US Lawmakers to Pull Up Intel, ARM, Microsoft, and Amazon for Spectre Secrecy

[londiste]

My apologies, reading fail. The article says as early as June. I have read elsewhere January and Wikipedia state's that the CVE's were issued back in Feb: https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History
It does also mention that Meltdown wasn't (independently) discovered until July.

Thank you for the link. That wiki article has evolved into a pretty good one
That CVE assigning in February is interesting. Wiki has a bit of an error there, these were not assigned to Intel but assigned by Intel as CNA (CVE Numbering Authority). I am really curious about the background though, like who requested those.
Wiki article says it was discovered (or in reality, exploit found) in June by two different teams and again in December by third one. That third one was in the article you originally pointed to - when they went to Intel in December and said they discovered this, Intel responded that they already know (as it has been reported back in June).

 

[ZeDestructor]

My apologies, reading fail. The article says as early as June. I have read elsewhere January and Wikipedia state's that the CVE's were issued back in Feb: https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)#History
It does also mention that Meltdown wasn't (independently) discovered until July.

As I said in my earlier reply, they were different vulnerabilities. Meltdown is the easy one to fix (at potentially huge performance cost), but the full Spectre attack wasn't properly discovered until June 2017 by Project Zero. The full set was also independently being fully discovered later in December 2017 to January 2017, which led to the embargo being pulled to earlier.

 

[silkstone]

As I said in my earlier reply, they were different vulnerabilities. Meltdown is the easy one to fix (at potentially huge performance cost), but the full Spectre attack wasn't properly discovered until June 2017 by Project Zero. The full set was also independently being fully discovered later in December 2017 to January 2017, which led to the embargo being pulled to earlier.

Meltdown has yet to be fixed.

 

[ZeDestructor]

Meltdown has yet to be fixed.

Meltdown's basically been fixed if you have the patch installed (it's a fairly simple fix too - just flush the TLB before and after every syscall). Unfortunately, MS bundled it with the other Spectre fixes, and had to pull the patch when it started BSODing machines left right and center. On my machines, it's working wonderfully.. I haven't even observed any real performance losses in everyday use and gaming. I'm sure I could measure perf drops in VMs and such if I could be arsed benchmarking it, but this is my desktop and laptop.. not my VM host. As for the VM host, my VM load is so low CPU-wise that I don't even care even if it did have the full 30% penalty. Neither do the cloud providers and users, for the most part: they'll just add as many more machines as they need to maintain their required performance.

 

[silkstone]

Meltdown's basically been fixed if you have the patch installed (it's a fairly simple fix too - just flush the TLB before and after every syscall). Unfortunately, MS bundled it with the other Spectre fixes, and had to pull the patch when it started BSODing machines left right and center. On my machines, it's working wonderfully.. I haven't even observed any real performance losses in everyday use and gaming. I'm sure I could measure perf drops in VMs and such if I could be arsed benchmarking it, but this is my desktop and laptop.. not my VM host. As for the VM host, my VM load is so low CPU-wise that I don't even care even if it did have the full 30% penalty. Neither do the cloud providers and users, for the most part: they'll just add as many more machines as they need to maintain their required performance.

The CPU microcode update causes machines to reboot much more frequently. The extent to which has forced Microsoft to nullify the patch and lead to many vendors recommending it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.

 

[ZeDestructor]

The CPU microcode update causes machines to reboot much more frequently. The extent to which has forced Microsoft to nullify the patch and lead to many vendors recommending it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.

That doesn't touch Meltdown/Spectre 3, only Spectre 1 and 2 (yes, there are 3 vulns in question here). Also, only Spectre 2 needs the microcode update - the other 2 are entirely done at the kernel level.

 

[R-T-B]

The CPU microcode update causes machines to reboot much more frequently. The extent to which has forced Microsoft to nullify the patch and lead to many vendors recommending it not be installed. I wouldn't call that a working fix by any stretch of the imagination, even if it works okay in your particular case.

The microcode fixes have nothing to do with meltdown.

 

[silkstone]

That doesn't touch Meltdown/Spectre 3, only Spectre 1 and 2 (yes, there are 3 vulns in question here). Also, only Spectre 2 needs the microcode update - the other 2 are entirely done at the kernel level.

I must be getting my wires crossed then. I assumed that as only Intel CPUs were vulnerable to meltdown the microcode updates were for meltdown.

Still, the Spectre vulnerabilities have been known for a long time. They informed some vendors back in June, which means that they would have know about them way before then.

 

[londiste]

I must be getting my wires crossed then. I assumed that as only Intel CPUs were vulnerable to meltdown the microcode updates were for meltdown.

Microcode updates are for Spectre 2. In desktop space, AMD will get microcode updates for it as well:
https://www.amd.com/en/corporate/speculative-execution

AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks.

Edit: Now that I read this statement again, isn't that "optional" exactly what Linus was angry about when reviewing Intel patches?

 

[Prima.Vera]

I want to see fines in the order of dozen of billions! Those crappy corporations deserve all that is coming to them. I hope EU and China will follow the trend.

 

[ZeDestructor]

I want to see fines in the order of dozen of billions! Those crappy corporations deserve all that is coming to them. I hope EU and China will follow the trend.

Why billions, though? The only real missteps Intel, Google and the other partners did was keep it in absolute secrecy and release some unstable patches... The secrecy while understandable, should have been relaxed when nearing release, but the patches? Spectre/Meltdown are seriously hard problems to fix without shipping brand spanking new silicon.. and to top it all off, any and all software fixes will be inherently unstable dirty hacks, that'll have more code added to to be less unstable.

Personally, I think that they (meaning Intel, Google, MS, Linux kernel community etc) should take a fine in the 10s to 100s of millions for keeping everyone not involved directly in the dark. Other than that, they handled things passably well on the pure engineering side.