Retbleed or replace your old Intel and AMD CPUs

[birdie]

Weird no one on TPU has mentioned:

A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys

Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.

arstechnica.com

Retbleed: Arbitrary Speculative Code Execution with Return Instructions – Computer Security Group

comsec.ethz.ch

From the paper:

Affected machines​

We have verified that Retbleed works on AMD Zen 1, Zen 1+, Zen 2 and Intel Core generation 6–8.

Mitigations​

Kernel and hypervisor developers have developed mitigations in coordination with Intel and AMD. Mitigating Retbleed in the Linux kernel required a substantial effort, involving changes to 68 files, 1783 new lines and 387 removed lines. Our performance evaluation shows that mitigating Retbleed has unfortunately turned out to be expensive: we have measured between 14% and 39% overhead with the AMD and Intel patches respectively. Please refer to the paper if you want to know more. Mitigating Phantom JMPs with a generic flushing of the branch predictor unit on kernel transitions imposes up to 209% performance overhead.

This could even be worse than meltdown.

 

[R-T-B]

This could even be worse than meltdown.

Hardly. It requires both knowledge of the machine hardware and the ability to run queries on the machine, limiting this to mostly a server concern.

It's also being patched in software, not firmware:

Neither Intel nor AMD are issuing microcode updates to change the behavior of the chips. Instead, they're endorsing changes Microsoft and Cloudflare made respectively to their PQCrypto-SIDH and CIRCL cryptographic code libraries. The researchers estimated that the mitigation adds a decapsulation performance overhead of 5 percent for CIRCL and 11 percent for PQCrypto-SIDH. The mitigations were proposed by a different team of researchers who independently discovered the same weakness.

 

[R-T-B]

Does it matter where it gets patched?

Yea, because one is going to affect end consumer type users and the other won't.

tl;dr, there will be no performance impact unless you are explicitly using updated versions of those server products.

Looks like everyone here is on ADL/Zen 3 already.

Nothing I read indicates ADL or Zen 3 is likely to be better off, just that they did not test those platforms.

 

[TheoneandonlyMrK]

You must be f*ing joking. 99.999% of people will upgrade automatically.

ADL and Zen 3 are not affected, period. It would have taken you 2 minutes to figure it out. Do you always post without thinking or researching? Why???

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

INTEL-SA-00702

INTEL-SA-00702

www.intel.com

https://www.intel.com/content/www/u...-affected-consolidated-product-cpu-model.html -> 2022 -> Return Stack Buffer Underflow (RSBU) RSB Alternate Behavior (RSBA) CVE-2022-29901 INTEL-SA-00702

I already want to delete this thread.

You tested your performance loss yet.
Chill no need for grrrrrr , other side of the bed tomoz I recommend.

 

[ExcuseMeWtf]

If it's not remotely exploitable, it's not a major issue for vast majority of users.
It is for HPC applications that still use said processors for some reason. But I'd figure they'd be on upgrade path anyways.

 

[ExcuseMeWtf]

UP TO could mean 0.01% too, you know
And even if it actually means -39% - in what application exactly?

 

[Frick]

Never mind and f*t it. The TPU crowd seems not to care one bit, OK. Fine. Looks like everyone here is on ADL/Zen 3 already.

Probably because of this:

"For now, there's nothing end-users can do, and even if there was, it's not clear at this point that Hertzbleed represents a clear and present threat."

and:

"If you have secrets on virtual machines with shared hardware (e.g., in the cloud), you should be aware of the issue. But it’s not good for your health to worry too much."

Also:

"Note that we have only tested AMD CPU family 0x17 (AMD Zen 1, Zen 1+ and Zen 2)."

So it might work on all Zens.

Lost up to 39% performance is not an issue? Like really??

I've reported the thread, hopefully is going to be deleted. I expected people to maybe ask silly questions, not make dubious (to put it mildly) claims.

Relax man. There will be more articles on it, especially if indeed every single AMD CPU will loose a third of their performance. Right now there's not a lot to do about it other than wait and see how the patches will be doled out.

 

[R-T-B]

You must be f*ing joking. 99.999% of people will upgrade automatically.

You really need to try reading the article. Consumers don't even use these products.

I'm a security researcher by trade, btw.

 

[Frick]

Ahh missed the Ars article on Retbleed. Zen 3 is not affected. However Intel wrote:

"“Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”"

 

[R-T-B]

So it might work on all Zens.

Which is exactly what I said. I'm sorry if that was not up to whatever birdie was looking for here.

Ahh missed the Ars article on Retbleed.

Care to clarify? I may have done the same. I only saw it was not explicitly tested.

Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”"

Yeah it's basically a consumer nonissue.

 

[Frick]

Care to clarify? I may have done the same. I only saw it was not explicitly tested.

New working speculative execution attack sends Intel and AMD scrambling

Both companies are rolling out mitigations, but they add overhead of 12 to 28 percent.

arstechnica.com

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

 

[R-T-B]

Appreciated. It's late and my dog is literally about to be put down, so easy to miss small details.

 

[TheoneandonlyMrK]

Appreciated. It's late and my dog is literally about to be put down, so easy to miss small details.

Sorry about your friend.


So no test of birdie system to demo performance loss, nice.

 

[P4-630]

Weird no one on TPU has mentioned:

https://www.techpowerup.com/forums/threads/general-nonsense.232862/post-4793412

I'm all good this time around with my i7 12700K.

 

[freeagent]

What if you run a static clock, would that help?

 

[95Viper]

Stay on Topic.

 

[Shrek]

I was talking about the performance impact. You may disable the mitigations all you want however most people will not and they don't even know about these vulnerabilities which means this month's Windows 10/11 update has already slowed down your CPU without most people knowing.

Doesn't that imply it is not noticable?