymore.

 

So, if what you and others are saying is correct, that means that the fix should "work" and be secure, but the only way to prevent the performance hit is to fundamentally change the architecture, physically, on the CPU, to work with the fix in mind from the beginning? That makes sense of course, given what we now know.

[mr moose]

17 minutes ago, dalekphalm said:

Interesting - what I read early on, was before the performance hit was even being talked about.

 

Obviously there was (is?) a lot of changing info and much of what we heard about early on is perhaps suspect and not necessarily accurate anymore.

 

So, if what you and others are saying is correct, that means that the fix should "work" and be secure, but the only way to prevent the performance hit is to fundamentally change the architecture, physically, on the CPU, to work with the fix in mind from the beginning? That makes sense of course, given what we now know.

That's the impression I have been getting.  Mind you it is hard because sometimes you have to sift through so much click bait/sensationalist media to find a link to a credible source.  And when you finally do you then need three engineering degrees to decode what they are actually saying.  

[leadeater]

2 hours ago, dalekphalm said:

So, if what you and others are saying is correct, that means that the fix should "work" and be secure, but the only way to prevent the performance hit is to fundamentally change the architecture, physically, on the CPU, to work with the fix in mind from the beginning? That makes sense of course, given what we now know.

This is also my understanding of the situation, with the extra requirement for more complete protection to have existing applications be recompiled with fixes to prevent Spectre. I don't think the OS security update and CPU microcode is the full and total protection but it's very close to it with that little bit extra being the software side.

 

The performance loss should be able to be overcome with CPU architecture changes, likely in conjunction with OS kernel updates to support those changes.

[Zodiark1593]

10 hours ago, leadeater said:

This is also my understanding of the situation, with the extra requirement for more complete protection to have existing applications be recompiled with fixes to prevent Spectre. I don't think the OS security update and CPU microcode is the full and total protection but it's very close to it with that little bit extra being the software side.

 

The performance loss should be able to be overcome with CPU architecture changes, likely in conjunction with OS kernel updates to support those changes.

Not sure how that would help existing users. My desktop PC is probably going to run until it can't actually run, so I would loathe for there to be a permanent performance hit.