Your Intel x86 CPU is Deeply Flawed (Meltdown/Spectre)
Thanks to @Infinity for sharing this...
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
"It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the contents of protected kernel memory.
"The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI.
"The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer. Your Intel-powered machine will run slower as a result."
tl;dr you're going to get patched and will be trading up to 30% of your CPU performance in exchange for protection from a security flaw.
Not saying that's not the right choice, but I see rebellion and forks coming... you know, the "speed is critical, we won't upgrade past Linux 4.14..." crowd, or the "we're building a mining rig, so we want to use Dark Chester's non-isolation patches" tutorial people.
@WSS I think this is the equivalent of the introduction of the catalytic converter. Shade tree coders?
Comments
https://www.lowendtalk.com/discussion/134371/intel-hardware-bug? Your post is way longer though.
This is not good. Not when we spend hundreds of Euros for a damn CPU.
This will be murder on technologies like nfnetlink and similar that do frequent (packet per second like) switches between address space.
10nm proving too hard? Just slow down your existing CPUs and sell fixed editions.
@raindog308 Ironically, the cat does a lot of good on turbo cars, but they certainly don't help as much for the butt dyno as open headers.
This, however, is just a huge "5eyez finally released information now that they're done with those backdoors.." (if you ask @Maounique) grade of fuckage. It's like reimplementing EMS page switching.
Or, you know, use ASICs instead of gutter x86 hardware.
ouch... wonder if there's any work being done to make context switching faster?
..because working around hardware bugs that can't be patched in CPU-level software is going to exponentially help if you NOP pad it enough? The fact that you bust caching for this is seriously going to limit hardware abilities based upon the few things they've built over the last decade. Shit hasn't been getting much faster - Mhz wise, but it sure has been getting more cores and cache. Now remove that from the equation.
It will be interesting to see the performance impact and how clouds/VPS providers will bear with it.
Well, fuck..
patch is probably optional. Nothing crucial here, next thread.
No, it's being merged into every public kernel. Maybe they'll add a boot time flag, no promises though.
Francisco
Get a kernel page!
What are the implications for this on HN's in a cloud scenario?
both pti=off and nopti are mainlined and referenced in Torvalds' kernel-parameters.txt
Based on the http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table and from Phoronix benchmarks etc. of before/after kernel fixes,
I wonder what's going on with the 8700K's that there's that big of a drop?
Francisco
the i7 8700K system used a Samsung 950 PRO NVMe SSD so could be related?
xen this or that, kvm, etc - forget it, this animal is a fucking slayer in our field (networking). The problem is about syscalls, i.e. switching to/from ring 0 which fucks you the harder the more syscalls you make, that number typically being between fucking painfully and insanely high.
Secondly, consider the fact that it's not firmware/microcode repairable which translates to hardwired "smart" shortcuts right in the silicon.
The good news (if you like amd) is: For amd this may turn out to be just the perfect turbo because now - as well as for some more time (one doesn't change the innards of a complex design like intel cpus in a week or so. plus considerable parts of the production line will need to be adapted) - "just get an amd based system" is about the most sensible alternative.
I guess this one is far worse than the floating point fuckup many years ago.
@eva2000
Those phoronix benchmarks are utterly worthless for most of us as they are game focussed whereas server loads are largely i/o bound.
In fact, those tests are even worthless for normal desktop scenarios as gaming is among the least crippled scenarios (lots and lots of calculations, not a lot of i/o).
I like the fact that this patch currently forces ALL Intel based CPUs to use PTI.
Nerds!
/ downs more everclear
believe more benchmarks are to come but yeah...
Gaming is the only benchmark that matters.
Sincerely,
15,000 people on Reddit probably
Did anyone test with Crysis???
Nothing can run Crysis, no point in testing it.
Cyrix can.
It's not loading under nglide for some reason.
CentaurHauls!
There goes my hope of running crysis on this sweet new quantum build
Can't you simply boot your system with nopti option? The attack surface for a router or similar application seems pretty small, making avoiding the performance loss worth it.
Edit: or if you're talking about VMs in general, the point is that Xen HVM guests might be unable to exploit the hardware vulnerabilities because of some feature of the hypervisor. In that case, the host can leave page table isolation disabled, right? Whether the guest remains vulnerable doesn't matter too much since the user can choose whether to boot with isolation or not.
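A defender-side check that ties together the nopti / pti=off boot options mentioned earlier in the thread and the kernel's own reported Meltdown status; this is an added example, not code from the thread or the kernel project. It assumes a Linux 4.15+ kernel that exposes /sys/devices/system/cpu/vulnerabilities/meltdown and /proc/cmdline, and takes the two paths as arguments so it can also be run against saved copies of those files.

```shell
#!/bin/sh
# Added example: report whether Kernel Page Table Isolation (KPTI) is active
# and whether the boot line asked the kernel to turn it off.
# Assumes Linux 4.15+ sysfs vulnerability files; paths are parameters so the
# functions can be exercised against captured copies of /proc/cmdline and
# /sys/devices/system/cpu/vulnerabilities/meltdown.

# Inspect the boot command line for the documented PTI switches.
# Prints: disabled-by-cmdline | forced-on | default
pti_cmdline_request() {
    cmdline_file=$1
    if grep -qwE 'nopti|pti=off' "$cmdline_file"; then
        echo "disabled-by-cmdline"
    elif grep -qwE 'pti=on' "$cmdline_file"; then
        echo "forced-on"
    else
        echo "default"
    fi
}

# Map the kernel's sysfs meltdown status line to a short verdict.
# Prints: mitigated | not-affected | vulnerable | unknown
pti_sysfs_state() {
    status_file=$1
    [ -r "$status_file" ] || { echo "unknown"; return 0; }
    status=$(cat "$status_file")
    case "$status" in
        "Mitigation: PTI"*) echo "mitigated" ;;
        "Not affected"*)    echo "not-affected" ;;
        Vulnerable*)        echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Combined report; exit status 0 only when the kernel says the host is covered.
# A host booted with nopti on an affected CPU lands in "vulnerable".
kpti_report() {
    req=$(pti_cmdline_request "$1")
    state=$(pti_sysfs_state "$2")
    echo "cmdline=$req sysfs=$state"
    [ "$state" = "mitigated" ] || [ "$state" = "not-affected" ]
}

# Live check on the running host only when explicitly requested:
#   sh kpti_check.sh --live
if [ "${1:-}" = "--live" ]; then
    kpti_report /proc/cmdline /sys/devices/system/cpu/vulnerabilities/meltdown
fi
```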