'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

mercurial

MyBB Legend
Joined
Jun 12, 2007
Messages
40,714
A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features – such as PCID – to reduce the performance hit. Your mileage may vary.

Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated – the flaw is in the Intel x86-64 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or go buy a new processor without the design blunder.

Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue.

However, some details of the flaw have surfaced, and so this is what we know.

Full story
 

PhireSide

Honorary Master
Joined
Dec 31, 2006
Messages
13,308
5 - 30% is a pretty big hit IMHO.

Maybe I will use this as an excuse to upgrade :p
 

konfab

Honorary Master
Joined
Jun 23, 2008
Messages
31,639
The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka F U C K W I T, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.
:crylaugh:

R100 says that Torvalds was behind that.
 

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
33,228
Is AMD an option at this stage?

Chipzilla's gotten too big, need to be taken down a notch or two.
 

karnuffel

Expert Member
Joined
Jul 5, 2010
Messages
4,539
How does Ryzen perform when compared against a Xeon? :confused:

Before or after the kernel updates ;). I found this

Closing Thoughts
First of all, we have to emphasize that we were only able to spend about a week on the AMD server, and about two weeks on the Intel system. With the complexity of both server hardware and especially server software, that is very little time. There is still a lot to test and tune, but the general picture is clear.

We can continue to talk about Intel's excellent mesh topology and AMD strong new Zen architecture, but at the end of the day, the "how" will not matter to infrastructure professionals. Depending on your situation, performance, performance-per-watt, and/or performance-per-dollar are what matters.

The current Intel pricing draws the first line. If performance-per-dollar matters to you, AMD's EPYC pricing is very competitive for a wide range of software applications. With the exception of database software and vectorizable HPC code, AMD's EPYC 7601 ($4200) offers slightly less or slightly better performance than Intel's Xeon 8176 ($8000+). However the real competitor is probably the Xeon 8160, which has 4 (-14%) fewer cores and slightly lower turbo clocks (-100 or -200 MHz). We expect that this CPU will likely offer 15% lower performance, and yet it still costs about $500 more ($4700) than the best EPYC. Of course, everything will depend on the final server system price, but it looks like AMD's new EPYC will put some serious performance-per-dollar pressure on the Intel line

Note: I was lazy and did not read it all, I only copied and pasted the first part of the conclusion :p
 

itareanlnotani

Expert Member
Joined
Sep 14, 2008
Messages
4,962
Telling that Intel's CEO sold the maximum amount of shares he held late last year, they knew about this a while ago.
 

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
33,228
Ryzen is their consumer product. Their Epyc line is the competitor to Xeons.

Compares pretty well especially in regards to IO and price to performance.

Was about to ask why the graph (link provided a few posts above) shows Xeons outperforming AMD's chippery.

Should be interesting going forward.
 

genetic

Honorary Master
Joined
Apr 26, 2008
Messages
36,843
Was about to ask why the graph (link provided a few posts above) shows Xeons outperforming AMD's chippery.

Should be interesting going forward.

The latest gen i9 and and Xeon line flagship processors outperform the Ryzen architecture in both single and multithreaded applications - but are a lot more expensive. Ryzen is the best bang for your buck.
 

The_Librarian

Another MyBB
Super Moderator
Joined
Nov 20, 2015
Messages
33,228
The latest gen i9 and and Xeon line flagship processors outperform the Ryzen architecture in both single and multithreaded applications - but are a lot more expensive. Ryzen is the best bang for your buck.

Sure will be bringing this up with the Bossly Unit next week as we are in for a new server etc.
 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
22,858
Sure will be bringing this up with the Bossly Unit next week as we are in for a new server etc.

They're especially well suited if you need to connect a lot of high speed storage and/or memory as they have an insane amount of PCI lanes.

Depending on the application it would be wise just to find benchmarks comparing chips before making any purchasing decisions though :)
 

snoopdoggydog

Expert Member
Joined
May 7, 2012
Messages
1,929
Security flaw patch for Intel CPU's could result in a huge performance hit

It has been revealed that virtually all Intel processors that launched in the past decade have a significant chip-level security flaw that could result in certain content - which could include passwords - in protected kernel memory being accessed by malicious code. The problem is so pervasive that it cannot be fixed with a simple patch, but requires an OS-level overwrite of the kernel.

The security flaw, which is baked in on Intel's x86/x64 hardware, is under heavy embargo due to its nature and the risk involved. However, from what could be ascertained by The Register, it has to do with how Intel processors manage kernel executions. Whenever a program needs to execute a command or do anything at all, the processor hands over control to the kernel. To make sure this switching back and forth is executed as fast as possible, the kernel remains in all processes' virtual memory address spaces, even after the processor switches back to user mode. This negated the need for the system to dump cached data, and reload information from memory.

However, this presents an opportunity ripe for exploitation. Since the kernel remains in virtual memory, this could potentially be accessed by database programs or JavaScript exploits in modern web browsers. Recent Intel processors have Process-Context Identifiers (PCID) enabled, which lessens the performance impact of the kernel Page Table Isolation (PTI) workaround being implemented. The aforementioned fix places the kernel in its own dedicated separate address space so it cannot be accessed by any running process.

Since the PTI patch significantly increases the overhead required to execute a process, the performance impact on Intel processors will be significant. Initial testing on Linux has revealed results that show an up to 18% degradation in the speed at which some CPU's execute IO-intensive tasks. Although AMD processors are not affected by the flaw, initial patching on Linux has resulted in its processors slowing down significantly as well. It has since then been amended not to enable the fix for AMD based architecture.

The CPU-level flaw will have a major impact on cloud computing providers, including Amazon EC2, Azure, and Google CE. Microsoft has announced that its Azure cloud will undergo maintenance and reboots on January 10, at which time it will reportedly patch the vulnerability. Amazon has issued a warning email that pointed to a major security update rolling out this Friday.

Operating systems affected by this vulnerability include Microsoft Windows, 64-bit macOS versions, and Linux. The Linux community has already rolled out a patch as mentioned above which can be viewed here, and Microsoft is widely expected to issue a fix on Patch Tuesday. Users on its fast-ring Insider program have already received the patch in November, and December last year.

As for details surrounding this flaw, it is under wraps until later this month.

https://www.neowin.net/news/securit...l-cpus-could-result-in-a-huge-performance-hit

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw

lol
 

tp3to

Senior Member
Joined
Jul 30, 2009
Messages
964
Estimated performance hit is for those running VM only. Normal day to day processes for example gaming will have very minimal performance difference.
 

JayM

Expert Member
Joined
Oct 30, 2005
Messages
3,460
Estimated performance hit is for those running VM only. Normal day to day processes for example gaming will have very minimal performance difference.

Yeah, but think of all the hosting providers who are going to get reamed by this...it's like all of them.
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
30,310
Estimated performance hit is for those running VM only. Normal day to day processes for example gaming will have very minimal performance difference.

Depends on the game, I've only seen benchmarks of games that aren't really CPU bound. I'm also wondering on the impact on older CPU vs newer.
 
Top