Intel's 8th-Gen Xeon and Core Processors Feature Redesigned Hardware to Address Spectre and Meltdown Vulnerabilities

MacRumors

macrumors bot
Original poster
Apr 12, 2001
47,165
9,192



Intel CEO Brian Krzanich today announced that its next-generation Xeon Scalable (Cascade Lake) processors and its 8th-generation Intel Core processors will feature redesigned components to protect against the Spectre and Meltdown vulnerabilities that affect all modern processors.

Spectre variant 1 will continue to be addressed in software, while Intel is implementing hardware-based design changes to offer future protection against Spectre variant 2 and Meltdown variant 3.

"We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3. Think of this partitioning as additional 'protective walls' between applications and user privilege levels to create an obstacle for bad actors."

Intel's new Xeon Scalable processors and its 8th-generation Intel Core processors are expected to start shipping out to manufacturers in the second half of 2018.

Ahead of the hardware changes, Intel says that software-based microcode updates have now been issued for 100 percent of Intel products launched in the past five years, and all customers should make sure to continue to keep their systems up-to-date with software updates.


Krzanich also reaffirmed Intel's commitment to customer-first urgency, transparent and timely communications, and ongoing security reassurance.

Apple began addressing the Meltdown and Spectre vulnerabilities back in early January with the release of iOS 11.2, macOS 10.13.2, and tvOS 11.2, which introduced mitigations for Meltdown. Subsequent iOS 11.2.2 and macOS High Sierra 10.13.2 Supplemental updates introduced mitigations for Spectre, as did patches for both macOS Sierra and OS X El Capitan in older machines.

Apple's software mitigations for the vulnerabilities have not resulted in any significant measurable decline in performance.

Article Link: Intel's 8th-Gen Xeon and Core Processors Feature Redesigned Hardware to Address Spectre and Meltdown Vulnerabilities
 

gnasher729

macrumors P6
Nov 25, 2005
16,648
3,315
Linus Torvalds seems to have got early design specs, and he was let's say deeply unimpressed.

It seems that Intel's new chips can be switched to a fast + unsafe mode, or to a slow + safe mode. And by default they are running in fast + unsafe mode.

Important to notice that MacOS (and Windows, and single user Linux) are not affected because these attacks allow _attacking other users_ on the same machine if you have malware on your computer. For a single user computer, this doesn't add any new problems. Malware can attack the single user on a Mac anyway; being able to attack a second user is of very little importance.

The only problem is browsers which try to run lots of untrusted code in a sandbox, and that's where Apple probably had to take some action that might have caused a performance decline. Since these attacks rely on highly accurate timers, I think Apple just makes its timers very inaccurate when it runs JavaScript code.
 

DotCom2

macrumors 601
Feb 22, 2009
4,243
2,510
I did notice a bit of a slowdown on my iMac 27" 5K 2014 when it got patched for this. Just on the startup though.
EDIT: Oh, and on the wake screen as well.
 

AbSoluTc

macrumors 601
Sep 21, 2008
4,385
2,719
> I was going to buy a new MacBook in January until all this came to light.
>
> Can’t wait for new MacBooks now!

> Wait, Idk there were different Meltdown and Spectre variants.
>
> I guess I'll wait until 2019 to get a new Mac.

Yes because you both have super secretive data that everyone wants! :rolleyes:

It's a non issue for 99% of the world. Nobody is going to target the average person. There's nothing to gain. If I were going to exploit this flaw (which is pretty hard by the way), it would be on a Fortune 500 company, bank, intelligence agency or government agency that would net me something for my time and energy.

Not to see your pr0n or access the $500 dollars you have in your bank account.
 

Glmnet1

macrumors 6502a
Oct 21, 2017
953
1,054
Is this going to be applied to 8th gen CPUs already released? If so there would be 2 variants of those CPUs?

It seems a bit rushed to reassure people. I'm afraid of the possible side effects such a quick fix could have.
 

elvisimprsntr

macrumors 6502
Jul 17, 2013
355
463
Florida
I expect the first round or two of CPU HW re-designs will have some technical problems/impacts.

My mid '14 rMBP is humming along just fine. I think I can get at least another 3 years out of it. As for all my other Intel/ARM based devices (Apple, router/firewall, NAS, etc.), I am good for another 5 years.

Thank you for reducing my home infrastructure CapEx for the next 3-5 years. I might just take a vacation or buy a new car.
 

fairuz

macrumors 68020
Aug 27, 2017
2,290
2,404
Silicon Valley
These vulnerabilities were the best thing that ever happened to Intel. Now everyone is going to finally upgrade their CPUs. Sucks for anyone who bought an iMac Pro. Wish I had my brokerage account set up so I could have put in a fat buy on their down day when these were published.

"Apple's software mitigations for the vulnerabilities have not resulted in any significant measurable decline in performance."

Is there a citation for this?
It's most likely not true for certain applications. Postgres has been shown to run much slower with the Linux patches, like 10-30%. I can't imagine Apple's done anything too different.
 

rtomyj

macrumors 6502a
Sep 3, 2012
799
706
> Yes because you both have super secretive data that everyone wants! :rolleyes:
>
> It's a non issue for 99% of the world. Nobody is going to target the average person. There's nothing to gain. If I were going to exploit this flaw (which is pretty hard by the way), it would be on a Fortune 500 company, bank, intelligence agency or government agency that would net me something for my time and energy.
>
> Not to see your pr0n or access the $500 dollars you have in your bank account.

This is 100 percent correct. The likelihood someone can even get sensitive info from RAM from a consumer product is low. Imagine a server with gigs of password or user meta data. This exploit is wasted on consumers.

Also, Apple patched it. You good.
 

JPack

macrumors 603
Mar 27, 2017
5,118
7,638
> Is this going to be applied to 8th gen CPUs already released? If so there would be 2 variants of those CPUs?
>
> It seems a bit rushed to reassure people. I'm afraid of the possible side effects such a quick fix could have.

The updated processors will have a new stepping.
 

idunn

macrumors 6502a
Jan 12, 2008
500
400
> Krzanich also reaffirmed Intel's commitment to customer-first urgency, transparent and timely communications, and ongoing security reassurance.

Per my understanding the elephant in the room remains Intel ME (Management Engine). Only in public awareness a small unobtrusive mouse, quiet and unseen. But in reality a dragon.

Intel says otherwise, that Intel ME is not a backdoor into one's computer, that it would never design or condone such a thing. Yet since 2008 this has been a fundamental feature incorporated into their chips, one that oversees all, is always on if any power present, cannot be seen or known by the computer owner, whose code remains secret. Thus one has only Intel's word that it has no nefarious purposes.

So fine that they are addressing Spectre and Meltdown—after they became publicly known—but this is but part of the equation.

Since Apple uses these chips it would be nice if they were more forthcoming than Intel has been. Mr. Cook assures us that our privacy is one of his key concerns, yet Apple seems silent on the news made public recently that another company with clients such as the NSA can hack into any iPhone. So, where exactly do we stand?
 

BootsWalking

macrumors 65816
Feb 1, 2014
1,277
7,430
> Linus Torvalds seems to have got early design specs, and he was let's say deeply unimpressed.
>
> It seems that Intel's new chips can be switched to a fast + unsafe mode, or to a slow + safe mode. And by default they are running in fast + unsafe mode.
>
> Important to notice that MacOS (and Windows, and single user Linux) are not affected because these attacks allow _attacking other users_ on the same machine if you have malware on your computer. For a single user computer, this doesn't add any new problems. Malware can attack the single user on a Mac anyway; being able to attack a second user is of very little importance.
>
> The only problem is browsers which try to run lots of untrusted code in a sandbox, and that's where Apple probably had to take some action that might have caused a performance decline. Since these attacks rely on highly accurate timers, I think Apple just makes its timers very inaccurate when it runs JavaScript code.

Linus has unreasonable opinions about how the user/kernel domains must be always separated, irrespective of the performance penalty. What he calls "unsafe" is only unsafe if someone finds a Meltdown-like exploit in the new design - and if they do Intel is providing a safety-valve to switch back to the hammer approach by turning off the "fast" mode.
 

chabig

macrumors 603
Sep 6, 2002
6,309
3,566
> Important to notice that MacOS (and Windows, and single user Linux) are not affected because these attacks allow _attacking other users_ on the same machine if you have malware on your computer. For a single user computer, this doesn't add any new problems. Malware can attack the single user on a Mac anyway; being able to attack a second user is of very little importance.

I don’t think that’s correct. macOS, Windows, and Linux are all multiuser systems with multiple levels of authenticated processes running concurrently. Whether you see it or not, you do have other “users” running on your system.
 

iReality85

macrumors 6502a
Apr 29, 2008
877
1,666
Upstate NY
Intel's 8th Generation is Coffee Lake, which is already released. So does this article mean 9th Generation?

EDIT: This article is poorly worded and needs to be revised, as it is incredibly confusing and misleading.

Brian Krzanich stated, "These changes will begin with our next-generation Intel® Xeon® Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel® Core™ processors expected to ship in the second half of 2018." (emphasis mine)
 

catportal

macrumors regular
Aug 11, 2016
126
329
> Linus Torvalds seems to have got early design specs, and he was let's say deeply unimpressed.
>
> It seems that Intel's new chips can be switched to a fast + unsafe mode, or to a slow + safe mode. And by default they are running in fast + unsafe mode.
>
> Important to notice that MacOS (and Windows, and single user Linux) are not affected because these attacks allow _attacking other users_ on the same machine if you have malware on your computer. For a single user computer, this doesn't add any new problems. Malware can attack the single user on a Mac anyway; being able to attack a second user is of very little importance.
>
> The only problem is browsers which try to run lots of untrusted code in a sandbox, and that's where Apple probably had to take some action that might have caused a performance decline. Since these attacks rely on highly accurate timers, I think Apple just makes its timers very inaccurate when it runs JavaScript code.

The crux of the problem is that speculative execution wasn't checking for memory protection bits. The only way to fix this is to check the memory protection bits, which introduces latency in that particular critical path. For most users this is completely unnecessary, which is why they have the unsafe mode.

The software 'patch' for this is basically to use a separate stack for any system calls, which is slow because it requires flushing the TLB.
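
The thread contrasts fixes in silicon with software patches such as the kernel change described in the post above. As an added example (not part of any post, and not Intel's or Apple's code), this reads the per-variant status a Linux kernel reports; it assumes Linux 4.15 or later, which exposes `/sys/devices/system/cpu/vulnerabilities`, and the sample values are constructed.

```python
import tempfile
from pathlib import Path

# Assumption: Linux 4.15+ publishes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Variant numbers as used in the article -> sysfs file name.
VARIANTS = {1: "spectre_v1", 2: "spectre_v2", 3: "meltdown"}

def classify(status):
    """Reduce a kernel status line to one of four states."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"   # the CPU itself lacks the flaw
    if s.startswith("Mitigation:"):
        return "mitigated"      # a workaround is active, e.g. "Mitigation: PTI"
    if s.startswith("Vulnerable"):
        return "vulnerable"     # flaw present and no workaround enabled
    return "unknown"

def report(root=SYSFS_DIR):
    """Return {variant number: state}; a missing file is reported as unknown."""
    out = {}
    for variant, name in VARIANTS.items():
        path = Path(root) / name
        out[variant] = classify(path.read_text()) if path.is_file() else "unknown"
    return out

def constructed_sysfs(statuses):
    """Write constructed status files to a temp dir so the example runs anywhere."""
    root = Path(tempfile.mkdtemp())
    for name, text in statuses.items():
        (root / name).write_text(text + "\n")
    return root

# Constructed samples, not captured from real machines.
PATCHED_OLD_CPU = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "meltdown": "Mitigation: PTI",
}
# Variant 3 fixed in the CPU, variant 2 file absent (older kernel).
HW_FIXED_V3_SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "meltdown": "Not affected",
}

if __name__ == "__main__":
    root = SYSFS_DIR if SYSFS_DIR.is_dir() else constructed_sysfs(PATCHED_OLD_CPU)
    for variant, state in report(root).items():
        print(f"variant {variant}: {state}")
```
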
 

The Cappy

macrumors regular
Nov 9, 2015
204
315
Dunwich Fish Market
> Yes because you both have super secretive data that everyone wants! :rolleyes:
>
> It's a non issue for 99% of the world. Nobody is going to target the average person. There's nothing to gain. If I were going to exploit this flaw (which is pretty hard by the way), it would be on a Fortune 500 company, bank, intelligence agency or government agency that would net me something for my time and energy.
>
> Not to see your pr0n or access the $500 dollars you have in your bank account.

How do you know? It might be a LOT of pr0n. ;)
 

DotCom2

macrumors 601
Feb 22, 2009
4,243
2,510
> Do you restart your computer often? Macs have had industry-leading sleep mode for 20+ years. There's no need to shut down a Mac on a nightly basis.

No, I don't. But when I have, I have noticed a bit of a slow down. More so, however, on the wake from sleep mode that I have noticed it takes longer to wake. At least on mine it does.