Spectre & Meltdown

[Warner Losh]

On Jan 13, 2018 11:36 AM, "Paul Koning via cctalk" <cctalk at classiccmp.org>
wrote:



> On Jan 13, 2018, at 1:22 PM, Dave Wade via cctalk <cctalk at classiccmp.org>
wrote:
>
> ...
> It delayed telling the world to allow time for OS providers to apply
fixes. This is now standard and the delays are defined...
>
> http://abcnews.go.com/Technology/wireStory/intel-
fixing-security-vulnerability-chips-52122993
>
> but it looks like in this case it leaked early. Similar bugs affect ARM,
AMD and PowerPC but nothing from them either. IBM won't tell the world (it
will tell customers, but I am not a customer) if and how it affects Z.

There are two bugs that are largely unrelated other than the fact they both
start from speculative execution.  One is "Meltdown" which is specific to
Intel as far as is known.  The other is "Spectre" which is a pretty much
unavoidable side effect of the existence of speculative execution and
appears to apply to multiple architectures.  There may be variations; I
assume some designs have much shorter speculation pipelines than others and
if so would be less affected.

Meltdown has a software workaround (it could also be fixed in future chips
by changing how speculative loads work, to match what other companies
did).


Sorta. A 10% performance hit and tthe workaround is extensive. So it's
forcing everyone to eat a shit sandwich to work around it.

Spectre needs software fixes, possibly along with microcode changes (for
machines that have such a thing).  You're likely to hear more when the
fixes are available; it would not make sense to have much discussion before
then for the reason you mentioned at the top.


Spectre for Intel requires microcode changes and OS level changes to cope,
and changes to the compiler for retpoline support. The os guys need to talk
about their piece a lot, so it needs disclosure as well... it's a smaller
shit sandwich in terms of performance hit...

Warner