Oh no.
If you get caught we’ve never met.
Good supplier for an offline supercluster 😄 I’ll let my grant manager know.
I’m curious if there’s a silver lining of all current DRM keys being accessible through this.
Bwahaha I’m safe with my i5 3450, gotta look at the brighter side of my dumpster fire of a pc
What does that even mean for me (has Debian running on a 2015 MacBook with Intel processor).
Will I get such a driver patch somehow?
deleted by creator
It’s the AVX-2/AVX-512 instructions that have issues. In most cases unless you’re running a server CPU (or extremely recent consumer CPU) you’ll be fine.
Scary for HPC/AI? Yes. For most people? Not really.
AVX-2 has been in pretty much every CPU since 2011. For AVX512 intel’s been shipping that to consumers since Ice Lake 2019.
I just checked my package updates on my Debian server and there is a new update for the Intel-Microcodes available already.
Every article is a copy paste of the same bullshit talking about the vulnerability and pointing to the stupid cryptic list of processors that requires you to jump through hoops to read it. You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it? Why with a microcode update of course!!..from where you ask? Well don’t worry just look at the cryptic list it will tell you if you need a microcode update!!
Fuck every article about this shit. Anyone wanna bust an Eli5 on how to fix this problem for people? (I was assuming it’s a BIOS update but the articles have only confused me further)
I just found this on the page where they list effected models:
“Note The latest software can be obtained through operating system or VMM vendors”
It’ll probably just be something that happens through ordinary OS updates tbh (though I understand you’d rather know one way or another.)
Are you using Windows or macOS? If so you don’t have to do anything. You can just wait and a new update will be available to you soon.
And, just FYI, the fix is already out for Linux.
You can’t just search for your processor in a database I mean fuck that would take them at least an a couple hours of their precious time to set up and they have only had a year. How do you fix it?
This page tells you how to get your CPUID: https://www.intel.com/content/www/us/en/support/articles/000006831/processors/processor-utilities-and-programs.html
Then search for the CPUID here: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
I figured out how to do it fairly quickly but it would be a hell of a lot easier if people could just type in “11700K” in a box on a web page or something and it could just tell them. Or they could have added a little bit of code to their CPU ID utility that says “yupp your processor is effected by the flaw”. I am mostly annoyed at all this not for me but for all the people who would read those pages and the contents would seem like an insane foreign language to them all while articles are telling them it’s a major security flaw that would allow people to steal their encryption keys.
. Or they could have added a little bit of code to their CPU ID utility that says “yupp your processor is effected by the flaw”.
That is a fair point.
ELI5, or ELIAFYCSS (Explain like I’m a first year CS student): modern x86 CPUs have lots of optimized instructions for specific functionality. One of these is “vector instructions”, where the instruction is optimized for running the same function (e.g. matrix multiply add) on lots of data (e.g. 32 rows or 512 rows). These instructions were slowly added over time, so there are multiple “sets” of vector instructions like MMX, AVX, AVX-2, AVX-512, AMX…
While the names all sound different, the way how all these vector instructions work is similar: they store internal state in hidden registers that the programmer cannot access. So to the user (application programmer or compiler designer) it looks like a simple function that does what you need without having to micromanage registers. Neat, right?
Well, problem is somewhere along the lines someone found a bug: when using instructions from the AVX-2/AVX-512 sets, if you combine it with an incorrect ordering of branch instructions (aka JX, basically the if/else of assembly) you get to see what’s inside these hidden registers, including from different programs. Oops. So Charlie’s “Up, Up, Down, Down, Left, Right, Left, Right, B, B, A, A” using AVX/JX allows him to see what Alice’s “encrypt this zip file with this password” program is doing. Uh oh.
So, that sounds bad. But lets take a step back: how bad would this affect existing consumer devices (e.g. Non-Xeon, non-Epyc CPUs)?
Well good news: AVX-512 is not available on most Intel/AMD consumer CPUs until recently (13th gen/zen 4, and zen 4 isn’t affected). So 1) your CPU most likely doesn’t support it and 2) even if your CPU supports it most pre-compiled programs won’t use it because the program would crash on everyone else’s computer that doesn’t have AVX-512. AVX-512 is a non-issue unless you’re running Finite Element Analysis programs (LS-DYNA) for fun.
AVX-2 has a similar problem: while released in 2013, some low end CPUs (e.g. Intel Atom) didn’t have them for a long time (this year I think?). So most compiled programs wouldn’t compile with AVX-2 enabled. This means whatever game you are running now, you probably won’t see a performance drop after patching since your computer/program was never using the optimized vector instructions in the first place.
So, the affect on consumer devices is minimal. But what do you need to do to ensure that your PC is secure?
Three different ideas off the top of my head:
-
BIOS update. The CPU has a some low level firmware code called microcode which is included in the BIOS. The new patched version adds additional checks to ensure no data is leaked.
-
Update the microcode package in Linux. The microcode can also be loaded from the OS. If you have an up-to-date version of Intel-microcode here this would achieve the same as (1)
-
Re-compile everything without AVX-2/AVX-512. If you’re running something like Gentoo, you can simply tell GCC to not use AVX-2/AVX-512 regardless of whether your CPU supports it. As mentioned earlier the performance loss is probably going to be fine unless you’re doing some serious math (FEA/AI/etc) on your machine.
-
List of processors without redirect referrer: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
deleted by creator
I’m pretty sure the 8008 is fine.
deleted by creator
Isn’t the i7-7700k a kaby lake processor?
deleted by creator
I’m dumber, can you tell me how to find the numbers after the dash? Mine is an i5, that’s all I know.
Edit: On linux. Sorry, should’ve specified, I’m so used to everyone on lemmy running linux lol.
'Nother edit: i5-5200U, “Broadwell-U” version. So looks like I’m good (and this pc is 5yr newer than I thought lol.)
Probably search files/run in the start menu, then type dxdiag
That’s what it normally is on Windows, I can’t remember the Linux command
On linux, but thanks anyway!
inxiIn the terminal should do it
Thank you!
cat /proc/cpuinfo It’s verbose, but it should also list the known processor vulnerabilities that are already worked around by the kernel
Thank you!
Check out the processor in Task Manager’s Performance tab
Linux! But thanks!
Well I had expected someone running linux to know that lol
Well you expect wrong! Lol tbh it isn’t often I need to know the specific model of processor I have, typically “sticker says i5” works just fine, but this time not so much lol.
I don’t know how much you care about this, but even within each product class (i5, i7, etc) there can be a huge performance delta between specific models, especially in laptop chips. The same applies to AMD.
This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.
So just continue not letting people use my computer, got it. Very simple fix.
Shared use of servers is probably the main issue
It appears that users in this case include agents such as software. A bit confusing for the general public.
For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages.
It can theoretically even be exploited via a browser:
[Q] What about web browsers?
[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.
I think it also means software running can access other software’s memory which is probably bad but personally I’m not keen for that performance hit on my desktop
Anyway.Run AMD.AMD isn’t perfect either…
…All Ryzen and Epyc processors were found to have a very similar bug not too long ago, it’s actually addressed in the article. You might want to read it…
Here is a good write-up of Zenbleed for the Ryzen 2 and up vulnerability. It uses similar register optimisation and speculative execution to get the same effect.
My old-ass Ivy Bridge: Oh no! Anyway…
Good thing my CPU is ancient.
> Downfall
Is the Intel CEO holed up in a bunker and raging at his chip designers?
If it’s anything like the industry that I work in, the CEO would have been informed of the short comings of the design numerous times and given a response along the lines of “does it make our CPUs faster and more powerful though?”.
The CEO won’t be pissed of at his chip designer, they’ll be pissed because they’ve been caught out.
Given that the AMD vulnerability was called “Inception,” maybe they just like using movie titles to name CPU vulnerabilities?
They really should be recalled like they were forced to when the fdiv bug happened https://en.wikipedia.org/wiki/Pentium_FDIV_bug
Recall billions of processors?
I hate Intel as much as the next person, but I don’t want them to disappear overnight generating a unimaginably large processor shortage.
Blame the patent duopoly for making them too-big-to-fail™
We have a lot of that going on, but blame won’t fix the outcome. Can’t pass any laws to fix it, the government is run by the politicians.
Then subsidize them for the recall, and take a percentage of their profits every year until it’s paid back. How is it OK to pass on a manufacturer defect to all consumers?
I’m not saying that it’s not a shit sandwich. I am saying that if Intel shut down right now we’d be pretty fucked. It would be far more likely for them to shut down production and walk away, start selling off patents and equipment. The strain it would put on arm to pick up the gauntlet would probably mean you’re not going to see a new cell phone, television or new car for the next few years.
What the hell are they going to do for a recall anyway? Are you going to have them go back 5 years and try to recreate every model of CPU between then and now? None of those motherboards are going to support new things.
You get your five or $600 back on your CPU which ends up being $50 by the time it comes out of arbitration, now you need not only a new CPU but a new motherboard.
It’s like wrecking your 15-year-old beater car, insurance company gives you $150 and says go find yourself a new car.
edit: Look, Intel is worth 150 billion. if they paid $50 per processor for a couple billion refunds, they’d just go bankrupt. They’re going to run for years subsidized making 0 profit and losing all their talent. It wasn’t their intent to screw it up, but here we are. There’s a patch that makes slow processors slower honestly, that’s the end of their responsibility other than to help people get it installed.
Seems very similar to Zenbleed in terms of using certain register optimisation and speculative execution to get crippling security exploits. Thus far I haven’t read too much into the detail of the attack but This article on Zenbleed, written by the attack’s author, describes how the attack in detail and how he came to find it using fuzzing techniques - in this case two sets of instructions that should have had the same result, but they didn’t.
The write-up for this one is presumably this one.
Yikes the performance hit is scary but if you’re running a server, what option do you have?
