A massive, mysterious security flaw in Intel processors is forcing a redesign of the kernel software at the heart of all major operating systems, The Register is reporting. Since the issue lies directly in Intel’s x86-64 hardware, Windows, Linux, and Mac all need to protect against it. And worse, it appears that plugging the hole will negatively affect your PC’s performance.
It’s hard to dive too technically into the issue, as major hardware and software vendors are working together quietly to fix the kernel issue before making the vulnerability public. But The Register’s reporting and comments on patch code coming in hot to the Linux kernel—with details redacted to obscure the exact nature of the vulnerability—give us insight into the issue.
Here’s a high-level look at what we know so far about the Intel CPU kernel bug affecting Linux, Windows, and presumably Macs.
Intel processor kernel bug FAQ
Give it to me straight—what’s the issue here?
The bug in play here is extremely technical, but in a nutshell, the chip’s kernel is leaking memory, which could lead to extremely sensitive data being exposed to apps and hackers, or make it easier for attackers to inject malware into your PC.
What’s a kernel?
The kernel inside a chip is basically an invisible process that facilitates the way apps and functions work on your computer. It has complete control over your operating system. Your PC needs to switch between user mode and kernel mode thousands of times a day, making sure instructions and data flow seamlessly and instantaneously. Here’s how The Register puts it: “Think of the kernel as God sitting on a cloud, looking down on Earth. It's there, and no normal being can see it, yet they can pray to it.”
How do I know if my PC is at risk?
Short answer: It is. There isn’t any concrete data yet, but speculation is that the bug affects all Intel x86 CPUs produced over the past 10 years, regardless of the OS you’re running or whether you have a desktop or laptop. There are some reports that say newer Intel CPUs are less impacted than older ones, but the full extent is unclear.
So if it’s a chip problem, then Intel needs to fix it?
Yes and no. While Intel will surely address the problem in future chips, the fix for PCs in the wild needs to come from the OS manufacturer, as a microcode update won’t be able to properly repair it.
I use a Mac, so I’m OK, right?
Not this time. The vulnerability here affects all Intel x86 chips, so that means Macs are at risk too.
So, what can I do?
Not much besides updating your PC when a fix becomes available. Since the issue is such a deeply technical one, there isn’t anything users can do to mitigate the potential issue other than wait for a fix to arrive.
Do you know when a fix will come?
Linux programmers are already rolling out patches to address the kernel issue, and Microsoft says a fix is incoming as well. Apple hasn’t publicly announced any changes to macOS, but presumably it will arrive with the next round of updates.
So once the fix arrives then I’m good?
Well, the patch will plug the risk, but you might not like the side effects. While the fix will prevent the chip’s kernel from leaking memory, it brings some unfortunate changes to the way the OS interacts with the processor. And that could lead to slowdowns.
How much slower will my Intel PC become?
More recent Intel processors with PCID (Process-Context Identifiers) enabled are said to suffer less of a performance hit, and some applications—most notably virtualization tasks and data center/cloud workloads—are affected more than others. The Register says “we're looking at a ballpark figure of five to 30 percent slow down, depending on the task and the processor model.”
“Obviously it depends on just exactly what you do,” Linux creator Linus Torvalds wrote in the Linux Kernel Mailing List. “Some loads will hardly be affected at all, if they just spend all their time in user space. And if you do a lot of small system calls, you might see double-digit slowdown.
“It will depend heavily on the hardware too,” he continued. “Older CPUs without PCID will be impacted more by the isolation. And I think some of the back-ports won't take advantage of PCID even on newer hardware.”
Michael Larabel, the open-source guru behind the Linux-centric Phoronix website, has run a gauntlet of benchmarks using Linux 4.15-rc6, an early release candidate build of the upcoming Linux 4.15 kernel. It includes the new KPTI protections for the Intel CPU kernel flaw. The Core i7-8700K saw a massive performance decrease in FS-Mark 3.3 and Compile Bench, a pair of synthetic I/O benchmarks. PostgreSQL and Redis suffered a loss, but to a far lesser degree. Finally, H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks didn’t lose anything.
Your mileage will indeed vary, it seems. Keep in mind that Phoronix’s testing was conducted on a non-final release, and that the Linux and Windows kernels are two very different beasts, so don’t treat these as a locked-in look at what to expect from the eventual fixes for the Intel x86 kernel bug. We won't know the full extent of the slowdown on Windows and macOS machines until a patch lands.
Will my games get slower?
Probably not. Phoronix also tested Dota 2, Counter-Strike: Global Offensive, Deus Ex: Mankind Divided, Dawn of War III, F1 2017, and The Talos Principle on a Linux 4.15-rc6 machine with a Core i7-8700K and Radeon Vega 64. None saw a frame rate change outside the margin of error range.
Are AMD processors affected?
It doesn’t appear so. In a message to the Linux Kernel Mailing List, AMD’s Tom Lendacky asked for Linux’s “Kernel Page Table Isolation” (KPTI) fix to not apply to Team Red’s processors.
“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” he wrote. “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”
AMD CPUs could potentially wind up suffering a performance hit as collateral damage, though. It depends on how the final patches for the Intel CPU kernel bug vulnerability are implemented. Operating system makers could code in exceptions for AMD processors to keep them at full speed, as Lendacky requested for the Linux kernel. But operating system vendors may also take a salted earth approach and force the fix onto all x86 processors just to be safe.
Again, we won’t know which approaches are taken until the patches are made public. The performance war between Intel's chips and AMD's new Ryzen CPUs may get even tighter, though.
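For Linux administrators who want to see where a given machine falls among the cases described above (Intel with or without PCID, AMD exempted or patched anyway), the following added example classifies a host from its /proc/cpuinfo text. It is not code from the Linux kernel, The Register, or Phoronix; the sample inputs are constructed, and it assumes that a kernel carrying the KPTI patches lists `pti` among the CPU flags when isolation is active.

```python
from pathlib import Path

# Constructed /proc/cpuinfo excerpts (flags lines shortened); not captured from real hosts.
INTEL_PCID_PTI = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pae pcid sse4_2 invpcid pti\n"
INTEL_NO_PTI = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pae sse4_2\n"
AMD_FORCED_PTI = "vendor_id\t: AuthenticAMD\nflags\t\t: fpu pae sse4_2 pti\n"


def parse_cpuinfo(text):
    """Return (vendor_id, flag set) for the first logical CPU in cpuinfo text."""
    vendor, flags = None, set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator lines between logical CPUs
        key = key.strip()
        if key == "vendor_id":
            vendor = value.strip()
        elif key == "flags":
            flags = set(value.split())
            break  # every logical CPU repeats the block; the first is enough
    return vendor, flags


def assess(text):
    """Return (status, overhead) for KPTI on the host described by text."""
    vendor, flags = parse_cpuinfo(text)
    # Assumption: patched kernels expose "pti" in the flags when isolation is on.
    pti_active = "pti" in flags
    # Per the article: Intel x86 parts are affected; AMD states its CPUs are not.
    if vendor == "GenuineIntel":
        status = "protected" if pti_active else "unprotected"
    elif vendor == "AuthenticAMD":
        status = "collateral" if pti_active else "exempt"
    else:
        status = "unknown"
    # PCID lets the kernel avoid a full TLB flush on each page-table switch,
    # which is why CPUs with it are said to take a smaller hit.
    if not pti_active:
        overhead = "none"
    else:
        overhead = "lower" if "pcid" in flags else "higher"
    return status, overhead


if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else INTEL_NO_PTI
    print("KPTI status=%s overhead=%s" % assess(text))
```

An "unprotected" result on an Intel machine means only that the `pti` flag was not found; a back-ported fix may report itself differently, so confirm against the distribution's own advisory.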
That sucks! There’s nothing I can do!?
We feel your pain. But security trumps performance, so we’d rather our PCs be a little slower than exposed to hackers.