[gentoo-user] Now it's AMD's turn ...

[gentoo-user] Now it's AMD's turn ...

[Michael]

[-- Attachment #1: Type: text/plain, Size: 258 bytes --]

Just in case Intel felt lonely in the vulnerabilities game, some researchers 
(also funded by Intel) managed to reveal the illusion of secure computing is 
probably in the past:

https://www.engadget.com/2020/03/08/amd-cpu-take-a-way-data-leak-security-flaw

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Now it's AMD's turn ...

[Rudi]

[-- Attachment #1: Type: text/plain, Size: 2004 bytes --]

"While Hardware Unboxed found disclosures that Intel funded the research, raising concerns about the objectivity of the study, the authors have also received backing from Intel (and other sources) for finding flaws in the company's own chips as well as other products. It appears to just be a general effort to spur security research, then. As it stands, the funding source doesn't change the practical reality -- AMD may have to tweak its CPU designs to safeguard against Take A Way attacks going forward."
While I usually side with AMD for their contributions to the Open Sourced community, I'm going to go out on a limb and say that even though they're funded by Intel the fact that they've been keeping the specifics quiet proves that they're trying to help rather than smear the name of AMD.
Hopefully this doesn't cause as much of a recoil as the Spectre/Meltdown mitigations. What % of performance was lost for those? 20?



---------------------------- 
Gregory 'Rudi' Rudolph
rudi@nmare.net
(518) 888-6156 
---------------------------- 

Verify PGP Signature via https://keybase.io/verify I am Rudi9719 

This email message and attachment(s) may contain sensitive and/or proprietary information and is intended only for the person(s) to whom this email message is addressed. If you have received this email message in error, please notify the sender immediately and destroy the original message without making a copy. Please do not transmit any sensitive, proprietary, ITARS or FOUO data via e-mail without using approved encryption techniques.


From: Michael <confabulate@kintzios.com>
Sent: Sunday, March 8, 2020, 08:30
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Now it's AMD's turn ...

Just in case Intel felt lonely in the vulnerabilities game, some researchers 
(also funded by Intel) managed to reveal the illusion of secure computing is 
probably in the past:

https://www.engadget.com/2020/03/08/amd-cpu-take-a-way-data-leak-security-flaw


[-- Attachment #2: Type: text/html, Size: 3096 bytes --]

Re: [gentoo-user] Now it's AMD's turn ...

[Rich Freeman]

On Sun, Mar 8, 2020 at 10:23 AM Rudi <rudi@nmare.net> wrote:
>
> While I usually side with AMD for their contributions to the Open
> Sourced community, I'm going to go out on a limb and say that even
> though they're funded by Intel the fact that they've been keeping the
> specifics quiet proves that they're trying to help rather than smear
> the name of AMD.

IMO all responsible disclosure only makes everybody safer, so if Intel
wants to fund making my AMD CPUs safer, I'm all for that.  If these
researchers can find a flaw and report it, somebody else could find it
and not report it.

> Hopefully this doesn't cause as much of a recoil as the Spectre/Meltdown mitigations. What % of performance was lost for those? 20?

That's the key.  While vulnerabilities should be avoided as much as
possible, the fact is that almost all software and hardware ends up
having them.  The real issues are:

1.  Does the vendor provide a mitigation in a timely manner?
2.  Is the mitigation free (ie software/etc)?
3.  Does the mitigation have any kind of long-term negative impact?

With meltdown the issue was #3.  Right now we don't have any
mitigation, though I can't really speak to how fast is fast enough.
Now that this is disclosed they should push to get this fixed ASAP.

-- 
Rich

Re: [gentoo-user] Now it's AMD's turn ...

[Michael]

[-- Attachment #1: Type: text/plain, Size: 2036 bytes --]

On Sunday, 8 March 2020 19:04:02 GMT Rich Freeman wrote:
> On Sun, Mar 8, 2020 at 10:23 AM Rudi <rudi@nmare.net> wrote:
> > While I usually side with AMD for their contributions to the Open
> > Sourced community, I'm going to go out on a limb and say that even
> > though they're funded by Intel the fact that they've been keeping the
> > specifics quiet proves that they're trying to help rather than smear
> > the name of AMD.
> 
> IMO all responsible disclosure only makes everybody safer, so if Intel
> wants to fund making my AMD CPUs safer, I'm all for that.  If these
> researchers can find a flaw and report it, somebody else could find it
> and not report it.

Quite!  Early disclosure and more importantly a quick mitigation to discovered 
vulnerabilities is what is desired/required.  Spats between the marketing 
departments of the oligopoly of hardware manufacturers is of little interest 
to me.


> > Hopefully this doesn't cause as much of a recoil as the Spectre/Meltdown
> > mitigations. What % of performance was lost for those? 20?
> That's the key.  While vulnerabilities should be avoided as much as
> possible, the fact is that almost all software and hardware ends up
> having them.  The real issues are:
> 
> 1.  Does the vendor provide a mitigation in a timely manner?
> 2.  Is the mitigation free (ie software/etc)?
> 3.  Does the mitigation have any kind of long-term negative impact?

It would also be nice if said vendor(s) are not imposing a lack of patches and 
microcode to force users in early obsolescence of their kit, just to boost 
their profits.


> With meltdown the issue was #3.  Right now we don't have any
> mitigation, though I can't really speak to how fast is fast enough.
> Now that this is disclosed they should push to get this fixed ASAP.

Thankfully AMDs are not affected by meltdown.  :-)

Anyhow, AMD have issued a disclaimer saying this recently published 'Take A 
Way' vulnerabilities "are not new speculation-based attacks ..."

https://www.amd.com/en/corporate/product-security

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]