Intel Memory Access Design Flaw Partially Addressed by Apple in macOS 10.13.2 [Unconfirmed]

An anonymous reader shares a report: A serious design flaw and security vulnerability discovered in Intel CPUs has reportedly already been partially addressed by Apple in the recent macOS 10.13.2 update, which was released to the public on December 6. According to developer Alex Ionescu, Apple introduced a fix in macOS 10.13.2, with additional tweaks set to be introduced in macOS 10.13.3, currently in beta testing. AppleInsider also says that it has heard from "multiple sources within Apple" that updates made in macOS 10.13.2 have mitigated "most" security concerns associated with the KPTI vulnerability. A Bloomberg reporter pointed out that Apple has not officially commented on the story.

Re:Throttle CPU

[Hal_Porter]

Funny thing is that this bug is almost an example of Intel throttling old hardware. The KPTI fix is apparently less of a performance hit if you have a new Intel CPU with PCIDs

https://www.theregister.co.uk/...

Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features - such as PCID - to reduce the performance hit. Your mileage may vary.

PCID - Process Context ID - means you can tag the TLB entries with a 11 bit process ID.

http://forum.osdev.org/viewtop...

Also, the Intel manual says bit 0-11 of CR3 is used as the PCID. Does it somehow related to the usual process id user mode code see? If yes, does it mean it imposes a limit on the # of user processes (4096) allowed ?

Which means you don't need to flush the whole TLB - you just invalidate the ones which belong to a process you're switching away from

http://linuxeco.com/?p=488

A PCID is a 12-bit identifier, and may be thought of as a "Process-ID" for TLBs. If CR4.PCIDE = 0 (but 17 of CR4), the current PCID is always 000H; otherwise, the current PCID is the value of bits 11:0 of CR3. Non-zero PCIDs are enabled by setting the PCIDE flag (bit 17 of CR4).

When a logical processor creates entries in the TLBs (Section 4.10.2 of the x86 prog reference manual) and paging structure caches (Section 4.10.3), it associates those entries with the current PCID (Oh ... such a loose association of PCID with PID). Note that this means that where the PGD is located is somehow being interpreted in the PID "process context". When using entries in the TLBs and paging-structure caches to translate a linear address, a logical processor uses only those entries associated with the current PCID, and hence flushes of the TLB are avoided.

Presumably you could have on PCID value for the kernel and the other 4095 for tasks and not need to go a TLB flush when switching until the PCID value wrapped.

Of course that means you need a sufficiently recent Intel CPU.

https://software.intel.com/sit...

FMA, AVX2, BMI1, BMI2, INVPCID, LZCNT, TSX - Haswell and later

I.e. you need a Haswell 4xxx processor or later

https://en.wikipedia.org/wiki/...

At least for the Linux KPTI fix it seems like it does support PCID

https://lwn.net/Articles/74060...

- Integrated all fixes and Peters rewrite of the PCID/TLB flush code.

So does the macOS fix

https://www.macrumors.com/2018...

Ionescu also says that performance drop on a system with PCID (Process-Context Identifiers), available on most modern Macs, is "minimal," so most users may not see an impact on day-to-day Mac usage.

Of course if you have an 2012 Macbook Pro you've got an i5-3210M so you don't have PCID so you'll either have an insecure machine or a performance hit.

Interesting thing is if there was a class action lawsuit, I wonder if you could get Intel to give you a new CPU with PCID to minimise the impact of the bug fix.

Thankfully PCID has around for a while...

[SuperKendall]

I was thinking only the very most recent processors had PCID, but looking at my 2013 MacBook Pro, even that has PCID (Intel Core I7). So at least from the i7 on it seems like systems may not be too affected, probably most developers have at least an i7 in current systems.