2019-05-01_Linux_Format

Hardware security

ore than a year ago, the Meltdown and

Spectre bugs were revealed to affect

some of the most widely used

processors in the world – and throughout 2018

and even into this year, new variants and threats

based on the bugs have continued to be found.

The vulnerabilities, which appear to be

present in chips from nearly every

manufacturer, enable potential malicious users

to access protected data on a victim’s device,

and exploit speculative execution and caching

features of a CPU. While there have not been

any known attacks using these vulnerabilities,

their existence has caused shockwaves

throughout the technology world – and beyond

• due to the prevalence of the vulnerabilities.
  Since the revelations about the bugs were
  disclosed, a number of manufacturers moved
  quickly to release patches to mitigate the
  problem.However,thesesoftwarefixesaren’t
  ideal,mainlybecauseMeltdownandSpectre
  affectsfeaturesoftheCPUwhicharedesigned
  toimproveperformance,andapplyingthe
  patchesresultsinanoticeabledegradation.
  AttheendofFebruary2019,opensource
  hardwareexpertsatPhoronixnotedthatLinux
  5.0kernelperformancewasworsethan
  previouskernelreleases(readthefullarticle
  athttp://bit.ly/LXFPhoronixLinux5).This
  isaworryingtrend,askernelupdatesshould
  improveperformance,andsomereaders
  pointedoutthatthisperformanceloss
  correspondswithMeltdownandSpectre
  mitigationsbeingincludedinLinux5.0.

In fact, looking at Phoronix’s

benchmark results, there’s a clear

dip in performance starting from

Linux 4.15, with another large dip

between Linux 4.20 and Linux 5.0.

As Phoronix points out, the

Spectre/Meltdown vulnerabilities

were made public around the

time of Linux 4.14, and in-kernel

mitigations such as PTI and

Retpolines were added – which

supports many people’s fears that if

to be protected against Spectre/Meltdown,

we’re going to have to live with the performance

implications that come with software patches.

Googlehasbeenevenmorepessimistic,

recentlyreleasingananalysisofSpectre

whichcomestotheconclusionthatSpectre-like

vulnerabilitieswillneverbefullyeradicatedby

softwarepatches.Infact,Spectrecould

continuetoimpactprocessorsforthe

foreseeablefuture,whilesoftware-based

mitigationswillhaveanevengreaterimpacton

performance.Readtheentirepaperathttp://

bit.ly/LXFGoogleSpectre.Forthemomentat

least,itlookslikewe’regoingtohavetoaccept

performancehitsasapricetopayforsecurity.

The ramifications of Meltdown and Spectre continue, with Google

suggesting that there will never be a software-based fix.

Can Meltdown and Spectre

bugs ever be fixed?

M

Newsdesk

ThiS iSSUE:Googlehasameltdown Nginxisworthalot

PureOS converges Firefox Send Skype issues EU router rules

spectre will be plaguing processors for

the near future, according to Google.

Image credit: TechRadar

Meltdown andSpectreaffectS

featureS ofthe cpuwhich are

deSignedto iMprove perforMance

6 LXF249May 2019 http://www.linuxformat.com