Thanks for clarifying that. Do you have any information on whether AMD is wrong in claiming that their architecture is not vulnerable?

On Thu, Jan 4, 2018 at 11:29 AM, Alex Elsayed <eternaleye@gmail.com> wrote:

On Jan 4, 2018 07:37, "Jeroen "Slim" van Gelderen" <askslim@gmail.com> wrote:
On Wed, Jan 3, 2018 at 4:37 PM, Alex Elsayed <eternaleye@gmail.com> wrote:
In addition, Intel has published a press release, claiming that this
issue (counter to some claims elsewhere) does in fact affect other
vendors and architectures:

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

Contrary to the PR, Intel CPUs do indeed have a design flaw aka bug which makes them vulnerable to Meltdown. Meltdown has not been reproduced on ARM or AMD and AMD thinks Meltdown is not applicable to their chips due to architectural differences.

The Spectre attack is the attack that is applicable across the board.

As far as Linux is concerned only Intel machines will be hit with the KPI-related slowdown (5%-30%) since KPI will be disabled on AMD CPUs. (And I assume this goes for Windows too.) This looks bad for Intel, hence the FUD.

It's a bit more nuanced than that. First of all, section 6.4 of the Meltdown paper is quite clear: non-Intel CPUs _do_ still perform the problematic access; it's the particular covert channel they use to extract the information from it that does not port over. Many expect this to change; the authors themselves see that whether AMD or ARM are affected is _unknown_, not that they are unaffected.

Second, the patch from AMD to disable KPTI has not been accepted AFAIK, and AArch64 is adding KPTI.

Third, Meltdown is a _less severe_ attack by far compared to Spectre. Meltdown can be addressed by KPTI, but some forms of Spectre use little besides the BTB, which is known[1] to be infeasible to flush in software.

Fourth, Intel (and I) posted that link _prior_ to the release of the papers, at a time when all that was known to the public was "very serious vulnerability in speculative execution" - its claims should be read in that context.

[1]: https://arxiv.org/abs/1612.04474




--
Jeroen "Slim" van Gelderen