Retbleed, microcode and performance loss

I’ve been hearing about the latest CPU vulnerability, Retbleed. Everything I’ve seen has suggested that the mitigation of this particular vulnerability could have a performance hit of up to 39%. Today I saw a new release of intel-microcode available in the jammy proposed repository. I checked out the git and it looks like this microcode update particularly addresses Retbleed.

So my understanding is that this set of vulnerabilities, including Spectre and Meltdown, requires local access. As a home user, this feels like a particularly intense performance hit to take for a vulnerability that seems unlikely to affect me. I’ve currently pinned that package with apt-mark until I decide what I want to do.

Is anybody else thinking about holding back on this microcode update? I’ve also seen that the Linux kernel itself has implemented mitigations as of 5.19. Do those kernel-level mitigations have the same performance hit?

1 Like

"Should I worry?

If you have secrets on virtual machines with shared hardware (e.g., in the cloud), you should be aware of the issue. But it’s not good for your health to worry too much."

Retbleed: Arbitrary Speculative Code Execution with Return Instructions - Computer Security Group

I’d like to see a better layman description.

1 Like

I’ve asked this question about other CPU mitigations, long ago in the TuxDigital matrix room.

A bunch of users don’t apply the cpu mitigations on their home desktops. Enough that it convinced me not to do so either.

As the community is full of security minded people and paranoid crockpots as well, I don’t think you’ll find a definitive answer. It’s really kind of going to boil down to what you’re comfortable with.

1 Like

I watched the review on Security Now. It was informative but not that helpful in addressing how far this goes, so I asked someone in a SecOps community:

“on un-mitigated systems, yes, it can be exploited from any privilege context, including from inside a browser or even inside a VM”

I brought up that Spectre could formerly be exploited using JavaScript (which mitigations now prevent):

https://react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript

the reply was:

"Retbleed is really just the latest instance of a Spectre/Meltdown-type vuln

Expecting them to be mitigated just because the untrusted code runs in a web browser… is pretty foolish.

Since they don’t actually exploit the browser or JS runtime in any way

But yeah, if the question is whether someone needs the mitigation, the answer is yes. They do."

Answering that… Spectre/Meltdown didn’t require local access, and being of the same class of vulnerability, the new variant may not need local access either.

Hopefully CPU performance can continue to outpace vulnerability mitigation performance hits.

1 Like

Thanks for clarifying that! I’ve always mitigated Spectre/Meltdown in the past for desktop systems, regardless of the performance hit, so I’ll probably do the same again. I actually realized I had already installed that microcode on my 2 laptops running Debian Sid over Intel chips and I haven’t noticed any insane performance loss yet. Granted, those are pretty much just web browsers at this point.
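
For anyone weighing the questions in this thread, the kernel reports which mitigations are actually active and which microcode revision is loaded. The following is an added example, not part of any post above: the sysfs directory and the `/proc/cpuinfo` field are standard Linux interfaces, while the function names and the default list of issues are this example's own choices.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of speculative-execution
# mitigations and the loaded microcode revision.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status "<sysfs text>" -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_mitigations [dir] [issue...]
# Prints "name<TAB>class<TAB>raw text" per issue; returns 1 if any is vulnerable.
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- retbleed spectre_v2 meltdown; fi
    rc=0
    for name in "$@"; do
        if [ -r "$dir/$name" ]; then
            raw=$(cat "$dir/$name")
            class=$(classify_status "$raw")
        else
            # Kernels without the retbleed patches have no such file.
            raw="(file missing: kernel does not report this issue)"
            class=unknown
        fi
        if [ "$class" = vulnerable ]; then rc=1; fi
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
    done
    return $rc
}

# microcode_revision [cpuinfo-file] -> revision of the first CPU listed
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}
```

Calling `report_mitigations` and `microcode_revision` with no arguments reads the live system; comparing the output before and after installing a held package shows what the update actually changed.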