Update, 1/4/18, 8:00am PT: We now have statements from several semiconductor vendors and news on the exploits. Read more at: Understanding The Meltdown And Spectre Exploits: Intel, AMD, ARM and Nvidia.
Update, 1/3/18, 1:00pm PT: Intel has responded to the reports and disputes claims of a bug.
According to recent reports, Intel and ARM processors suffer from a serious hardware-level vulnerability that the vendors cannot patch via a microcode update. Addressing the vulnerability requires a significant retooling of operating systems, in particular Windows, Linux, and macOS, which reportedly causes up to a 30% reduction in performance in some workloads.
However, that number is likely overblown for the majority of applications. The overall impact of the performance regression and the specific programs impacted are poorly defined. As with many pre-release security patches, the details surrounding the bug are under NDA for now, but we expect an official update from Intel soon. Both Microsoft and Linux already have patches in the pipeline. AMD's exposure to the bug remains undefined, with some reports indicating the company's processors are immune and others stating that some models are impacted.
What We Know About The Vulnerability
The vulnerability reportedly allows programs to access protected areas of kernel memory, but the exact nature of the bug is as yet unclear. The potential exploits, and what they could do, are also undefined. We do know the fix requires separating the user and kernel memory pages with kernel page-table isolation (KPTI). Some built-in hardware features on newer Intel processors, such as PCID (Process-Context Identifier), can lessen the overhead of switching between the two address spaces, but these features aren't present on older Intel processors.
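The paragraph above names two things an administrator can check on a Linux host: whether the running kernel carries the KPTI change, and whether the CPU has PCID so that the extra page-table switch is cheaper. The script below is an added example, not code from the article or from any vendor. It assumes the kernel exposes these as the `pti` and `pcid` words on the `flags` line of `/proc/cpuinfo`, and it treats the `/sys/devices/system/cpu/vulnerabilities/meltdown` file as optional, since that interface only appeared in kernels released after this article; the sample `flags` lines are constructed, not captured from any real machine.

```shell
#!/bin/sh
# Added example: classify a Linux host by whether the kernel reports
# page-table isolation (pti) and whether the CPU offers PCID (pcid).
# Assumption: /proc/cpuinfo uses the kernel's feature names "pti" and "pcid".

# flag_present FLAGS_LINE NAME
#   Succeeds (exit 0) when NAME appears as a whole word on a /proc/cpuinfo
#   "flags" line, fails (exit 1) otherwise. Substring hits such as "pcid"
#   inside "invpcid" are rejected by padding the line with spaces.
flag_present() {
    _line=$1
    _name=$2
    _fields=$(printf '%s' "$_line" | sed 's/^flags[[:space:]]*:[[:space:]]*//')
    case " $_fields " in
        *" $_name "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# kpti_status FLAGS_LINE
#   Prints one of:
#     pti-with-pcid  KPTI active and PCID available (TLB entries survive the switch)
#     pti-no-pcid    KPTI active without PCID (older CPUs: full TLB flush per switch)
#     no-pti         kernel does not report page-table isolation at all
kpti_status() {
    _line=$1
    if flag_present "$_line" pti; then
        if flag_present "$_line" pcid; then
            echo "pti-with-pcid"
        else
            echo "pti-no-pcid"
        fi
    else
        echo "no-pti"
    fi
}

# Constructed sample "flags" lines (not from a real machine) covering the
# three cases a practitioner would meet in the field.
SAMPLE_NEW_CPU='flags   : fpu vme de pse tsc msr pae mce cx8 apic sep pcid sse4_2 invpcid pti'
SAMPLE_OLD_CPU='flags   : fpu vme de pse tsc msr pae mce cx8 apic sep sse2 pti'
SAMPLE_UNPATCHED='flags   : fpu vme de pse tsc msr pae mce cx8 apic sep pcid sse4_2 invpcid'

# Report on the live host when /proc/cpuinfo is readable (x86 Linux), then
# show the constructed samples so the script is useful on any platform.
if [ -r /proc/cpuinfo ]; then
    live_line=$(grep '^flags' /proc/cpuinfo | head -n 1)
    echo "this host:        $(kpti_status "$live_line")"
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
        # Present only on later kernels; typically reads "Mitigation: PTI".
        echo "kernel report:    $(cat /sys/devices/system/cpu/vulnerabilities/meltdown)"
    fi
fi
echo "sample new cpu:   $(kpti_status "$SAMPLE_NEW_CPU")"
echo "sample old cpu:   $(kpti_status "$SAMPLE_OLD_CPU")"
echo "sample unpatched: $(kpti_status "$SAMPLE_UNPATCHED")"
```

Run it as `sh kpti_check.sh`. A host that prints `pti-no-pcid` is the case the article flags as most exposed to overhead: it has the isolation patch but must flush the TLB on every user/kernel transition, which is where the larger regressions in syscall-heavy workloads come from.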
The Performance Impact
We also know that Microsoft has already deployed patches in the fast ring Windows Insider builds. Those patches rolled out in November. Notably, there haven't been any reports of massive performance degradation from participants of the Insider Ring. Linux patches are already available. For now, the patches are confined to the operating system. It is possible that application patches could also help lessen the impact.
A note of caution: The bug will have an impact on some programs, but the chance of a widespread 30% reduction in performance is slim. Phoronix conducted testing on the patched Linux 4.15-rc6 kernel with an Intel Core i7-6800K and an i7-8700K. It tested applications that are confined to the user space, which are typically indicative of what you would see on a desktop system, and found that these applications "should see minimal change (if any) in performance." That means you will likely see little to no performance impact on your next desktop session, be it gaming or otherwise.
Phoronix did record significant performance regressions with the new kernel during select workloads, particularly synthetic I/O benchmarks. The site conducted these tests with SSDs that tend to offer varying performance based on the amount of past user activity, and the article doesn't indicate if the storage devices were correctly preconditioned. Phoronix noted the new kernel has other changes beyond the bug patch that could also impact performance, so for now, it is hard to ascertain the direct impact of the patch on these workloads.
The performance impact is more pronounced in PostgreSQL, which is an open source object-relational database system. PostgreSQL has issued a warning about performance regression that includes benchmarks showing a 17-23% reduction in performance with the new patch. Redis also appears to suffer a performance loss, but to a lesser extent.
So Much FUD
The vulnerability appears to be most dangerous to data center workloads and virtualization. However, it is irrational to assume that the overwhelming majority of data centers will see a 30% reduction in performance. Losing even 15% of the computational horsepower from a data center would be a major blow, and that compute would have to be replaced almost immediately. The patch has been in development for several months, so if Intel and the major data center operators were expecting massive performance reductions, there would have been an incredible spike in data center equipment purchases.
Also, we would have likely already seen signs of a pending financial disaster for Intel if there was a serious threat of hardware replacements to a wide swath of the data center. Intel's customers would likely be able to pursue litigation for widespread losses that are directly the fault of Intel. It's also reasonable to assume that the company would be required to replace faulty processors. For instance, Intel disclosed during its Q4 2016 earnings call that it had encountered a higher-than-expected failure rate for some of its processors, so it established a financial reserve to deal with the costs of replacements. We reported on Intel's statements, and later the fund was connected to failures in Intel's Atom C2000 processors. In no recent financial commentary has Intel disclosed the establishment of any new funds, so it appears the company doesn't foresee significant hardware replacements any time soon.
Intel CEO Brian Krzanich also recently sold $11 million in stock, which some have proclaimed is a sign that he's unloading his shares before a pending disaster. However, Krzanich sold the stock under a Rule 10b5-1 plan, a pre-scheduled sale of stock intended to prevent insider trading. The nature of Krzanich's transactions makes it unlikely that the trades are a precursor of a major monetary loss for the company.
Currently, there are no major shifts in Intel's stock that would indicate a mass sell-off by investors. There are conflicting reports about the impact to AMD processors, and AMD's shares are currently up 5%. However, such an increase is a fairly common occurrence for the sometimes-volatile AMD stock, so the bump may be incidental; in any case, it's not out of the ordinary.
Update, 1/3/18, 11:00am PT: AMD's shares are now up 9% and Intel is down 6%.
For now, we await more detail on the nature of the bug and its impact. We expect Microsoft's fix to arrive in a future Patch Tuesday release, but the company has not listed an official release date.
The bug is locked behind a wall of NDAs at this point, which is frustrating. However, the silence is necessary to prevent a wave of exploits. We expect, and have seen already, the normal level of hyperventilation that comes with such news, but it's best to wait for more information. We have followed up with Intel for more information and will update as necessary.