# New Linux microcode package for Intel systems - any performance impact worth noting?



## tabascosauz (Jun 10, 2020)

So my system lists a microcode update as of today. Seems like the focus of this one is on SA-00329 and SA-00320.






The former seems to patch the L1D exploit that's been floating around as of late, but the patch notes state that there is no known vulnerability using said exploit. I'm no expert on this, so all I know on the subject is that Linus Torvalds blasted Amazon's patch for L1D for being inappropriately heavy handed and performance-impacting in implementing mandatory flushing of L1D cache. Seems this patch does the same.

The latter SRBDS seems to be some sort of new strain of MDS surrounding RDRAND. I don't know anything about this, but others seem to:





Irony is that apparently SGX Enabled is a suitable protection for this vulnerability. I can't use SGX because I need undervolting on both Windows and Linux which means I can't use the Plundervolt (SA-00289) mitigation, in turn meaning it was safer to keep SGX off in that situation if not running the microcode update.

I don't usually care much for these in relation to my old 4790K, but this is my laptop with a 8550U and Hyperthreading already necessarily disabled for thermal throttling reasons, so if there's a bigger performance impact to these mitigations (which some of these technical reports seem to suggest) I wonder if it's better just to go without the microcode.

Thoughts on whether the microcode is worth it? The two vulnerabilities are rated at 2.8 and 6.5 out of 10, so not quite on the same level as the more famous exploits. The SRBDS vulnerability affects all Core from Ivy Bridge to Comet Lake-U, but apparently not Comet-H or Comet-S.


----------



## johnspack (Jun 10, 2020)

Would like to know this myself,  it's even showing up in my vms.  I think I'll leave it out for now.


----------



## tabascosauz (Jun 10, 2020)

johnspack said:


> Would like to know this myself,  it's even showing up in my vms.  I think I'll leave it out for now.



So SRBDS has a layman's name now: Crosstalk. Another fancy name to parrot against Intel products lol. Anyways, it's not that the vulnerability only affects RDRAND, RDSEED and EGETKEY; it's that Intel only patched execution of those instructions as it thought those were the most important. Result is that the rest remain vulnerable to varying degrees, and the SA-00320 fix doesn't completely nuke performance. 

It seems that both SA-00320 and SA-00329 involve similar techniques by flushing memory/cache more often. 

These researchers are saying something different about SGX:





Same as with Plundervolt, looks like SGX should still remain disabled. Ironic as always.

If the performance impact of Intel's fix is minor as claimed, I feel a little better about SA-00320. On the other hand, still no word on the L1D fix SA-00329, probably the bigger culprit here.


----------

