| 1 |
On Thu, Apr 5, 2018 at 12:34 PM, Mick <michaelkintzios@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Does the lack of a microcode patch mean the in-kernel and other software fixes |
| 4 |
> won't be sufficient to protect PCs running these old CPUs? |
| 5 |
|
| 6 |
I'm interested if somebody has a more informed answer, but my guess is |
| 7 |
that it would result in a less efficient fix being applied by the |
| 8 |
kernel. |
| 9 |
|
| 10 |
I'm not sure if Intel actually has any good fixes for meltdown in |
| 11 |
microcode. The in-kernel fix for that is fairly expensive, and if it |
| 12 |
could be fixed in microcode that would be a big savings (assuming the |
| 13 |
microcode didn't add a cost). |
| 14 |
|
| 15 |
My understanding is that most of the microcode patches are for spectre |
| 16 |
and modify the behavior of lfence to block vulnerable speculative |
| 17 |
execution. This still has some cost to it, but it is minimal. |
| 18 |
Without the microcode fix I imagine the vulnerabilities could still be |
| 19 |
fixed via retpolines and similar techniques, at a higher cost. I |
| 20 |
haven't checked recently but the last time I looked at it even my |
| 21 |
current Ryzen CPU doesn't have a microcode fix out yet for lfence. |
| 22 |
|
| 23 |
I haven't read up on what has changed in the last month or two, but |
| 24 |
the gist of it is that with spectre you have three options: |
| 25 |
|
| 26 |
1. Ignore it. Some code is vulnerable. No performance cost. |
| 27 |
2. Add a series of instructions to vulnerable code so that |
| 28 |
speculative execution is blocked on any processor. The code is no |
| 29 |
longer vulnerable, but those instructions can add some cost (not as |
| 30 |
bad as with meltdown). |
| 31 |
3. If the CPU+microcode supports it, add a single lfence instruction |
| 32 |
to vulnerable code. This will address the vulnerability at a lower |
| 33 |
cost. |
| 34 |
|
| 35 |
In an ideal world we wouldn't need #2. That would not only make the |
| 36 |
fixes perform better, but it would also mean that compilers wouldn't |
| 37 |
have to generate code that figures out whether scenario 2 vs 3 applies |
| 38 |
AT RUNTIME and do the right thing. |
| 39 |
|
| 40 |
Now, if 95% of users fall into bucket 3 and 5% fall into bucket 2 you |
| 41 |
have an interesting situation. Will software developers take the time |
| 42 |
to ensure that scenario #2 is even covered, except for the most |
| 43 |
at-risk code (such as browser sandboxes)? |
| 44 |
|
| 45 |
Granted, I think in reality an awful lot of software will just fall |
| 46 |
into bucket #1 for the same reason that we STILL keep finding buffer |
| 47 |
overflows. That, and people will think of new situations where |
| 48 |
spectre applies that aren't presently known. I don't think we're at a |
| 49 |
point where a compiler can reliably determine whether a |
| 50 |
retpoline/lfence is actually needed. The last time I checked the GCC |
| 51 |
fixes needed the code to be tagged in some way to tell it to add the |
| 52 |
protection (when you think about it C doesn't even do bounds checks, |
| 53 |
let alone figure out when you're about to do a dangerous one). |
| 54 |
|
| 55 |
-- |
| 56 |
Rich |
Archives