Meltdown and Spectre

[Octopus66]

Hi Toni,

Lots of news recently regarding the CPU design flaws which can be exploited through Meltdown and Spectre. Do you expect the Windows patches for these issues to have any impact on WinUAE performance? I have read the CPU impact can vary greatly depending on the nature of the workload.

[ptyerman]

Only way to find out is to try it and see. Benchmarks are throwing out different results for different use cases currently so it's a case of carry on and see what happens.
Intel CPU's are hit the worse because of Meltdown, that causes the worst slowdowns.

[Romanujan]

FS-UAE, no JIT used, 64-bit Linux - after anti-Meltdown patch AIBB benchmark results went down by 2-4% for me.

[ptyerman]

Quote:

Originally Posted by Romanujan

FS-UAE, no JIT used, 64-bit Linux - after anti-Meltdown patch AIBB benchmark results went down by 2-4% for me.

That's not too bad then. It certainly could be worse with some use cases reporting as much as 25-30% slowdown.
It seems to effect I/O processes the most so servers are hit particularly hard, it's also having a pretty high detrimental effect on VM's according to some reports.

EDIT:
Phoronix have done some testing with VM's and Wine on Linux as well as Docker, Database performance and Compilation tasks. It can be found here.
It's worth keeping up with as new information is coming to light daily.

[Toni Wilen]

It shouldn't cause anything major, core emulation does not do any OS/kernel calls (except some timing queries), I/O stuff should be similar to games.

[ptyerman]

From all the results I've read up on, gaming is about the least effected, in some cases with no noticeable differences between KPTI enabled or disabled.
I/O is the worst effected on heavy loads such as databases and such. Basically servers and cloud computing are the hardest hit but not as much as first envisaged.

[meynaf]

These attacks require the execution of code on the target machine, so they're not that important for the prudent enough end user...

[ptyerman]

No, they'll probably have little effect on the normal user at all, just a minor slowdown with some software.
The biggest headaches are for the likes of Google, Microsoft, Facebook, Amazon and such, big server racks with big I/O and databases.

[robinsonb5]

Quote:

Originally Posted by meynaf

These attacks require the execution of code on the target machine, so they're not that important for the prudent enough end user...

That was my first thought too - then I read that the Spectre exploit has been demonstrated using javascript.

[meynaf]

Quote:

Originally Posted by robinsonb5

That was my first thought too - then I read that the Spectre exploit has been demonstrated using javascript.

This is still executing code on the machine and this is why i wrote "prudent enough" : users that don't go on dubious sites aren't really at risk.

[ptyerman]

Yeah, Spectre is the real monster in the room. A browser can be affected by it or anything else that uses javascript. Also there's no known way currently of fully protecting against it.

[nogginthenog]

I was reading a blog post about Meltdown and Spectre today and had a thought.
Is the 68060 susceptible to Meltdown or Spectre? After all, it does branch prediction.

I would hate for someone to hack my A4000

[meynaf]

Quote:

Originally Posted by nogginthenog

I was reading a blog post about Meltdown and Spectre today and had a thought.
Is the 68060 susceptible to Meltdown or Spectre? After all, it does branch prediction.

I would hate for someone to hack my A4000

The 68060 does branch prediction but not out-of-order execution which is required for these to work.

Nevertheless it's not needed on an Amiga to access system parts, just about every program can do it without any trick

But nobody will hack your A4k. Because nobody is interested in hacking an Amiga anymore, you probably don't run programs from untrusted sources, and there is no sensitive data to grab from here anyway...

[nogginthenog]

Quote:

Originally Posted by meynaf

The 68060 does branch prediction but not out-of-order execution which is required for these to work.

Are you sure? From what I understand the cache is loaded with data that might be executed which I'm pretty sure the 68060 does.

Quote:

Nevertheless it's not needed on an Amiga to access system parts, just about every program can do it without any trick

But nobody will hack your A4k. Because nobody is interested in hacking an Amiga anymore, you probably don't run programs from untrusted sources, and there is no sensitive data to grab from here anyway...

I never said I run AmigaOS on my A4000

[robinsonb5]

Quote:

Originally Posted by nogginthenog

Are you sure? From what I understand the cache is loaded with data that might be executed which I'm pretty sure the 68060 does.

The 68060 preloads the instruction cache with code that might be executed, but doesn't actually execute it. Current CPUs do actually execute the code speculatively - discarding and rolling back the results if they turn out not to be needed. The problem which Meltdown and Spectre exploit is that even after discarding the results, the speculatively executed code leaves footprints in the data cache which can be detected.

[Rotareneg]

It seems to me to be a terrible idea to allow external memory reads to occur speculatively. What happens when it speculatively reads a memory mapped I/O register that is changed by reads, like the DSKBYTR register on the Amiga, which has a bit that is cleared when the register is read from?

[meynaf]

While a 68060 can probably prefetch data for filling its DCache, it doesn't do speculative memory accesses ('xcept maybe for fetching code).
And even if it did, I/O areas are marked by the MMU as non-cacheable (or at least they should !).

x86 are immune to this - they have IN/OUT instructions for I/O.
For ARM, I don't know.

The tricks are :
- Current operating systems map the supervisor area, or at least part of it, in the user's memory (for the sake of quick OS calling).
- Current cpus (again for the sake of speed) do the memory access in the cache before checking the access rights (which takes more time).

Now wondering if this kind of attack can be done from within WinUAE in JIT mode...

[Locutus]

Quote:

Originally Posted by Rotareneg

It seems to me to be a terrible idea to allow external memory reads to occur speculatively. What happens when it speculatively reads a memory mapped I/O register that is changed by reads, like the DSKBYTR register on the Amiga, which has a bit that is cleared when the register is read from?

The page that register would be located in would have been marked as uncachable.

[Megol]

Quote:

Originally Posted by meynaf

While a 68060 can probably prefetch data for filling its DCache, it doesn't do speculative memory accesses ('xcept maybe for fetching code).
And even if it did, I/O areas are marked by the MMU as non-cacheable (or at least they should !).

x86 are immune to this - they have IN/OUT instructions for I/O.

The majority of I/O is memory mapped. The I/O instructions are legacy only and _extremely_ slow.

I could do some hw hacking faster with a Pentium than with my current system. So a 90MHz in-order processor can push out more bytes than a modern 2.5+GHz 4 core out of order processor. Slow!

Quote:

For ARM, I don't know.

The tricks are :
- Current operating systems map the supervisor area, or at least part of it, in the user's memory (for the sake of quick OS calling).
- Current cpus (again for the sake of speed) do the memory access in the cache before checking the access rights (which takes more time).

Intel do. AMD say they don't.

Quote:

Now wondering if this kind of attack can be done from within WinUAE in JIT mode...

Spectre should work but what should be attacked?
Meltdown I think not as the "68k" should only be able to access the memory of the emulated Amiga anyway. Or?

[meynaf]

Quote:

Originally Posted by Megol

The majority of I/O is memory mapped. The I/O instructions are legacy only and _extremely_ slow.

I could do some hw hacking faster with a Pentium than with my current system. So a 90MHz in-order processor can push out more bytes than a modern 2.5+GHz 4 core out of order processor. Slow!

That they are slow isn't new.
But if they are no longer used, or declared obsolete in some way, then x86 is even worse than i supposed

Quote:

Originally Posted by Megol

Intel do. AMD say they don't.

From what i've read AMD is vulnerable too, but only with Spectre - not Meltdown. But who knows.

Quote:

Originally Posted by Megol

Spectre should work but what should be attacked?

I don't know, it's purely academic question.

Quote:

Originally Posted by Megol

Meltdown I think not as the "68k" should only be able to access the memory of the emulated Amiga anyway. Or?

In theory it can access the memory outside of the emulated Amiga, bypassing the sandbox.
Whether it can work or not, depends on how the memory accesses are checked for validity. If it's just adding some offset then relying on the normal memory protection, then the memory outside can be accessed.