
Intel warns users about the "malfunction" of its Spectre-Meltdown patches



Do not install Intel's current patches for the Spectre vulnerabilities on Linux systems.


On Monday Intel warned that installation of the current versions of its Spectre patch (CVE-2017-5715), which Linus Torvalds called "absolute rubbish", should be stopped.

Spectre (variant 1, bounds check bypass, CVE-2017-5753; variant 2, branch target injection, CVE-2017-5715) and Meltdown (CVE-2017-5754, which "melts" the isolation between user and kernel memory pages and is mitigated by the KPTI patch) are vulnerabilities disclosed by researchers earlier this month in many Intel, ARM and AMD processors used in modern PCs, servers and smartphones. They can let an attacker read passwords, encryption keys and other sensitive data from memory that should be inaccessible to it.
Since last week users have been reporting that after installing the microcode security update released by Intel they ran into problems they had not had before, for example spontaneous reboots and other "unpredictable" system behaviour.

Acknowledging these problems, Intel recommended that OEMs, cloud service providers, system manufacturers, software vendors and end users stop installing the current update versions until the chip giant develops a fix.
"Currently, we have identified the root cause of the problems for the Broadwell and Haswell platforms and have made significant progress in developing a solution," says an Intel press release issued on Monday.
"Last weekend we started testing an early version of the updated patch with industry partners. We will publish the final version as soon as testing is completed."
Meanwhile, in an open email, Linus Torvalds states in emotional terms that he is unhappy with Intel's approach to protecting the Linux kernel from the Spectre and Meltdown vulnerabilities:
"They do crazy things. They do something that does not make sense ... I really do not want these garbage patches to be thoughtlessly sent ... I think we need something better than this garbage," Torvalds said.
Intel's patches require users to enable or disable the mitigation manually at boot time, whereas security patches for vulnerabilities this critical should be applied automatically.

The reason is that Indirect Branch Restricted Speculation (IBRS), one of the three new hardware mitigations Intel offers through CPU microcode, is so expensive that it causes a serious performance hit. In other words, to avoid looking bad in benchmarks, Intel leaves users to choose between performance and security.
"The whole IBRS_ALL feature to me very clearly says 'it's true' in benchmarks," Torvalds writes.
The other fixes are Page Table Isolation (PTI) against Meltdown, and Indirect Branch Prediction Barriers (IBPB) alongside IBRS against Spectre variant 2 (CVE-2017-5715).
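For an administrator deciding whether to keep or roll back the update, the practical question is what the running kernel and microcode actually report. The script below is an added example (not code from the article, from Intel or from the Linux kernel project) that reads the verdict files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and checks whether the loaded microcode advertises the IBRS/IBPB/STIBP controls via the spec_ctrl, ibpb and stibp flags in /proc/cpuinfo (flag names as assumed here; the exact set varies by kernel version). Its sample sysfs files and cpuinfo line are a constructed fixture that follows the kernel's "Mitigation: ..." / "Vulnerable..." format; run it with the argument live to inspect a real host instead.

```shell
#!/bin/sh
# Added example, not code from the article, Intel or the Linux kernel project.
# Audits a Linux host's Spectre/Meltdown mitigation state:
#   - the kernel's verdict files under /sys/devices/system/cpu/vulnerabilities/
#   - whether the microcode advertises the IBRS/IBPB/STIBP controls
#     (spec_ctrl, ibpb, stibp flags in /proc/cpuinfo; assumed flag names)
# Run with "live" to read the real host; otherwise a CONSTRUCTED fixture is used.

# Kernel verdict for one vulnerability file ("Mitigation: ..." / "Vulnerable..."),
# or "unknown" when the kernel is too old to expose that file.
mitigation_status() {
    f="$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Which speculation-control flags the microcode exposes, as "name=yes/no" pairs.
spec_ctrl_flags() {
    flags=$(awk -F: '/^flags/ { print $2; exit }' "$1")
    out=""
    for want in spec_ctrl ibpb stibp; do
        case " $flags " in
            *" $want "*) out="$out $want=yes" ;;
            *)           out="$out $want=no" ;;
        esac
    done
    echo "${out# }"
}

# Overall verdict for Spectre v2 (CVE-2017-5715), the variant that IBRS, IBPB
# and retpoline address. "microcode-ready-but-disabled" is the opt-in situation
# described above: the CPU offers IBRS, but the kernel is not using it.
classify() {
    vdir="$1"; cpuinfo="$2"
    case "$(mitigation_status "$vdir" spectre_v2)" in
        Mitigation:*) echo "mitigated" ;;
        Vulnerable*)
            case "$(spec_ctrl_flags "$cpuinfo")" in
                *spec_ctrl=yes*) echo "microcode-ready-but-disabled" ;;
                *)               echo "vulnerable" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# CONSTRUCTED fixture: PTI on, IBRS-capable microcode loaded, but a kernel that
# reports only a minimal retpoline and has IBRS left off.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/vuln"
    echo "Mitigation: PTI"                           > "$d/vuln/meltdown"
    echo "Mitigation: __user pointer sanitization"   > "$d/vuln/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/vuln/spectre_v2"
    printf 'processor\t: 0\nflags\t\t: fpu sse2 pti spec_ctrl ibpb stibp\n' > "$d/cpuinfo"
    echo "$d"
}

if [ "${1:-}" = "live" ]; then
    VDIR=/sys/devices/system/cpu/vulnerabilities; CPUINFO=/proc/cpuinfo
else
    FIX=$(make_fixture); VDIR=$FIX/vuln; CPUINFO=$FIX/cpuinfo
fi
for v in meltdown spectre_v1 spectre_v2; do
    printf '%-12s %s\n' "$v:" "$(mitigation_status "$VDIR" "$v")"
done
echo "microcode flags: $(spec_ctrl_flags "$CPUINFO")"
echo "spectre_v2 verdict: $(classify "$VDIR" "$CPUINFO")"
```

On a 4.15-era kernel the same state can be toggled from the boot command line with the nopti and spectre_v2=on/off parameters, which is exactly the manual enable/disable step the text objects to; the script makes the resulting state visible so a rollback of the microcode or a change of boot parameters can be verified rather than assumed.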

The full text of Linus Torvalds's message urging Intel's engineers to think again can be found here.

Red Hat, VMware, Lenovo and other vendors have pulled the patches in response to user complaints. New Intel patches are expected soon; we will update this story once they are released.

Earlier on Habr we wrote about how much slower your system will be after the Spectre-Meltdown patches.

It is worth noting that before Intel's updates, Google engineers had released retpoline, a software construct of their own design that protects against Spectre (branch target injection) attacks with lower overhead.

Read more about Retpoline

Intel has published the results of server performance testing


Performance data had previously been published for client systems; on January 17 results for data center systems running the security updates followed. These results were obtained with industry-standard benchmarks and are useful, but in the end customers' own workloads matter more. So far, server platforms based on Intel Xeon Scalable (Skylake) processors, Intel's latest server microarchitecture, have been tested.

As expected, the results show a varying performance impact that depends on the specific workload and configuration. A system whose workload involves more user/kernel privilege transitions will see a larger performance hit.


Benchmark Results

Source: https://habr.com/ru/post/347418/

