Announcement

**Tuxee** · 03 April 2021, 05:49 AM

Originally posted by torsionbar28 View Post

Speculative Store Bypass aka Spectre variant 4 is considered such a low risk that no Linux distro mitigates Spectre v4 by default, for either AMD or Intel. You can mitigate it if you like, but it isn't the default. Even on enterprise distros like RHEL and SLES, the mitigation code is present, but is not enabled by default. Don't take my word for it, check your own machine (cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass). It will most likely say "Vulnerable", instead of "Mitigation".

Code:

$ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp

A bog standard Ubuntu 20.04...

Edit: Read the answer ofyou above. Understood.

**Brisse** · 03 April 2021, 05:56 AM

Originally posted by torsionbar28 View Post

Accusations of wrong-doing, with zero evidence of it actually occurring? That is some straight CNN fake news right there.

CNN is more reliable than wherever you get your news from, I can tell you that much.

**Nth_man** · 03 April 2021, 06:29 AM

If we have to start enumerating "news" channels that are not reliable...

**Adarion** · 03 April 2021, 06:30 AM

God blees good old in-order-processing.

(Well, if you can bear with the "speed" of these machines. But therefore they're quite safe.)

Well, it's okay that AMD announced the news by themselves before others did (as far as it seems). That's a good step. They also seem to have patches ready for upstream. Good, too. However, they estiamate the risk being low. Okay. So everyone can check for him- her- or itself, or whatever you want to be these days, if you want to disable or not. Fine for me.

By the way, my gentoo machines have it already disabled on request by programs (see torisonbar28's explanations).

Code:

 grep . /sys/devices/system/cpu/vulnerabilities/*

shows

Code:

Mitigation: Speculative Store Bypass disabled via prctl and seccomp

Iirc. I switched this on in the kernels of my machines long ago, shortly after the meltdown horror-news came to the broad public. The only one somehow still showing one vulnerability is my E-350, and I wonder what it missing there. Everything else is not affected (AMD/VIA/in-order-intel-Atom/Geode mostly here) or mitigated (completely or on request). I also don't notice much of any speed drop (Benchmarks only maybe, and Michael's data shows that the drop for AMD was marginal).

These days we waste much more processing power by shoddy programming that involves JavaScript, frameworks, abstraction layers over layers over layers, wrappers, emulations, library obesity and all that kind of stuff that really slows you down.

**Jumbotron** · 03 April 2021, 08:23 AM

Originally posted by torsionbar28 View Post

Actually, no, the sky is not falling Chicken Little. Chips you buy at retail today were designed years ago. The Zen CPU architecture was finalized in 2016. That's two years before the first Spectre vulnerability was made public. All these Agile software developers who are used to designing, building, and promoting to prod all within a few weeks time, have no grasp on the timelines involved for creating a CPU. Hint: There are exactly zero x86-64 CPU's on the market today, from any vendor, that have Spectre mitigations in hardware. Nope, not even the newest 11th gen "Rocket Lake" Intel chips that were just released *this week*.

Speculative Store Bypass aka Spectre variant 4 is considered such a low risk that no Linux distro mitigates Spectre v4 by default, for either AMD or Intel. You can mitigate it if you like, but it isn't the default. Even on enterprise distros like RHEL and SLES, the mitigation code is present, but is not enabled by default. Don't take my word for it, check your own machine (cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass). It will most likely say "Vulnerable", instead of "Mitigation".

What part of this did you not understand ?

" AMD published a security whitepaper this week looking at their Predictive Store Forwarding (PSF) feature that is new to Zen 3 series processors. "

AMD HAD PLENTY OF TIME TO LEAVE THIS PART OUT OR RE-ENGINEER.

**Weasel** · 03 April 2021, 08:40 AM

Originally posted by Jumbotron View Post

What part of this did you not understand ?

" AMD published a security whitepaper this week looking at their Predictive Store Forwarding (PSF) feature that is new to Zen 3 series processors. "

AMD HAD PLENTY OF TIME TO LEAVE THIS PART OUT OR RE-ENGINEER.

Leave a part out so my CPU is slower to please ARM clowns? You would love that wouldn't you, to make x86 slower so ARM can finally compete after 100 other mitigations.

How about take the hike. I buy a new CPU for performance.

**ThoreauHD** · 03 April 2021, 09:03 AM

This is the thing from 2018 that no cpu vendor really cared about, as I recall. You have to run code locally, in a sandbox environment, in a web browser, or some shit. Guess it's a legacy design flaw.

Upside is maybe the next gen tock cpus will still fit in my AM4 socket? Gotta fix the bug? Please? ..One can hope. I wanna get one of those 3D stacked chip cpus before I have to trash my AM4 system.

**cb88** · 03 April 2021, 12:35 PM

Originally posted by Jumbotron View Post

Wait....are you actually saying that AMD engineered a speculative code part in Zen 3 KNOWING there is a LONGSTANDING speculative attack on something similar with a LOT of Intel CPUs and STILL released it whithiut adequate testing ?? And the ONLY mitigation is the SAME OL' standby Intel gave..."Well...you can always turn it off".

SMH...

No... they designed in a mitigation, aka you turn it off for applications running untrusted code like browsers and anything that talks to the internet. All other applications flat out don't need the mitigation. Games running locally wouldn't need it, games that have networked multiplayer probably should enable it... unless you trust the game servers that much.

**elatllat** · 03 April 2021, 01:31 PM

I'd be happy to pay more for a slower CPU that is not flawed but this is the closest I could find;

HTML Code:

C4> cd /sys/devices/system/cpu/vulnerabilities/ && grep . *
itlb_multihit:Not affected
l1tf:Not affected
mds:Not affected
meltdown:Not affected
spec_store_bypass:Not affected
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Not affected
srbds:Not affected
tsx_async_abort:Not affected

**angrypie** · 03 April 2021, 01:56 PM

Well, at least they admitted it could be vulnerable instead of being in denial about it, along with providing a way to disable the offending feature.

Announcement

AMD Publishes Security Analysis Of Zen 3 "PSF" That Could Possibly Lead To A Side-Channel Attack

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment