Announcement

Collapse
No announcement yet.

AMD Details "SQUIP" Side Channel Vulnerability For Zen's Execution Unit Scheduler

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    disabling SMT is best practice anyway for paranoid security (which is of course, the best security)
    and as phoronix shows -- in some cases SMT being disabled can yield higher performance (but only in edge cases such as when cache is saturated per-core)

    Originally posted by Volta View Post

    Nice try fanboy. It matters how many and how impactful vulnerabilities there were. AMD wins so far.
    "intel inside"

    has always meant what it says: intel inside.
    (as in SIGINT inside)

    Originally posted by archkde View Post
    This is yet another reminder to use mitigations=auto,nosmt if you run any untrusted code.
    i like how we can also disable SMT on a live running system

    Code:
    echo off > /sys/devices/system/cpu/smt/control
    Last edited by adoptedPenguin; 09 August 2022, 04:20 PM.

    Comment


    • #12
      Originally posted by schmidtbag View Post
      Yeah except this requires an oddly specific circumstance to exploit and can be fixed using proper software development. It isn't clear to me whether physical access is needed or not for SQUIP, which so far has been the case for most of AMD's exploits. If physical access isn't required then this vulnerability is a bit more serious, but considering AMD has no intention on patching it, I assume the exploit must not be threatening enough.
      Reading the start of the pdf -

      "We evaluate the performance of
      the SQUIP attack in a covert channel, exfiltrating 0.89 Mbit/s
      from a co-located virtual machine at an error rate below 0.8 %,
      and 2.70 Mbit/s from a co-located process at an error rate
      below 0.8 %. We then demonstrate the side channel on an
      mbedTLS RSA signature process in a co-located process and
      in a co-located virtual machine. Our attack recovers full RSA-
      4096 keys with only 50 500 traces and less than 5 to 18 bit
      errors on average."

      So, it only works on the same physical machine.

      For an RSA key, I would have thought that a single bit error would be enough to give a non-working result ?

      Comment


      • #13
        Originally posted by Linuxxx View Post
        skeevy420

        My man, good to see you are back!

        Was getting worried since you had been MIA for some time now.

        I take it Stray has led you astray?
        I did a week of house and pet sitting at a house with no internet.

        Since I haven't used a cable or satellite service for 12 years, all I can tell you is that DirecTV was just awful. These days even the programming schedule menu adds randomized banner ads where channels and shows should be. It was like using an Ad Supported Free Launcher on Android. WTF, man!?!? Paying monthly for what feels like an adware program.

        Fortunately I had my PC with lots of my favorite games and shows readily available.

        Comment


        • #14
          Originally posted by Volta View Post

          Nice try fanboy. It matters how many and how impactful vulnerabilities there were. AMD wins so far.
          AMD isn’t impacted by performance regressions since they can’t mitigate their vulnerabilities. Everyone made a big deal when Meltdown affected Intel chips then a few years later all of AMD’s CPUs were affected by a similar vulnerability called Transient Execution of Non-canonical Accesses vulnerability.

          I expect nothing less from a company that took a year to fix their RX 5000 Windows driver issues while not acknowledging their customers. At least Intel/Nvidia acknowledge/address their issues in a timely manner. Take Intel’s horrible Arc drivers, first week they acknowledged their issue. Explained they tried to take a shortcut by using their iGPU drivers and are now making new drivers for their desktop cards.

          Their response to that vulnerability:

          “AMD recommends that all software vendors that ship code for its platforms revisit their programs and add mitigations.“

          https://www.amd.com/en/corporate/pro...in/amd-sb-1010

          Ignoring their issues is the reason why I don’t purchase their products.
          Last edited by WannaBeOCer; 09 August 2022, 05:00 PM.

          Comment


          • #15
            Why is SMT even a thing still? The idea of taking a physical core and splitting it into two via software sounds like it would be full of unknowns, including vulnerabilities. I can understand 4-core CPUs potentially benefiting, but what are 6+ core consumer CPUs doing with it on by-default?

            With a 2700X, I've seen file compression benefiting with SMT, but games are about the same with it on or off, and VR FPS (on Windows) seems more consistent with SMT off. With Geekbench, there's higher single-threaded benefits with SMT off, compared to a minor multi-threaded increase with SMT on.

            Comment


            • #16
              Originally posted by Volta View Post

              Nice try fanboy. It matters how many and how impactful vulnerabilities there were. AMD wins so far.
              I have an Intel i7-4600u laptop, Ryzen 3700x desktop and M1-Pro MacBook at the moment.
              I have no loyalty to any of them. I jump ship to best value (or performance) for money when it presents itself.
              Things like open source drivers also plays a role in deciding.

              I feel free to praise/criticize any of the hardware without being a "fanboy" of any brand.
              Last edited by Raka555; 09 August 2022, 05:33 PM.

              Comment


              • #17
                Originally posted by Volta View Post

                Nice try fanboy. It matters how many and how impactful vulnerabilities there were. AMD wins so far.
                the most terrifing part is that there is so many AMD fanboys that upvoted you

                Comment


                • #18
                  Originally posted by Espionage724 View Post
                  Why is SMT even a thing still? The idea of taking a physical core and splitting it into two via software sounds like it would be full of unknowns, including vulnerabilities. I can understand 4-core CPUs potentially benefiting, but what are 6+ core consumer CPUs doing with it on by-default?

                  With a 2700X, I've seen file compression benefiting with SMT, but games are about the same with it on or off, and VR FPS (on Windows) seems more consistent with SMT off. With Geekbench, there's higher single-threaded benefits with SMT off, compared to a minor multi-threaded increase with SMT on.
                  It's an interesting question, to which I would like an answer too.
                  Didn't AMD suggest a year or more ago that their SMT was going to be not 2x but 3x or 4x per physical core?

                  Comment


                  • #19
                    Originally posted by geearf View Post

                    It's an interesting question, to which I would like an answer too.
                    Didn't AMD suggest a year or more ago that their SMT was going to be not 2x but 3x or 4x per physical core?
                    Because from certain point of view it does make sense, you have certain units that are existing in numbers bigger then 1 like FPU, integer operations units etc. They exist primarly to execute at the same time several operations at once if possible, but if this is not possible (or simply currently you use diffrent types of operations) .... well then those units are idle. But if you have 2 logical cores wired up to same units you could theoretically increase utilization so from same sand you can produce higher performance. if you had 4 logical cores, utilization would be even higher.

                    Issue with SMT/HT is exactly abusing of that timing issues, cache, and fact you are generally not improving power efficiency.

                    Comment


                    • #20
                      Originally posted by geearf View Post

                      It's an interesting question, to which I would like an answer too.
                      Didn't AMD suggest a year or more ago that their SMT was going to be not 2x but 3x or 4x per physical core?
                      Fun fact, IBM has been offering SMT8 on their POWER CPUs for a while now.

                      I'm not sure what workload favors it though. It seems like hyper specialized applications like their Db2 database can make use of it. I guess that's the main benefit of having a company making the hardware and software.

                      Comment

                      Working...
                      X