Latest news:
- Reading the tech docs by Horn I find it incredibly interesting that the "Spectre variant #1" problem is basically the same thing as a statistical timing on password validation algorithms, much like PHP faced when it decided to write its own constant-time password handling routines. So this really isn't a pipeline leak flaw per se, it's using timing of a read to determine if an out-of-bounds read was cached or not, to determine inaccessible memory a bit at a time. Most of the non-tech articles make it sound like Intel made some horrible buggy design choice. But just as no one thought about password compare timing attacks 20 years ago, so no one thought about timing attacks on the cache subsystem. I certainly didn't. These attack vectors are getting insanely smart, and now that the timing genie is out of the bottle I expect timing flaws to pop up everywhere.
- Looks like Intel is releasing firmware (and patches) that addresses the two (actually, three) issues. Not sure how much it actually addresses, or how it's doing it. Regardless, looks like Intel's fixes will trigger the 5-30% performance hit. They claim future updates will "mitigate that impact" through "improvement" (read: optimization). I, for one, am not buying the feel-good press releases that make it sound like one fw update and you can ignore this issue. What Intel is doing/saying directly contradicts numerous other "firmware can't fix it" reports elsewhere.
- Intel is only releasing updates for products "introduced within the past five years", so far. My take is you won't see much work on stuff older than that. So there goes a ton of systems I manage -- my M.O. is to squeeze extra life out of good ECC boxes. Also, if all this new fw is mobo-targeted, this won't help the vast majority of the world who has Taiwan-Inc 3rd party mobos. They will have to release new fw, and my guess is Tier-2 Taiwan-Inc aren't going to go back 5 years like Intel is.
- Will fw fixes cause OS devs to not double-fix the same problems? Methinks Linus et al will not tolerate the hw-vendor mantra of "screw those with 5+ year old hw". A best-case scenario would be OS vendors completely working around these flaws (if possible) and Intel (et al) working to implement complementary microcode tweaks that reduce the performance impact.
- Apparently Google has a "chip-level patch" (i.e. microcode?) that vastly reduces the performance hit. They call it "Retpoline". Not sure how that's going to fit into the equation.
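The password-compare analogy in the first item is easy to make concrete. The following is an added example, not code from the post: it shows the early-exit string comparison that leaks where the first mismatch is, next to the constant-time version that does the same amount of work no matter where the guess diverges. Instead of wall-clock timing, which is noisy on a laptop, each comparison is instrumented to report how many bytes it examined, which is the quantity an observer would otherwise have to infer from timing. `SECRET` is a constructed sample value; the helpers `naive_compare`, `constant_time_compare` and `work_by_matching_prefix` are names chosen for this example.

```python
import hmac
from typing import Callable, List, Tuple

CompareFn = Callable[[bytes, bytes], Tuple[bool, int]]


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    The byte count is the side channel: it grows with the length of the
    correctly guessed prefix, which is exactly what an attacker measures
    through timing."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1  # bails out at the first mismatch
    return True, len(a)


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Data-independent comparison. Returns (equal, bytes_examined).

    Every byte is XORed into an accumulator and the result is checked once
    at the end, so the amount of work does not depend on the contents."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate, never branch on secret data
    return diff == 0, len(a)


def work_by_matching_prefix(compare: CompareFn, secret: bytes) -> List[int]:
    """For k = 0..len(secret), build a guess whose first k bytes are right and
    whose remaining bytes are all wrong, then record how much work `compare`
    did on it. A leaky compare shows a rising profile; a constant-time one
    is flat."""
    counts = []
    for k in range(len(secret) + 1):
        guess = bytearray(secret[:k])
        for j in range(k, len(secret)):
            guess.append((secret[j] + 1) & 0xFF)  # guaranteed to differ
        counts.append(compare(secret, bytes(guess))[1])
    return counts


SECRET = b"hunter2"  # constructed sample secret, not a real credential


def leaks_prefix_length(compare: CompareFn) -> bool:
    """True if the amount of work varies with how much of the guess is right."""
    return len(set(work_by_matching_prefix(compare, SECRET))) > 1


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """What production code should use: the standard library's constant-time
    comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    print("naive   :", work_by_matching_prefix(naive_compare, SECRET))
    print("constant:", work_by_matching_prefix(constant_time_compare, SECRET))
    print("naive leaks?   ", leaks_prefix_length(naive_compare))
    print("constant leaks?", leaks_prefix_length(constant_time_compare))
```

Run it and the naive profile climbs one byte per correct prefix byte while the constant-time profile stays flat; that difference is the whole attack surface, and the same reasoning (does the observable cost depend on data the caller should not see?) is the question the cache-timing work asks of the CPU. In real code use `hmac.compare_digest` rather than the hand-written loop, which is here only to make the accumulator pattern visible.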