-
#POWER8 and prerelease variants of #POWER9 vulnerable to #Meltdown (CVE-2017-5754) and #Spectre (CVE-2017-5753 / CVE-2017-5715). #POWER9 is being patched and will not be vulnerable at ship, and there will be no performance loss versus current #POWER9 samples. Patches coming soon.
-
IBM's page is vague and just refers to firmware and OS patches being necessary: https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/
@raptoreng to confirm, POWER8 and POWER9 prerelease chips are vulnerable to all three CVEs?
Is the patch you refer to a microcode update, or an actual change to silicon?
-
Yes, we are aware of IBM's lack of information on that page. We are disclosing some of the details of the issue to keep our security-conscious customers informed.
In a nutshell, only the DD2.2 silicon changes were needed. DD2.2 silicon is able to close off these security holes, with the exception of the Spectre same-process read vulnerability that affects the entire CPU industry, with only changes to firmware and a small kernel change. Note that the kernel change is minimally invasive and is not related to the 30% performance loss Intel KPTI mitigation.
-
Could you explain what production stepping code means? It confuses me since the RCS Wiki shows:
POWER8 - DD2.0
POWER8E - DD2.1
POWER9 - DD2.2
which just looks like sequential architecture numbering at first glance. What was the stepping code for the preproduction samples?
-
While you are correct that there is a pattern of steppings, this is entirely coincidental and reflects additional steppings that were required for POWER8E, and then even more that were needed for POWER9.
Preproduction samples of POWER9 are generally DD1.2 (now unsupported by firmware), DD2.01 (second prototype pass, supported but with serious defects), and DD2.1 (almost fully functional but with defects requiring another stepping). DD2.1 is what we're basing our no performance loss comparison against.
-
To be precise, POWER9 DD2.2 silicon or later should be safe from which CVEs exactly? Is the kernel change you refer to the retpoline patch? Which CVE is the Spectre same-process read vulnerability?
CVE-2017-5715 (Spectre - GPZ variant 2)
CVE-2017-5753 (Spectre - GPZ variant 1)
CVE-2017-5754 (Meltdown - GPZ variant 3)
Also relevant to prospective customers; IBM's bulletins on this issue and FixCentral refer to only IBM products:
https://www-01.ibm.com/support/docview.wss?uid=isg3T1026811
In the event of a future vulnerability, will firmware patches for POWER9 chips be available from IBM directly, or does IBM provide firmware only to board manufacturers (such as yourself)?
-
We're tracking information on Spectre and Meltdown here:
https://wiki.raptorcs.com/wiki/Speculative_Execution_Vulnerabilities_of_2018
As far as future updates are concerned, firmware patches for OpenPOWER systems will be posted to the official IBM OpenPOWER GitHub repositories, and also to our repositories as soon as the patches are integrated into our firmware stack.