Agree with all of that, although as I mentioned earlier AMD's utter failure in screening their motherboard chipset vendor also gives me pause. Hard to tell if that's a one-off mistake, or a sign that they don't really care that much about security.

---------
Brian

On Fri, Jul 6, 2018 at 9:01 PM, Greg Sevart <ad...@xfury.net> wrote:

> Thus far, AMD's story has been more compelling than Intel's. AMD is immune to Meltdown, and is broadly speaking less vulnerable to the Spectre variants. However, it would be naïve to believe that AMD is in the clear, as additional vulnerabilities are slowly coming out in this new and novel class of attack vector.
>
> My thinking is that while both Linux and Windows are currently only doing the PTI/KernelVA shadowing for Intel, it will eventually be mandatory for all architectures--for defense in depth if nothing else.
>
> -----Original Message-----
> From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Brian Weeden
> Sent: Friday, July 6, 2018 3:42 PM
> To: hardware <hardw...@lists.hardwaregroup.com>
> Subject: Re: [H] Should I rebuild my machine now or wait until the next gen of CPUs?
>
> Winter, that is exactly the situation I'm in and the question I'm asking. I have not applied any patches to my system because a) they're only partially effective and b) they have a performance hit.
>
> So I'm trying to see if it makes sense to upgrade to a new machine now, or whether I should stick it out for another several months (year?) to see if Intel or AMD rolls out something that actually fixes the underlying problems.
>
> ---------
> Brian
>
> On Fri, Jul 6, 2018 at 4:38 PM, Winterlight <winterli...@winterlight.org> wrote:
>
> > This has been an interesting thread. So Greg, the Ivy Bridge patch that you posted will be delivered by Windows 10 ...eventually... maybe? I am still running a P9X79 WS with my six-core Ivy Bridge with Win10. InSpectre tells me Spectre is not protected and performance is slower. Just how much at risk am I? I figure I will never see a BIOS update... or will I. The whole thing is a big mess, and I would imagine there are all sorts of class action lawsuits heading toward CPU and motherboard manufacturers.
> >
> > At 10:08 AM 7/6/2018, you wrote:
> >
> >> The chipset vulnerabilities were ugly, yes, but for their part AMD did ensure they were resolved quickly despite the research firm not following industry best practices regarding vulnerability disclosure. My bigger beef is that AMD would use ASSmedia (not a typo) at all, given their fairly well-established track record of being roughly equivalent to dog excrement. I don't subscribe to the AMD Fanboy narrative that it was an Intel hit-job, though.
> >>
> >> Intel's roadmap is a real mess right now. A sudden and surprisingly competitive AMD portfolio coupled with severe yield and performance issues with their ambitious 10nm process technology has painted them into a corner with no good near-term options. So, they're going to push their 14nm++ tech for another iteration, adding cores, to (try to) re-establish clear superiority. Luckily for them, their 14++ is actually really good.
> >>
> >> Greg
> >>
> >> -----Original Message-----
> >> From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Brian Weeden
> >> Sent: Friday, July 6, 2018 9:03 AM
> >> To: hardware <hardw...@lists.hardwaregroup.com>
> >> Subject: Re: [H] Should I rebuild my machine now or wait until the next gen of CPUs?
> >>
> >> Thanks, Greg. That pretty much aligns with my thought process on this, so I guess it's good at least one other person is coming to the same conclusions I am :)
> >>
> >> Didn't know about the Ivy Bridge patches - will look into that more. But one of the reasons I haven't patched at all is that all the mitigations for older chips like mine have had significant performance penalties. And at this point that's a bigger issue for me than the security, as I'm not really in that big of a threat environment.
> >>
> >> But I plan to use whatever I buy for the next several years and it would be good to get something that's not going to have major structural vulnerabilities that will be problems that entire time.
> >>
> >> My major hangup with AMD is not the performance but rather the massive vulnerabilities found in their Ryzen chipset, all because they did a very poor job providing oversight of the company they outsourced it to. That doesn't speak well of their commitment to security in my mind.
> >>
> >> I had heard that Intel's 2018 lineup was delayed until next year as they try and fix all this stuff, but maybe that was just for their mobile chips?
> >>
> >> ---------
> >> Brian
> >>
> >> On Fri, Jul 6, 2018 at 2:20 AM, Greg Sevart <ad...@xfury.net> wrote:
> >>
> >> > Actually, your Ivy Bridge CPU had a new microcode revision with additional Spectre defenses released just this past Monday. While it's a long shot for your motherboard manufacturer to release a new FW update, it *is* likely to appear in an OS patch. CPU microcode can be and is loaded via multiple mechanisms, including during OS early boot. On Windows, your options are a bit more limited as you must wait for Microsoft to update their microcode patch.
> >> >
> >> > Microsoft's microcode patch information, which is ONLY available for Windows 10 1709 (or later?), can be found here:
> >> > https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
> >> >
> >> > It's something of a mess. As you may see, Ivy Bridge desktop CPUs are not listed explicitly, but I've heard reports of the patch taking effect on them anyway. Use a tool such as InSpectre or Get-SpeculationControlSettings in the PowerShell Gallery to verify your status post-update.
> >> >
> >> > With regard to an upgrade...hard to say. On the desktop side, with Ryzen, AMD has finally released a product that is competitive. Broadly speaking (i.e., on overall average), it is not clearly superior despite higher core counts, but very competitive and hence a viable option to Intel's Coffee Lake SKUs. If you're interested in HEDT, that's a bit harder to answer...for highly threaded workloads, the Threadripper/X399 platform wins on both performance and price (despite the dumb name and attempt to usurp Intel's existing platform naming scheme), but if single-threaded performance is more important, Skylake-X/X299 is still the better bet.
> >> >
> >> > CPUs with integrated defenses to the various Spectre variants are expected near the end of the year. As it stands now, performance-wise, Intel's silicon is more negatively impacted via existing mitigations, but not enough to make a meaningful difference in *most* client workloads for current silicon. Older CPUs (such as your Ivy) that do not support INVPCID are especially hurt by Meltdown's mitigation. Fundamentally, I don't think either one is substantially more secure if your mitigations are current. While we've already seen some since the initial 3 CVEs were announced, it's widely expected that more vulnerabilities will be discovered in the coming months and years as this new and novel class of attack vector is researched.
> >> >
> >> > Major items rumored to be coming soon-ish:
> >> > Intel desktop: Widely expected to have a new 8-core mainstream chip out sometime later this year.
> >> > Intel HEDT: Cascade Lake-X expected in Q4, up to 28C, though the series may span sockets. Maybe a 22C interim offering?
> >> > AMD desktop: Zen+ 2000-series just released offering minor improvements, Zen 2 expected next year.
> >> > AMD HEDT: Zen+ refresh of Threadripper expected soon, up to 32C.
> >> >
> >> > My personal take: I'd buy Intel for intensive, lightly-threaded workloads, and AMD for intensive, heavily-threaded workloads. Anything not intensive isn't going to be different enough to matter, so go with whatever floats your boat and/or wallet.
> >> >
> >> > Greg
> >> >
> >> > -----Original Message-----
> >> > From: Hardware [mailto:hardware-boun...@lists.hardwaregroup.com] On Behalf Of Brian Weeden
> >> > Sent: Thursday, July 5, 2018 9:45 PM
> >> > To: hwg <hardware@hardwaregroup.com>
> >> > Subject: [H] Should I rebuild my machine now or wait until the next gen of CPUs?
> >> >
> >> > Currently running a core i5-3750K with 32GB of RAM on my main machine, which I use for both work and gaming.
> >> >
> >> > Been looking to replace it for several months now, but have held off in part because of all the vulnerabilities that keep turning up in modern CPUs (Meltdown, Spectre, and all their variants). The thing is, my existing CPU is old enough that it doesn't support any of the mitigations, so I'm actually less secure now than if I bought a new CPU that at least had mitigations against the vulns (even if the new CPUs that actually fix them are 6-12 months away).
> >> >
> >> > So first question is, is the time right to go do this now?
> >> >
> >> > Second question is, Intel or AMD? Is one better off than the other from a security standpoint that's worth taking into consideration?
> >> >
> >> > ---------
> >> > Brian
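The verification step Greg recommends in the quoted message (Get-SpeculationControlSettings from the PowerShell Gallery), written out as an added example; this is not code from the original thread or from Microsoft. It assumes Windows 10 with PowerShell 5.1 or later and a reachable PowerShell Gallery on first run. The SpeculationControl property names (BTIHardwarePresent, KVAShadowRequired, KVAShadowPcidEnabled and so on) are those the module exposes; reading the loaded microcode revision from the CentralProcessor\0 registry key as the raw IA32_BIOS_SIGN_ID image with the revision in the upper 32 bits is this example's own assumption about the value layout, and the FeatureSettingsOverride check uses Microsoft's documented registry knobs.

```powershell
# Added example, not from the original thread: verify Spectre/Meltdown
# mitigation state on Windows 10 after an OS or microcode update, using
# Microsoft's SpeculationControl module as Greg suggests.
# Assumes PowerShell 5.1+ and PowerShell Gallery access on first run.

function Install-SpeculationControlModule {
    # Install for the current user only, so no elevated prompt is needed.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl
}

function Get-LoadedMicrocodeRevision {
    # Windows records the microcode revision in effect at boot under
    # CentralProcessor\0 as 8-byte REG_BINARY values. Assumption: the bytes are
    # the raw IA32_BIOS_SIGN_ID MSR image, with the revision in the upper DWORD.
    $key = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $cpu = Get-ItemProperty -Path $key
    $rev = {
        param([byte[]]$bytes)
        if ($bytes -and $bytes.Length -ge 8) {
            '0x{0:x}' -f [BitConverter]::ToUInt32($bytes, 4)
        }
    }
    $loaded   = & $rev $cpu.'Update Revision'
    $firmware = & $rev $cpu.'Previous Update Revision'
    [pscustomobject]@{
        Processor          = $cpu.ProcessorNameString
        LoadedRevision     = $loaded
        FirmwareRevision   = $firmware
        # Differing values mean Windows loaded newer microcode than the BIOS shipped,
        # i.e. the OS-delivered update Greg describes actually took effect.
        OsUpdatedMicrocode = ($loaded -ne $firmware)
    }
}

function Get-MitigationSummary {
    # -Quiet suppresses the module's narrative output and returns only the object.
    $s = Get-SpeculationControlSettings -Quiet
    $bti = $s.BTIHardwarePresent -and $s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled
    $kva = (-not $s.KVAShadowRequired) -or
           ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)
    [pscustomobject]@{
        # CVE-2017-5715 (Spectre v2, branch target injection): needs both new
        # microcode (IBRS/IBPB) and the Windows patch enabled.
        SpectreV2Mitigated   = [bool]$bti
        MicrocodeHasIbrsIbpb = [bool]$s.BTIHardwarePresent
        # CVE-2017-5754 (Meltdown): KVA shadow is Windows' PTI equivalent.
        # KVAShadowRequired is false on CPUs not affected (e.g. AMD).
        MeltdownMitigated    = [bool]$kva
        # Windows uses the PCID optimisation only when the CPU also supports
        # INVPCID (Haswell and later). Ivy Bridge lacks INVPCID, so this reads
        # false there and KVA shadow costs more, as the thread notes.
        KvaShadowUsesPcid    = [bool]$s.KVAShadowPcidEnabled
    }
}

function Get-MitigationPolicyOverride {
    # Microsoft's registry knobs for forcing mitigations on or off:
    # Override 3 / Mask 3 disables both Spectre v2 and Meltdown mitigations,
    # Override 0 / Mask 3 forces them on, absent values mean OS default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureSettingsOverride     = $p.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $p.FeatureSettingsOverrideMask
        ExplicitlyDisabled          = ($p.FeatureSettingsOverride -eq 3 -and
                                       $p.FeatureSettingsOverrideMask -eq 3)
    }
}

Install-SpeculationControlModule
Get-LoadedMicrocodeRevision  | Format-List
Get-MitigationSummary        | Format-List
Get-MitigationPolicyOverride | Format-List
```

Run it from an ordinary user prompt before and after the microcode KB installs. If LoadedRevision still equals FirmwareRevision afterwards, the OS-delivered microcode did not apply to that SKU and SpectreV2Mitigated will stay false regardless of the Windows patch; if it did apply, the remaining question for an older part is KvaShadowUsesPcid, which tells you whether you are paying the larger Meltdown-mitigation cost that comes without INVPCID.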