Tuesday, April 10th 2018

AMD Announces Steps, Resources for Spectre Mitigations

AMD today announced, via a security blog post penned by their own Mark Papermaster, that they're beginning deployment of mitigations and resources for AMD processors affected by the Spectre exploits. In the blog post, AMD reiterates how exploits based on version 1 of Spectre exploits (GPZ 1 - Google Project Zero Flaw 1) have already been covered by AMD's partners. At the same time, AMD reiterates how their processors are invulnerable to Meltdown exploits (GPZ3), and explains how mitigations for GPZ2 (Spectre) will occur.

These mitigations require a combination of processor microcode updates from OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows. For Linux users, AMD-recommended mitigations for GPZ Variant 2 were made available to Linux partners and have been released to distribution earlier this year.
AMD further related how difficult they expect exploits of the GPZ Variant 2 to be on their CPUs, but say that they have nonetheless worked with customers and partners in order to provide full coverage from such scenarios, by a "combination of operating system patches and microcode updates for AMD processors to further mitigate the risk." A whitepaper detailing the AMD recommended mitigation for Windows is available, as well as links to ecosystem resources for the latest updates.

Operating System Updates for GPZ Variant 2/Spectre
Microsoft is releasing an operating system update containing Variant 2 (Spectre) mitigations for AMD users running Windows 10 (version 1709) today. Support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing.

AMD Microcode Updates for GPZ Variant 2/Spectre
In addition, microcode updates with our recommended mitigations addressing Variant 2 (Spectre) have been released to our customers and ecosystem partners for AMD processors dating back to the first "Bulldozer" core products introduced in 2011. Users should eventually be able to install the microcode patches by downloading BIOS updates provided by PC and server manufacturers and motherboard providers.
Source: AMD Security Bulletin
Add your own comment

27 Comments on AMD Announces Steps, Resources for Spectre Mitigations

#1
ssdpro
Now can they fix their entire product portfolio so their stock price can poke its head above water?

March 2017 (RyZen launch) - $14.90.
Today - $9.98

market cap loss 2.58 billion
Posted on Reply
#2
TheGuruStud
ssdproNow can they fix their entire product portfolio so their stock price can poke its head above water?

March 2017 (RyZen launch) - $14.90.
Today - $9.98

market cap loss 2.58 billion
You can't have anyone pushing progress. That's bad for business. AMD always goes against the grain, so it's punishment time.

Nothing else really explains their stock price. Plenty of companies with no revenue at all, no IP, and no products are somehow valued at millions...or billions. AMD invents leading tech all the time, has a lot of products, insanely valuable IP, AND is turning a profit, again, but it's time to tank the stock. Mmmkay.
Posted on Reply
#3
biffzinker
With today's update from Microsoft I'm getting this from InSpectre. There is however a 3% performance impact on Ryzen.

Posted on Reply
#4
TheGuruStud
biffzinkerWith today's update from Microsoft I'm getting this from InSpectre. There is however a 3% performance impact on Ryzen.
They also crash PCs with their stupid updates, so I wouldn't invest much in this until AMD does a microcode update.
Posted on Reply
#5
R-T-B
TheGuruStudThey also crash PCs with their stupid updates, so I wouldn't invest much in this until AMD does a microcode update.
Intels (early) microcode crashed pcs, not anything to do with ms update.
Posted on Reply
#6
TheGuruStud
R-T-BIntels (early) microcode crashed pcs, not anything to do with ms update.
Remember when the spectre/meltdown patches were installed on AMD computers... Pepperidge farm remembers. Yes, they did crash em on old CPUs. Also, the morons were installing meltdown patches on AMD.... That's how dumb they are. Never trust an entity that stupid.

Also, just their normal windows updates crash PCs lol
Posted on Reply
#7
xkm1948
Meanwhile the assclowns CTS Labs has completely gone silent. I thought they were going to release the rest of their PoC video, but somehow they just stopped. Whoever hired them to do the hit job was probably not too happy with the result and withdrew the funding.
Posted on Reply
#8
evernessince
xkm1948Meanwhile the assclowns CTS Labs has completely gone silent. I thought they were going to release the rest of their PoC video, but somehow they just stopped. Whoever hired them to do the hit job was probably not too happy with the result and withdrew the funding.
Yeah, it doesn't really matter because I doubt we will ever see another report for them (at least under the same name). No one is going to want to pay that company after what they did.
Posted on Reply
#9
Xzibit
Oh, Come on now. They might still be try'n to secure their website (cts-labs.com).
Posted on Reply
#10
R-T-B
XzibitOh, Come on now. They might still be try'n to secure their website (cts-labs.com).
Of what importance is SSL on a site with no user input?

I mean, there is identity verification, but I don't think anyones trying to steal there's, frankly.
TheGuruStudRemember when the spectre/meltdown patches were installed on AMD computers... Pepperidge farm remembers.
That was AMD microcode applied via a microcode patch via MS update, IIRC. I'd say the blame still falls outside MS and vendors need to vet their stuff.
Posted on Reply
#11
lexluthermiester
xkm1948Whoever hired them to do the hit job was probably not too happy with the result and withdrew the funding.
Or they might have signed an NDA. FYI, that tin-hat crap is getting old..
Posted on Reply
#12
eidairaman1
The Exiled Airman
biffzinkerWith today's update from Microsoft I'm getting this from InSpectre. There is however a 3% performance impact on Ryzen.

So minimal, good too
Posted on Reply
#13
evernessince
lexluthermiesterOr they might have signed an NDA. FYI, that tin-hat crap is getting old..
Regardless of if anyone got paid for a "hit job", the way they disclosed the information and the time they gave AMD was very poor. When hedge funds have the information before AMD, they are not a good security firm. In fact given there disclosure statement, it's hard to call them a security firm at all, more like a security profiteer.
Posted on Reply
#14
Patriot
lexluthermiesterOr they might have signed an NDA. FYI, that tin-hat crap is getting old...
Rofl... dots to connect > oo
Calls people conspiratorialist for reading cts-labs disclaimer proclaiming monetary motivation.
Sure they could be under nda, but why?... what would they gain for it?
More likely possibilities are they ran out of monetary motivation or are being hushed by AMD, who knows who cares no need to call people conspiracy theorist when you are throwing out your less backed theories...freaking toxic.
Posted on Reply
#15
eidairaman1
The Exiled Airman
xkm1948Meanwhile the assclowns CTS Labs has completely gone silent. I thought they were going to release the rest of their PoC video, but somehow they just stopped. Whoever hired them to do the hit job was probably not too happy with the result and withdrew the funding.
lexluthermiesterOr they might have signed an NDA. FYI, that tin-hat crap is getting old..
PatriotRofl... dots to connect > oo
Calls people conspiratorialist for reading cts-labs disclaimer proclaiming monetary motivation.
Sure they could be under nda, but why?... what would they gain for it?
More likely possibilities are they ran out of monetary motivation or are being hushed by AMD, who knows who cares no need to call people conspiracy theorist when you are throwing out your less backed theories...freaking toxic.
Knowing cts' location in regards to intel overseas, they very well might of been paid by the blue oval corporation to spread fud by libel to damage AMD's reputation after the whistle was blown on intel for knowing their cpu architectures have vulnerabilities in their designs and never fixing them until now.

Anyways the good news is, AMD took a hard look at their parts and have written formal documentation and are writing microcode/patches for mitigation of these vulnerabilities. @biffzinker says there is minimal performance impact, so to argue here is pointless, take it to private messages if need be.

Carry On
Posted on Reply
#16
evernessince
R-T-BOf what importance is SSL on a site with no user input?

I mean, there is identity verification, but I don't think anyones trying to steal there's, frankly.



That was AMD microcode applied via a microcode patch via MS update, IIRC. I'd say the blame still falls outside MS and vendors need to vet their stuff.
Actually there is user input on the "Contact Us" page. I was messing around with their site and it appears they block https as well, strange for a security website. Digging through the website's code, it appears that it was made through a WYSIWYG and not by a professional coder. It's always easy to tell because they have a bunch of useless code that could be done much more efficiently and the classes have generic names. Not something you would want to deal with if you wanted a more advanced website. In addition their submission form doesn't appear to have any encryption. Without HTTPS, this data is fully readable to any party.

Their about us page also seems to have been stripped of the list of "senior employees" they used to have. I'm guessing they did this to prevent their names from being directly harmed. Right now, without those, I've seen better websites for one-man startup businesses. Their stripping of personal information definitely makes them appear more sketchy, if that's possible.
Posted on Reply
#17
R-T-B
evernessinceActually there is user input on the "Contact Us" page. I was messing around with their site and it appears they block https as well, strange for a security website. Digging through the website's code, it appears that it was made through a WYSIWYG and not by a professional coder. It's always easy to tell because they have a bunch of useless code that could be done much more efficiently and the classes have generic names. Not something you would want to deal with if you wanted a more advanced website. In addition their submission form doesn't appear to have any encryption. Without HTTPS, this data is fully readable to any party.

Their about us page also seems to have been stripped of the list of "senior employees" they used to have. I'm guessing they did this to prevent their names from being directly harmed. Right now, without those, I've seen better websites for one-man startup businesses. Their stripping of personal information definitely makes them appear more sketchy, if that's possible.
Interesting, thanks for the insight.
Posted on Reply
#18
sutyi
biffzinkerWith today's update from Microsoft I'm getting this from InSpectre. There is however a 3% performance impact on Ryzen.

My R5 1600 seems to be performing the same after said patch, Cinebench gave the exact same score, while other AIDA64 CPU bench score were basically identical.
Posted on Reply
#19
ssdpro
TheGuruStudNothing else really explains their stock price. Plenty of companies with no revenue at all, no IP, and no products are somehow valued at millions...or billions. AMD invents leading tech all the time, has a lot of products, insanely valuable IP, AND is turning a profit, again, but it's time to tank the stock. Mmmkay.
That's the whole problem: AMD isn't innovating product. Intel pushed an 8-core 16-thread part almost 5 years ago. It wasn't even running a dramatically lower frequency, 3.5GHz and is already discontinued. What AMD did innovate is getting those parts down in price but that doesn't translate to profit and stock value at low volume sales.

The entire market is still up 20% in the last year. Just since RyZen launched AMD is down from 14.90 --> 9.98. In the same window, Intel went from 36.07 --> 51.27. Even on the gfx side nvidia has gone from 108.93 --> 227.91. AMD is just getting crushed by the competition because the product is limp. It is good product, I run AMD on my main system. It just isn't special or innovative.
Posted on Reply
#20
Vya Domus
ssdproAMD is just getting crushed by the competition because the product is limp.
We keep hearing that "AMD is getting crushed" for what , more than a decade now ? How does that work ?
Posted on Reply
#21
R0H1T
ssdproThat's the whole problem: AMD isn't innovating product. Intel pushed an 8-core 16-thread part almost 5 years ago. It wasn't even running a dramatically lower frequency, 3.5GHz and is already discontinued. What AMD did innovate is getting those parts down in price but that doesn't translate to profit and stock value at low volume sales.

The entire market is still up 20% in the last year. Just since RyZen launched AMD is down from 14.90 --> 9.98. In the same window, Intel went from 36.07 --> 51.27. Even on the gfx side nvidia has gone from 108.93 --> 227.91. AMD is just getting crushed by the competition because the product is limp. It is good product, I run AMD on my main system. It just isn't special or innovative.
Maybe not special but definitely innovative, unless you can name competition to Infinity Fabric or the chiplet concept that AMD has pushed even for servers. If we count GPUs then AMD has been leading the push towards Mantle & it's evolution Vulkan, I doubt you can find an equivalent from Intel or Nvidia!

In the same time we have Intel coming up with Optane, thanks to Micron, & a lot of new chipsets :ohwell:
Posted on Reply
#22
sutyi
ssdproThat's the whole problem: AMD isn't innovating product. Intel pushed an 8-core 16-thread part almost 5 years ago. It wasn't even running a dramatically lower frequency, 3.5GHz and is already discontinued. What AMD did innovate is getting those parts down in price but that doesn't translate to profit and stock value at low volume sales.

The entire market is still up 20% in the last year. Just since RyZen launched AMD is down from 14.90 --> 9.98. In the same window, Intel went from 36.07 --> 51.27. Even on the gfx side nvidia has gone from 108.93 --> 227.91. AMD is just getting crushed by the competition because the product is limp. It is good product, I run AMD on my main system. It just isn't special or innovative.
Not be the fuel to the utterly pointless Intel v. AMD bonfire, but exactly how many non HEDT or server based 8C/16T CPUs are were available currently from from Intel?

As for stock markets... Just... I can't even. Intel has been tripping head over heals with launching CFL-S and SKL-X in a hurry, not to mention the almost continuous security problems, where the workarounds and security patches caused some serious performance hits on the server segment. Then the stockmarket is projecting cloud storage investments involving Intel big time, while AMD EPYC is basically a better choice on the server end? How does that work?

On the GPU market tho... I can't say anything positive. The ball has been dropped about 4 years ago and rolled even further I think and it still haven't been picked up by RTG. Only one can hope tho.
Posted on Reply
#23
evernessince
ssdproThat's the whole problem: AMD isn't innovating product. Intel pushed an 8-core 16-thread part almost 5 years ago. It wasn't even running a dramatically lower frequency, 3.5GHz and is already discontinued. What AMD did innovate is getting those parts down in price but that doesn't translate to profit and stock value at low volume sales.

The entire market is still up 20% in the last year. Just since RyZen launched AMD is down from 14.90 --> 9.98. In the same window, Intel went from 36.07 --> 51.27. Even on the gfx side nvidia has gone from 108.93 --> 227.91. AMD is just getting crushed by the competition because the product is limp. It is good product, I run AMD on my main system. It just isn't special or innovative.
You are right, investors care about one thing: making money. AMD hasn't done that in spades yet. I do disagree on AMD not innovating though. Infinity Fabric and MCMs in general are a breakthough technology and will allow higher density, cheaper chips. Intel and Nvidia either need to get an MCM product out as soon as possible or engage in blocking AMD out of the market because once AMD gets it's MCM design to higher die counts, it's not financially possible for Intel to make massive monolithic dies that can compete with something like a 64 core MCM. It would simply cost Intel too much money. There's a reason AMD can sell it's top end processor for half of what Intel does even though it has more cores. As die size increases, the cost of production increases exponentially. MCMs solve that issue completely, thus allowing manufacturers to make chips that shatter the reticle limit.
sutyiNot be the fuel to the utterly pointless Intel v. AMD bonfire, but exactly how many non HEDT or server based 8C/16T CPUs are were available currently from from Intel?

As for stock markets... Just... I can't even. Intel has been tripping head over heals with launching CFL-S and SKL-X in a hurry, not to mention the almost continuous security problems, where the workarounds and security patches caused some serious performance hits on the server segment. Then the stockmarket is projecting cloud storage investments involving Intel big time, while AMD EPYC is basically a better choice on the server end? How does that work?

On the GPU market tho... I can't say anything positive. The ball has been dropped about 4 years ago and rolled even further I think and it still haven't been picked up by RTG. Only one can hope tho.
The stock market doesn't follow facts, there is allot of dumb money that just follows trends and brands and Intel has both of those with it. Remember valiant? That comapny went from $242 to the $16 it's at now. Allot of people lost tons of cash on that company because they couldn't see that mergers and aquisitions wasn't a viable long term strategy when it should be obvious. That's putting aside that how they made money was scummy.

Wall Street only cares about who's going to give them money, illegally or otherwise.
Posted on Reply
#24
lexluthermiester
sutyiMy R5 1600 seems to be performing the same after said patch, Cinebench gave the exact same score, while other AIDA64 CPU bench score were basically identical.
Not surprising. The biggest impact to performance is going to be ram/storage access. Did you benchmark your ram and drive access before and after the patch?
Posted on Reply
#25
R-T-B
Vya DomusWe keep hearing that "AMD is getting crushed" for what , more than a decade now ? How does that work ?
Debt.
Posted on Reply
Add your own comment
Nov 29th, 2024 08:10 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts