Originally posted by Raka555
View Post
Announcement
Collapse
No announcement yet.
LLVM Lands Performance-Hitting Mitigation For Intel LVI Vulnerability
Collapse
X
-
-
Originally posted by mppix View Post
.. so a fully mitigated kernel would be slow also on AMD?
But these are compiler mitigations. They are separate from other mitigations that you can enable/disable in the kernel.
If you compile the kernel with a compiler which is doing full mitigation, then the resulting kernel will also be slower, regardless whether it is an AMD or Intel CPU and regardless which options you enabled in the kernel.
This mitigation is adding indirect thunk support that replaces each indirect call/jump with a direct call to a thunk that has a load fence (LFENCE) and then JMPQ.Last edited by Raka555; 03 April 2020, 02:44 PM.
Comment
-
Originally posted by Michael View Post
Right there is no per-CPU ID handling.
They compile everything for YOUR CPU when you install and performance of "generic" Distro's were good enough not to bother with the extra hassle.
I avoided Gentoo as it was too time consuming.
Is Gentoo the only major-ish one that works like this ? (I know about Sabotage linux as well, but that is a tiny, mostly experimental distro)Last edited by Raka555; 03 April 2020, 02:32 PM.
Comment
-
Originally posted by Raka555 View Post
Correct.
Comment
-
Originally posted by Raka555 View Post
All of a sudden Distro's like Gentoo is looking a lot more appealing.
They compile everything for YOUR CPU when you install.
I avoided Gentoo as it was too time consuming.
Is Gentoo the only major-ish one that works like this ? (I know about Sabotage linux as well, but that is a tiny, mostly experimental distro)
Comment
-
Originally posted by duby229 View Post
I'm not so certain about that. The way AMD's front-end hardware issues micro-ops is different and seems unaffected by these types of mitigations to me. At least in the case of Meltdown type vulnerabilities the mitigations have no affect on AMD hardware. Zen doesn't allow the type of overflows that meltdown exploits so preventing such overflows, which zen doesn't allow anyway, has no affect. It might waste a few cycles executing code that has no affect, but you're looking at a few cycles at worst.
But these are compiler mitigations. They are separate from other mitigations that you can enable/disable in the kernel.
If you compile the kernel with a compiler which is doing full mitigation, then the resulting kernel will also be slower, regardless whether it is an AMD or Intel CPU and regardless which options you enabled in the kernel.
Comment
-
Mind you, even Intel says that this leak is very difficult to abuse.
But you're free to have a mindset like "oh, security issue, i'll take any patch"... enjoy your slowdowns then.
Originally posted by stormcrow View Post
Welcome to Security Research in 2020. You can endlessly debate the ethics of hyping research findings, but that ship has sailed. No one is going to listen to you. The problem is many vendors will ignore security problems unless they're widely reported and hyped up. Bad press for damaging security incidents means lost revenue. Secondly, this is as much about building visibility and reputations as it is reporting solid research. Visibility and reputation brings in funding. People don't eat without funding. If you don't like that, well. no one is forcing you to follow along, but don't complain if you passed up $10k from a bug bounty by being the "responsible person".
And yeah, if i were to get the 10k for a bug bounty i'd probably do it too. But i would not make a movie trailer for it!
Comment
-
Originally posted by markg85 View Post
in this case with extremes of 90% performance loss. The average case seems more closely to 10-20%. That's not worth it for consumer and programmer aimed distributions. Or anything non server related. So distributions like Fedora, Arch, Ubuntu, Suse, Clear, .. should not apply this.
Mind you, even Intel says that this leak is very difficult to abuse.
- Likes 2
Comment
-
Originally posted by numacross View Post
Ready to downgrade your microcode? Ready to remove mitigation patches from compilers and to recompile everything with appropriate flags?
Ugh, yeah, I hope Arch Linux does not enable LVI mitigation in their packages... That'd force me to use Gentoo ,-,
Comment
Comment