How are the Linux vendors addressing the recently-exposed Intel processor flaw? I asked Red Hat and got some solid answers.
What is the nature of the problem?
Discovered some time ago, but only just yesterday brought into public view, the CPU flaw allows an attacker to bypass restrictions to gain access to privileged memory (which should be inaccessible) — possibly stealing sensitive information from computer systems, mobile devices, and cloud deployments. There are actually two problems and they’ve been dubbed “Meltdown” and “Spectre”. They potentially affect 90% of computer servers and virtually every Intel microprocessor.
The Meltdown flaw is specific to Intel, while Spectre is a flaw in a design that many processor manufacturers have used for decades.
These problems seem to have come about as a result of “speculative execution”, an optimization technique that involves doing work before it is known whether that work will be needed. Correcting the vulnerabilities, therefore, comes at a performance price. More information on this tradeoff is available from this Red Hat post. Patches could slow down systems by as much as 30%, a hit that most users are likely to feel. However, the specific performance impact will be workload dependent.
To address Spectre in the short term, Red Hat has modified the kernel so that, by default, it does not use the performance features that enable the vulnerability. Their customers do have the option to disable the patch and use the performance features. While Red Hat is working with chip manufacturers and OEMs on a longer-term solution, this option gives customers a way to make their own security and performance decisions.
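Because the mitigations are on by default but can be switched off, it is worth checking what a given host actually reports. The script below is an added example, not code from the original article or from Red Hat. It assumes a kernel that exposes per-issue status files under /sys/devices/system/cpu/vulnerabilities; the function names are hypothetical and the sample status strings are constructed.

```shell
#!/bin/sh
# Added example: report whether the running kernel mitigates Meltdown/Spectre.
# Assumption: the kernel exposes one status file per issue under
# /sys/devices/system/cpu/vulnerabilities (kernels with the reporting interface).

classify_status() {
    # Map the text of one status file to a verdict.
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

audit_cpu_vulns() {
    # $1: directory of status files. Returns 0 if every issue is mitigated
    # or not applicable, 1 if any is not, 2 if the interface is missing.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "unsupported: $dir not found"
        return 2
    fi
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        status="(no entry)"
        [ -r "$dir/$name" ] && status=$(cat "$dir/$name")
        verdict=$(classify_status "$status")
        echo "$name: $verdict [$status]"
        case "$verdict" in mitigated|not-affected) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

write_sample() {
    # Constructed sample: Meltdown mitigation disabled by the administrator,
    # Spectre mitigations left at their defaults. Strings are illustrative.
    printf 'Vulnerable\n' > "$1/meltdown"
    printf 'Mitigation: Load fences\n' > "$1/spectre_v1"
    printf 'Mitigation: Full retpoline\n' > "$1/spectre_v2"
}

# Demo on the constructed sample; call audit_cpu_vulns with no argument
# to read the live host instead.
sample=$(mktemp -d)
write_sample "$sample"
audit_cpu_vulns "$sample" || echo "exit status: $?"
rm -rf "$sample"
```

A non-zero exit status makes the check easy to wire into configuration management or a fleet compliance job, so hosts where someone traded the mitigation for performance are visible rather than forgotten.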