
AMD Immune to MDS Vulnerabilities - Boulth
https://www.tomshardware.com/news/amd-mds-vulnerability-immune-intel,39367.html
======
tcoff91
What kind of performance penalty do all of these patches combined have on
intel chips? I’m curious how much slower an intel chip is now versus before
meltdown.

~~~
citilife
It looks like there is generally an 18% - 40% performance hit with meltdown[1]:

> On Linux distributions like Ubuntu 18.10 and Clear Linux the mitigation
> costs were about ~18% while both RHEL 8 Beta and openSUSE 15.0 had a nearly
> 40% hit.

If we look at MDS mitigation for older Macs[2], it could be 40%:

> Intel MDS Vulnerabilities Affecting 7th Gen And Below May Slow Macs By Up To
> 40%, Apple Warns

If we look at MDS mitigation generally (if Intel is to be believed) we are
looking at ~10% for most use cases[3].

> Intel's benchmarks show a 6-14 percent drop in storage performance on a
> couple of Xeon processors, both with Hyper Threading enabled. Assuming that
> Intel is not showing a worst case scenario in any of these benchmarks, the
> hit to storage could be even bigger.

> It's in workstations and data centers that mitigations are likely to have
> the biggest performance impact, depending on the workload. In a separate
> graph, for example, Intel shows a 19 percent drop in "server side Java"
> performance after disabling Hyper Threading on a Xeon Platinum 8180
> processor (compared to having it turned on).

In other words... in total I have no idea what we'll be seeing. However, if we
don't look at just "raw performance" in benchmarks when buying CPUs, AMD is
likely a better purchase for most use cases at this point.

[1] https://www.phoronix.com/scan.php?page=article&item=spec-melt-8way&num=2

[2] https://wccftech.com/intel-mds-vulnerabilities-affecting-7th-gen-and-below-may-slow-macs-by-up-to-40-apple-warns/

[3] https://www.pcgamer.com/intel-posts-benchmarks-showing-performance-impact-of-new-cpu-flaws/

~~~
the8472
Phoronix just released new benchmarks covering MDS mitigations and the
combined costs of all mitigations.

https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=1

~~~
nullwasamistake
For the lazy: "If looking at the geometric mean for the tests run today, the
Intel systems all saw about 16% lower performance out-of-the-box now with
these default mitigations and obviously even lower if disabling Hyper
Threading for maximum security. The two AMD systems tested saw a 3%
performance hit with the default mitigations. While there are minor
differences between the systems to consider, the mitigation impact is enough
to draw the Core i7 8700K much closer to the Ryzen 7 2700X and the Core i9
7980XE to the Threadripper 2990WX."

Not looking good for Intel at the moment. It should also be noted that there's
believable rumors that the mitigations are not fully effective unless
hyperthreading is disabled.

~~~
makomk
I don't think it's just rumours. Microsoft, Apple and Red Hat have said that
full mitigation requires disabling hyperthreading. While Intel don't recommend
doing so, their justification for this is that most people don't actually
_need_ process protection anyway. They also note that "it’s important to
understand that doing so does not alone provide protection against MDS", which
is true - you need to disable hyperthreading _and_ apply additional
performance-sapping mitigations which require both microcode updates and
operating system support. The hyperthreading-based variants seem to be a lot
more powerful than the ones fixed by the other mitigations though.

~~~
nullwasamistake
Wow, that's bad. With the mitigations + HT off we're looking at more than 40%
performance penalty for the average benchmark based on their stats.

------
dontbenebby
What's a good Linux friendly laptop which uses AMD?

~~~
zachruss92
My recommendation here is to wait a couple of months until Ryzen 3 comes out
in laptops. While an IPC boost is nice (rumors are between 10% - 20%) the real
reason I say this is because the new 7nm process should net a significant
reduction in energy consumption. AMD's demo of Zen 3 in January showed their
8c/16t CPU performed almost identically to Intel's 9900k with 1/3 less power
consumption.

~~~
pmarcelll
Ryzen Mobile 3000-Series was already launched at CES, it's already available
in certain models. It's also worth mentioning that these are 12nm chips based
on Zen+, not 7nm and Zen 2 (the new architecture launching in a couple of
weeks).

~~~
klingonopera
Yep. The 7nm is coming in Q3/Q4 as the Ryzen 3000 for _desktop_, the mobile
ones based on 7nm aren't even on the roadmap yet, and if they were, they would
be the _mobile_ Ryzen 4000 series.

------
Maledictus
I don't understand why hyperthreading needs to be turned off for maximum
security? Wouldn't restricting it to only allow simultaneous threads that are
part of the same process be enough?

~~~
boulos
While that definitely restricts the attack surface, there are still situations
where you are running untrusted code within a process (e.g., JITed code
whether JavaScript or something else like eBPF). So it would require not only
the kernel scheduler to be careful about scheduling threads to cores, but
these applications as well (which is not something most people have ever
bothered with, setting thread affinity for performance, yes, for security, not
really).

~~~
Maledictus
That makes sense, thank you.

------
wiradikusuma
Since we're also talking about CPU in general here..

I'm building a PC, initially wanted to use Intel because of hackintosh. But I
don't think it's justified to have an already expensive CPU (Intel is more
expensive than AMD) gets throttled down again due to patches.

So now I'm considering AMD. What would you recommend for developer? I will use
it for Android, Docker and occasionally gaming.

(I'm aware that I most likely won't have hackintosh due to AMD)

~~~
qalmakka
You can find brand new Ryzen 7 2700X (8 cores) for very reasonable prices
after the last price cuts (we're a few months away from the 7nm ryzen 3rd
gen).

If it's still too much a Ryzen 5 2600(X) (6 cores) is still a very good
processor for almost any use case.

About hackintosh and AMD, that's not only possible, but also not too
complicated to achieve on Mojave (see https://vanilla.amd-osx.com/ for more
details). Older versions
required using custom AMD kernels, but some guy figured out how to patch the
vanilla kernel for Ryzen and Bulldozer straight from Clover; it's not as
simple as using Intel, but it's much easier than it was a few years back.

------
pilmihilmipilmi
Is there an option to turn off all mitigations? A public hoster is different
to my local build server where security is not an issue and only performance
counts.

~~~
quantummkv
Linux 5.2 is supposedly introducing a flag that does exactly what you want.

https://www.phoronix.com/scan.php?page=news_item&px=Spectre-Meltdown-Easy-Switch-52
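The thread above makes two points a defender would want to verify on a real box: that the default MDS mitigation leaves SMT exposed unless hyperthreading is off, and that Linux 5.2's kernel switch can turn mitigations off entirely. The POSIX shell check below is an added example, not code from the thread or from any project it mentions: it classifies the MDS status line the kernel exposes under `/sys/devices/system/cpu/vulnerabilities/mds` (the wording documented in the kernel's `hw-vuln/mds.rst`) and the SMT control state, so a build or host inventory can flag machines that are only partially mitigated or that boot with `mitigations=off`. The sample status lines in the test are constructed from that documented format.

```shell
#!/bin/sh
# Classify the kernel's MDS status line into a short verdict. The strings
# matched here are the ones the kernel documents for the mds sysfs file;
# "SMT vulnerable" is the default state the thread warns about (mitigation
# applied, hyperthreading still on), so it is reported as partial.
mds_verdict() {
  case "$1" in
    "Not affected")                                          echo "not-affected" ;;
    "Mitigation: Clear CPU buffers; SMT disabled")           echo "fully-mitigated" ;;
    "Mitigation: Clear CPU buffers; SMT mitigated")          echo "fully-mitigated" ;;
    "Mitigation: Clear CPU buffers; SMT vulnerable")         echo "partial-smt-on" ;;
    "Mitigation: Clear CPU buffers; SMT Host state unknown") echo "partial-host-unknown" ;;
    Vulnerable*)                                             echo "vulnerable" ;;
    *)                                                       echo "unknown" ;;
  esac
}

# Classify /sys/devices/system/cpu/smt/control ("on", "off", "forceoff",
# "notsupported", "notimplemented"). Anything other than "on" means sibling
# threads cannot share a core, which is what "maximum security" above means.
smt_verdict() {
  case "$1" in
    on)                             echo "smt-on" ;;
    off|forceoff)                   echo "smt-off" ;;
    notsupported|notimplemented)    echo "smt-unavailable" ;;
    *)                              echo "unknown" ;;
  esac
}

# Detect a host booted with mitigations=off (the Linux 5.2 switch): the kernel
# then reports MDS as "Vulnerable" even though the CPU is affected. Takes the
# kernel command line and the mds status line so it can be tested offline.
mitigations_disabled() {
  case " $1 " in
    *" mitigations=off "*) [ "$(mds_verdict "$2")" = "vulnerable" ] && echo "yes" || echo "no" ;;
    *)                     echo "no" ;;
  esac
}

# Live report for a Linux host; on other systems the files are simply absent.
live_report() {
  vuln=/sys/devices/system/cpu/vulnerabilities/mds
  smt=/sys/devices/system/cpu/smt/control
  [ -r "$vuln" ] && printf 'mds: %s\n' "$(mds_verdict "$(cat "$vuln")")"
  [ -r "$smt" ]  && printf 'smt: %s\n' "$(smt_verdict "$(cat "$smt")")"
  [ -r /proc/cmdline ] && [ -r "$vuln" ] && \
    printf 'booted with mitigations=off: %s\n' "$(mitigations_disabled "$(cat /proc/cmdline)" "$(cat "$vuln")")"
  return 0
}
```

Run `live_report` on the host; a `partial-smt-on` result with `smt-on` is the configuration the thread describes as mitigated-but-not-fully.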

------
beenBoutIT
When the AMD equivalent of MDS is made known and given an acronym it will be
an acronym that Intel is immune to.

~~~
rossdavidh
While it is no doubt true that there are likely some vulnerabilities in AMD's
chips that don't exist in Intel's, it is also true that because Intel has a
larger market share, that's where most of the work is going to be done to find
vulnerabilities, by the bad guys as well as security researchers. Much like
how Microsoft Windows used to have a lot more security problems than any other
OS, because they had >90% market share, so no one bothered to develop malware
for anything else.

Monocultures invite epidemics.

~~~
alexozer
I'm not exactly sure the monoculture argument is valid for Windows vs. Linux
though; Linux still dominated server usage while Windows was attacked more
often, despite the fact that you could potentially reap a much greater reward
infecting a server. Unix-based OSs were just inherently more secure for the
most part.

~~~
rossdavidh
While it's certainly true that Linux does much better on servers than
laptop/desktops, I don't think it ever got to the >90% market share that
Windows had on laptop/desktop (although admittedly that depends on whose
estimates you look at). But servers certainly do differ in regard to
monoculture in important ways, relative to laptop/desktop.

It's also possibly significant that Linux on servers is split between Redhat
and Ubuntu and others, who have some non-trivial differences in regards to
security updates, etc.

None of which means that Unix-based OSs don't have inherent advantages in
regard to security, just that not having a monoculture target on their
forehead also helps.

