Hacker News
Intel Security Issue Update: Initial Performance Data Results for Client Systems (intel.com)
86 points by taspeotis on Jan 12, 2018 | 40 comments

Much more so than the bugs themselves, it seriously undermines my confidence in Intel that in this time of emergency, they can't bring themselves to address customers with straight talk.

Clear information should take precedence over mitigating liability. Yet it's fallen to others to explain defects in their products, and people are even mostly left guessing what their attempts to fix things actually do.

Screwups happen. But do I want to go live through the consequences of one with this vendor at my side ever again?

Intel is in trouble. They've lost mobile and they're in danger of losing desktop/laptop and cloud. While AMD is some threat there, the much larger threat comes from high performance ARM64 cores. Intel would rather see AMD take market share from them than ARM, since at least AMD Ryzen is still an x64 core and will keep the architectural center of gravity in Intel's area.

Of course their longer term strategy seems to be to get ahead in areas like quantum and neuromorphic computing. This is going to keep them relevant in the long term, but in the medium to short term they could have difficulties.

Intel is also in trouble in the sense that they have multiple class action lawsuits filed against them regarding meltdown/spectre. Anything they publicly say will no doubt be used against them if possible.

I do not understand this. I get that for Meltdown, but Spectre affects almost all processors available. What grounds do they have for litigation?

Do you really think this was a screwup ?

Intel is a company that has a highly hierarchical structure and a very thorough process of product development and market approach. Add to that that they are historically one of the key examples of a company that plans their strategy many years ahead, and I find it way more sane to default Meltdown to a premeditated, conscious decision/trade-off on their part. Like the VW emissions scandal but worse.

"We think long term at Epic. We're like Intel. We look at what we're going to do in five to ten years from now, and set our direction that way..." Tim Sweeney in a Kotaku interview 2011

It's not obvious (at least to me) that Meltdown is caused by a performance optimization. The fix to Meltdown introduces a pessimization, sure, but that's not necessarily the same thing.

Meltdown could be a simple bug that doesn't incur a perf loss when designed for properly, but happens to require an expensive fix in the field. Does anyone know?

The performance hit is (supposedly) much more significant on Haswell and older, which they forgot to include.

Specifically, the oldest generation they tested (Skylake) is the first to have the PCID feature that avoids the complete TLB flush on every syscall.

Continuing with their strategy of full transparency..

> (Skylake) is the first to have the PCID feature

PCID was introduced with Westmere (2010). [1]

However it wasn't used in the Linux kernel until 4.14 because no one saw the need. [2]

[1] https://www.realworldtech.com/westmere/

[2] https://stackoverflow.com/questions/20155304/does-linux-use-...

But only Haswell added INVPCID.

This is the key. Without INVPCID PCID is good as useless.

How convenient.

I own haswell and haven't felt any performance impact...

    > For context, on newer CPUs such as on Skylake and
    > beyond, Intel has refined the instructions used to
    > disable branch speculation to be more specific to
    > indirect branches, reducing the overall performance
    > penalty of the Spectre mitigation.

Haswell and Broadwell introduced INVPCID support, unless there were further undocumented improvements I'm not entirely sure what this is based on.

“users who use web applications that involve complex JavaScript operations may see a somewhat higher impact (up to 10 percent based on our initial measurements).”

Ok so that’s probably most websites these days?

Yeah, my first thought was "Oh, so Gmail will be much slower then?"

Intel seems to be trying as hard as possible to define narrow scenarios in which the performance drop isn't too big and only mentioning those. In its first benchmarks, for instance, it only tested a six-core 8700K, one of its highest-end consumer products, because obviously the percentage drop would be lower on high-performance machines than on slower ones.

I have to say I am pretty PO'd regarding this. A month ago I JUST finally bought a nice new i3-7100 PC to replace my 10yo Core2Duo for Christmas. Office tasks, web games for kid, work, etc.

I have measurably noticed the decrease in speed in various web benchmarks. Enough to make it feel like I was misled in what I thought I had purchased. I wrote down two tests I did the day I first brought the PC home and have run them many times since the first patches hit Windows 10. I got two clear hits: a small hit with the Windows 10 patch, then another hit with the CPU microcode update (through a BIOS update released by Lenovo).

Windows10 x64 1709

Edge: JetStream: 271 in Dec, 246 today. -9.2%

Edge: MotionMark: 307 to 245. -20%!

Firefox: JetStream: 199 in Dec on FF-57, 175 today on FF-57.0.4. -12%

That is bad enough to me that I would just take this PC back to store for money back if it was still within return timeframe. I'd rather just wait for this to be fixed at the hardware level now or wait for a Zen APU in a few months. Imagine you bought a car a month ago and today got 9-20% LESS horsepower because of a "Fix".

I can only imagine how upset cloud providers must be at this. Or any company needing every ounce of CPU performance they paid for. AutoCAD farms/rendering comes to mind.

I hope there is a class action lawsuit for anyone who bought Intel CPUs. Obviously pro-rated by how long ago you purchased. I'd definitely sign up at this point for some $ back. Problem is it will only be like $5 in my pocket after the lawyers get their payday.

It's interesting to think that every CPU comparison benchmark online is invalid now. With these number, I wonder how AMD is shaping up to Intel?

When I bought a 7700k over the summer, I went by benchmarks which showed it over Ryzen for most non-parallel workloads. I suspect these numbers bring Ryzen much closer if not beyond. With all these old benchmarks online, CPU shoppers are likely to be misled.

Thinking further, I wonder how benchmarkers patch machines? Will they keep anti-virus enabled so that they receive the 2018-01 patch?

Even in these PR figures, the SYSMark 2014 SE Responsiveness test results, a benchmark addition which was specifically created to unearth pain-points in typical everyday user activities, gets a serious wallop.

> New “Responsiveness” scenario. Workloads include: application launches, file launches, web browsing with multiple tabs, multi-tasking, file copying, photo manipulation, file encryption + compression, and

gone down to 86% :-(

> As of today, we still have not received any information that these exploits have been used to obtain customer data. We know our customers are eager for updates, and via this blog, I will personally communicate with you the information that we have to share today and in the future.

Seriously? So to Intel, the whole world just overreacted?

It always bugs me when companies say they don't have any evidence of an exploit being used. It's completely meaningless without knowing how hard they looked.

The original Project Zero announcement also contained the fact that they aren't aware of in-the-wild exploits, does that mean they say they themselves are overreacting, or are they merely providing information?

It's too early to say, it's not known _yet_. Are you waiting for a first case to fix your bugs?

Where are they saying anything about not fixing bugs? And like it or not, with the issues of the available patches breaking machines, virus scanner incompatibilities, ..., organisations will have to make decisions about when to patch.

I said it sounded like they were saying "the world just overreacted, and if you insist on promptly applying the patch, they'll provide it". It's about the tone of their first statement. And you're misrepresenting my point here.

And I really do not see how you get a "the world just overreacted" tone from this post or specifically from your quote; I did not intend to misrepresent your point. Their overall communication strategy has been pretty bad, but this instance seems fine to me. It's providing information. I guess they should even provide more information against patching, since they don't talk about the issues the fixes can cause.

It seems like you're the one misleading and claiming something that isn't there.

OT, but that guy's picture seems amazingly inappropriate for the topic and unsettling in general.

It's not that off-topic. It's really bizarre in this context; it's the kind of appeal to "ethos" that you see in all sorts of B2B marketing.

Surely this is written by his PR department and the techies are ashamed of the numbers & interpretation.

I'm having trouble reading the table, surely they could have presented it as a graph?

Is this fixable in the next generation in hardware, or is this a permanent tax on performance going forward?

What I mean is (using a hypothetical): Suppose there's a flaw in the arithmetic unit (e.g. integer division). There's a microcode update, all integer divisions are correct, but run at 86% of previous performance. In next generation, the hardware is fixed and performance will be back up to 100% of designed performance.

Does the same type of handwaving apply to these types of security exploits?

I think Intel can take the same approach as AMD for some of the issues. For this remaining issue, I think there might be solutions with minimal performance impact when you are doing a full chip redesign. For example, have a separate branch prediction hardware for privileged code execution? An additional cache area for speculated reads?

Any data on older processors? For example, I run a Sandy Bridge 3930K but didn't see anything?

Also how far back are they going to patch?

    > [...] Intel expects to have issued updates for more
    > than 90 percent of processor products introduced within
    > the past five years.

Sandy Bridge is older than that.

Is SB going to remain unpatched? Those systems are still perfectly fine for consumer use. I hope business starts selling them off cheap.

Looks like Sandy Bridge is going to remain unpatched. That doesn't mean that your OS, compiler and so on won't get updates though.

With what mitigation config? IBRS? IBPB?
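
The two practical questions raised in this thread, whether a given CPU has PCID and INVPCID (which decides how expensive the Meltdown page-table-isolation fix is) and which Spectre v2 mechanism (retpoline, IBRS, IBPB) the kernel actually enabled, can both be answered from a Linux host without a benchmark run. The script below is an added example, not code from the Intel post or from any commenter. It assumes a Linux system where CPU flags are in /proc/cpuinfo and, on kernels that expose it (4.15 and later, and distribution backports), the active mitigation is reported under /sys/devices/system/cpu/vulnerabilities/. The embedded cpuinfo excerpt and sysfs strings are constructed samples so the script runs offline; the function names are mine.

```python
"""Report PCID/INVPCID availability and the kernel's Meltdown/Spectre status.

Added example, not from the Intel post or the thread. Assumes Linux paths
/proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/*; falls back to
the constructed samples below when those are absent (e.g. on non-Linux).
"""
from pathlib import Path

# Constructed sample: a Westmere-class flags line, which has pcid but not
# invpcid (INVPCID arrived with Haswell, as the thread notes).
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat \
pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc pni \
pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes lahf_lm pcid
"""

# Constructed sample of the sysfs vulnerability files on a 4.15-era kernel.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB",
}

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def parse_flags(cpuinfo_text):
    """Return the feature-flag set from the first 'flags' line of cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def pti_cost_class(flags):
    """Classify the expected TLB cost of the Meltdown fix (PTI/KPTI) from flags.

    With PCID the kernel can tag TLB entries per address space instead of
    flushing everything on each user/kernel switch; INVPCID adds selective
    invalidation. Whether PCID alone is used is OS-dependent (the thread
    notes Windows wants INVPCID too), so that case is flagged as uncertain.
    """
    if "invpcid" in flags:
        return "pcid+invpcid: cheapest PTI, selective TLB invalidation available"
    if "pcid" in flags:
        return "pcid only: TLB tagging possible, but OS may still do full flushes"
    return "no pcid: PTI must flush the whole TLB on every kernel entry/exit"


def spectre_v2_mitigation(vulns):
    """Return the kernel's spectre_v2 string and which mechanisms it names."""
    status = vulns.get("spectre_v2", "unknown")
    lowered = status.lower()
    mechanisms = [m for m in ("retpoline", "IBRS", "IBPB") if m.lower() in lowered]
    return status, mechanisms


def read_host():
    """Read the live host if the Linux interfaces exist, else use the samples."""
    cpuinfo = Path("/proc/cpuinfo")
    text = cpuinfo.read_text() if cpuinfo.exists() else SAMPLE_CPUINFO
    if SYSFS_VULN_DIR.is_dir():
        vulns = {p.name: p.read_text().strip() for p in SYSFS_VULN_DIR.iterdir()}
    else:
        vulns = dict(SAMPLE_VULNS)
    return text, vulns


def report(cpuinfo_text, vulns):
    """Build the human-readable summary as a list of lines."""
    flags = parse_flags(cpuinfo_text)
    status, mechanisms = spectre_v2_mitigation(vulns)
    return [
        "pcid: %s  invpcid: %s" % ("pcid" in flags, "invpcid" in flags),
        "meltdown fix cost class: " + pti_cost_class(flags),
        "meltdown: " + vulns.get("meltdown", "unknown"),
        "spectre_v2: %s (mechanisms: %s)" % (status, ", ".join(mechanisms) or "none"),
    ]


if __name__ == "__main__":
    for line in report(*read_host()):
        print(line)
```

On a live Linux box `python3 script.py` prints the host's own flags and mitigation strings; with no sysfs interface it prints the constructed sample, which is the case the thread is arguing about: PCID present, INVPCID absent, retpoline plus IBPB active and IBRS not in use.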
