1 |
On Thu, Apr 5, 2018 at 12:34 PM, Mick <michaelkintzios@×××××.com> wrote: |
2 |
> |
3 |
> Does the lack of a microcode patch mean the in-kernel and other software fixes |
4 |
> won't be sufficient to protect PCs running these old CPUs? |
5 |
|
6 |
I'm interested if somebody has a more informed answer, but my guess is |
7 |
that it would result in a less efficient fix being applied by the |
8 |
kernel. |
9 |
|
10 |
I'm not sure if Intel actually has any good fixes for meltdown in |
11 |
microcode. The in-kernel fix for that is fairly expensive, and if it |
12 |
could be fixed in microcode that would be a big savings (assuming the |
13 |
microcode didn't add a cost). |
14 |
|
15 |
My understanding is that most of the microcode patches are for spectre |
16 |
and modify the behavior of lfence to block vulnerable speculative |
17 |
execution. This still has some cost to it, but it is minimal. |
18 |
Without the microcode fix I imagine the vulnerabilities could still be |
19 |
fixed via retpolines and similar techniques, at a higher cost. I |
20 |
haven't checked recently but the last time I looked at it even my |
21 |
current Ryzen CPU doesn't have a microcode fix out yet for lfence. |
22 |
|
23 |
I haven't read up on what has changed in the last month or two, but |
24 |
the gist of it is that with spectre you have three options: |
25 |
|
26 |
1. Ignore it. Some code is vulnerable. No performance cost. |
27 |
2. Add a series of instructions to vulnerable code so that |
28 |
speculative execution is blocked on any processor. The code is no |
29 |
longer vulnerable, but those instructions can add some cost (not as |
30 |
bad as with meltdown). |
31 |
3. If the CPU+microcode supports it, add a single lfence instruction |
32 |
to vulnerable code. This will address the vulnerability at a lower |
33 |
cost. |
34 |
|
35 |
In an ideal world we wouldn't need #2. That would not only make the |
36 |
fixes perform better, but it would also mean that compilers wouldn't |
37 |
have to generate code that figures out whether scenario 2 vs 3 applies |
38 |
AT RUNTIME and do the right thing. |
39 |
|
40 |
Now, if 95% of users fall into bucket 3 and 5% fall into bucket 2 you |
41 |
have an interesting situation. Will software developers take the time |
42 |
to ensure that scenario #2 is even covered, except for the most |
43 |
at-risk code (such as browser sandboxes)? |
44 |
|
45 |
Granted, I think in reality an awful lot of software will just fall |
46 |
into bucket #1 for the same reason that we STILL keep finding buffer |
47 |
overflows. That, and people will think of new situations where |
48 |
spectre applies that aren't presently known. I don't think we're at a |
49 |
point where a compiler can reliably determine whether a |
50 |
retpoline/lfence is actually needed. The last time I checked the GCC |
51 |
fixes needed the code to be tagged in some way to tell it to add the |
52 |
protection (when you think about it C doesn't even do bounds checks, |
53 |
let alone figure out when you're about to do a dangerous one). |
54 |
|
55 |
-- |
56 |
Rich |