AMD Security Statement from CTO and SVP Mark Papermaster

Thanks HH.
So basically just Variant 2 is noteworthy (but not necessarily crucial). At least a high-up representative from AMD finally gave a solid answer. I was getting a bit tired of all the pussyfooting AMD was doing for the past couple weeks.
Didn't AMD basically start with "We're not affected" when the news first broke? Long way to go from "not" to two variants actually being applicable. Sure, Meltdown is Intel only, but Spectre might be as bad or possibly even worse in the long run.
nevcairiel:

Didn't AMD basically start with "We're not affected" when the news first broke? Long way to go from "not" to two variants actually being applicable. Sure, Meltdown is Intel only, but Spectre might be as bad or possibly even worse in the long run.
No, it isn't. Meltdown is by far the scariest CPU bug I have ever seen - Spectre comes nowhere close to it.
nevcairiel:

Didn't AMD basically start with "We're not affected" when the news first broke? Long way to go from "not" to two variants actually being applicable. Sure, Meltdown is Intel only, but Spectre might be as bad or possibly even worse in the long run.
I don't recall AMD saying they weren't affected, though as I mentioned in my last post, they seemed to be intentionally vague about all of this. What I remember is they were being dismissive of its severity. To be fair, they weren't totally wrong in doing so - from what I heard, you need physical access to the system to exploit the bug (on AMD), in which case the user would have bigger things to worry about. At least in Linux, they seem to add patches that would exclude them in some of the recent kernel bug fixes. It's all a bit difficult to keep track of, but at least today we finally have a more clear answer.
D3M1G0D:

No, it isn't. Meltdown is by far the scariest CPU bug I have ever seen - Spectre comes nowhere close to it.
That's the "simple" view of it. Both achieve the same thing, leaking information. Meltdown is easier to exploit and more of a straightforward bug in the CPUs in question. However, Spectre is not a "bug" as such, but a fundamental concept of any speculative execution on CPUs (so basically, any modern CPU across vendors and architectures) - which makes Spectre far more scary in the long run from the sheer scale of it. It's also much harder to fully mitigate (if even at all without fundamental hardware design changes). The fact alone that Spectre basically affects all modern CPUs, from x86 to ARM, POWER and who knows what else should scare you.
nevcairiel:

That's the "simple" view of it. Both achieve the same thing, leaking information. Meltdown is easier to exploit and more of a straightforward bug in the CPUs in question. However, Spectre is not a "bug" as such, but a fundamental concept of any speculative execution on CPUs (so basically, any modern CPU across vendors and architectures) - which makes Spectre far more scary in the long run from the sheer scale of it. It's also much harder to fully mitigate (if even at all without fundamental hardware design changes). The fact alone that Spectre basically affects all modern CPUs, from x86 to ARM, POWER and who knows what else should scare you.
I don't see much of a threat from Spectre. Unlike Meltdown, the ability to get useful, sensitive data is extremely rare, and there are ways to mitigate it through software and preemptive coding (speaking as a professional computer programmer, it won't take that much work to redesign for it). Combine that with OS patches and/or BIOS updates and I don't see it as a major threat. Like I said, Meltdown is the scariest bug I have ever seen, breaking down any and all security checks and able to read reams of sensitive data. Spectre is more pervasive but far less dangerous, and I won't lose any sleep over it.
Those security flaws wouldn't be scary at all if they were patched right away properly, not half-heartedly and technically lacking like with AMD systems and their non-bootability issues, not producing random reboots in Haswell systems, and that's just what we know so far. We've yet to see any real exploit, and so far (if you don't consider the possible damage) all we've got from this is a slowdown of systems and more broken patches / updates.
fantaskarsef:

Those security flaws wouldn't be scary at all if they were patched right away properly, not half-heartedly and technically lacking like with AMD systems and their non-bootability issues, not producing random reboots in Haswell systems, and that's just what we know so far. We've yet to see any real exploit, and so far (if you don't consider the possible damage) all we've got from this is a slowdown of systems and more broken patches / updates.
I'm not sure you fully understand this situation. Considering how long these issues were known, I agree it took a little too long to patch the problems. However, the issues with Haswells and outdated AMD CPUs are something I would rather blame on Microsoft. To my knowledge, other OSes aren't getting these issues. But more importantly, slowdowns aren't a side effect of these patches - slowdowns are the sacrifice of these patches. The performance loss was predicted before anyone even tested it. That's because the security risk itself was designed to improve performance. So, the only way to quickly and effectively protect users from this bug is to simply disable speculative execution, and therefore the losses associated with it.
schmidtbag:

I'm not sure you fully understand this situation. Considering how long these issues were known, I agree it took a little too long to patch the problems. However, the issues with Haswells and outdated AMD CPUs are something I would rather blame on Microsoft. To my knowledge, other OSes aren't getting these issues. But more importantly, slowdowns aren't a side effect of these patches - slowdowns are the sacrifice of these patches. The performance loss was predicted before anyone even tested it. That's because the security risk itself was designed to improve performance. So, the only way to quickly and effectively protect users from this bug is to simply disable speculative execution, and therefore the losses associated with it.
Well, I am fairly aware that the issues here come from the way that Intel's chips "predict" usage in the first place, so thanks for your consideration. I've read the links posted here by others (you iirc too). Then again, deactivating those speculative executions does not make a system not boot or reboot unprovoked by the user. By the way, Google has found a software resolution with marginal performance impact on their server systems while still keeping their systems secure. https://www.blog.google/topics/google-cloud/protecting-our-google-cloud-customers-new-vulnerabilities-without-impacting-performance/
fantaskarsef:

Well, I am fairly aware that the issues here come from the way that Intel's chips "predict" usage in the first place, so thanks for your consideration. I've read the links posted here by others (you iirc too).
Well, that's why disabling this feature results in performance losses. So far, most of the performance losses have been very minimal - seems to me that just tasks that are both heavy in I/O and CPU load take the hardest hits, but otherwise everything seems to be less than a 5% loss.
Then again, deactivating those speculative executions does not make a system not boot or reboot unprovoked by the user.
That's true - it shouldn't do that. This is why it's specifically a MS issue, since Linux and FreeBSD (which, for the record, have independently made their own patches) are not known to have issues.