Major Intel CPU vulnerability
-
@jaredbusch said in Major Intel CPU vulnerability:
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
Looks like the datasheet no longer mentions 2 processors.
http://download.microsoft.com/download/7/2/9/7290EA05-DC56-4BED-9400-138C5701F174/WS2016LicensingDatasheet.pdfSo, that means, yes, the 16 core proc is a good deal.
The confusion comes from the transition licensing for Software Assurance. If you had more than 8 Cores per process AND 2 processors per host you needed additional core licensing grants. The operative word is AND.
This chart shows a Single socket 10 core processor not costing more, so there isn't a penalty for going over 8 core's per proc up to 16 as long as it's single socket.
Note, this is "Informational only" datasheet so my friends who do license law (yah, the lamest thing to specialize in) tend to think of these docs as "maybe's" for if they count or not.
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@dbeato said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
This year has really shown that Intel has no idea what they are doing. Time to get to AMD and ARM procs and stay there.
ARM's impacted.
How is ARM impacted?
They are saying all Intel, AMD and ARM devices.
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/Any reputable sources? I did a search and came up only with disputed claims by Intel.
Phoronix states the following:
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-TestJust implies that Intel paid someone to include that on other processors. Not a good sign that it is included without information.
Did you not read Linus's response? It was hilarious.
https://lkml.org/lkml/2018/1/3/797That was awesome.
-
Meanwhile, I can confirm that VMware products are NOT vulnerable to Meltdown, the newest Fusion and Workstation were also not impacted at this time (They would depend on their guest OS being patched), and currently it looks like the CVE's in the wild for Spectre are being handled by the patch that went out on Dec 19th.
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Also Z-Series, Power, ARM, and AMD are impcated by Spectre. Not sure all the Intel hate is due here.... They got burned by Meltdown (which sucks if you use Xen PV which always had shit security IMHO for memory) but otherwise, this is a general-purpose multiplatform issue.
-
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
-
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
-
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
@storageninja said in Major Intel CPU vulnerability:
Not sure all the Intel hate is due here....
It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.
The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?
Yes, I never support secrecy. Transparency is always more important.
Google breached their maximum disclosure holding for project Zero. Funny how you do that when it's your servers on the line...
-
I've read 5% - 30% performance hit, depending on what process is being done. Do we know how much this will actually affect a host/Hyper-V, rather than a server for fileservices etc?
Meaning... if fileserver... yep, 30%... but if Hyper-V host... it'll be closer to 5%. Or don't we have such info yet?
-
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
-
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 I don't think information is going to be reliably available until the patches are more generally available and more wide benchmarking is run.
That's what I thought, sadly. I guess worst case I put all non critical on two hosts, and leave the other two for critical/"high performance" systems.
-
Do we know when M$ will have a patch ready by?
-
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-released -
@aidan_walsh said in Major Intel CPU vulnerability:
@jimmy9008 Yesterday. The patches are being held until your AV drops a particular registry key though, as some were found to bluescreen.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
https://support.microsoft.com/en-ie/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
https://support.microsoft.com/en-ie/help/4072699/important-information-regarding-the-windows-security-updates-releasedDoes the update have a KB number and is it rolled out to supported devices via Windows Update?
-
@jaredbusch said in Major Intel CPU vulnerability:
@scottalanmiller said in Major Intel CPU vulnerability:
A base Windows license core count is sixteen. So dual proc EPYC 7251 or single proc 7281, 7301, 7351, or 7351P procs incur no Windows licensing penalties.
This is not correct unless Microsoft has updated their terms in the last 12 months and I have not heard about it.
The core based licensing that came out at the time of Server 2016 is a 16 core minimum, but that is also a 2 socket minimum. Not 16 cores on a single processor.
I kind of what to agree about the two socket part, but for some reason I'm now thinking it was 2 socket maximum 16 core minimum. . .
-
So this bit is from this PDF about server 2016 licensing (guide from MS)
-
All physical cores on the server must be licensed, subject to a minimum of 8 core licenses per physical
processor and a minimum of 16 core licenses per server -
Core licenses are sold in packs of two.
- 8 two-core packs will be the minimum required to license each physical server. The two-core pack for
each edition is 1/8th the price of a license for a 2-processor server for corresponding Windows Server
2012 R2 editions
- 8 two-core packs will be the minimum required to license each physical server. The two-core pack for
I would take this to mean you can still have a single processor server, but no matter what you're buying for a dual processor server with a minimum of 16 cores (split across 1 or 2 processors).
-
-
So the part that really matters in the guide is this.
- 8 two-core packs will be the minimum required to license each physical server.
Microsoft doesn't seem to care about how the physical layout of your CPU setup is, so long as you're meeting the requirements.
-
@jimmy9008 said in Major Intel CPU vulnerability:
Does the update have a KB number and is it rolled out to supported devices via Windows Update?
I haven't seen them listed on any of the advisory pages, but this comes from the PatchManagement.org mailing list.
https://support.microsoft.com/en-us/help/4056893 (1507)
https://support.microsoft.com/en-us/help/4056888 (1511)
https://support.microsoft.com/en-us/help/4056890 (1607, Windows Server 2016)
https://support.microsoft.com/en-us/help/4056891 (1703)
https://support.microsoft.com/en-us/help/4056892 (1709)Edit: From BleepingComputer
https://support.microsoft.com/en-us/help/4056897 (Windows 7 SP 1, Windows Server 2008 R2 SP1)
https://support.microsoft.com/en-us/help/4056898 (Windows 8.1, Windows Server 2012 R2)They'll be out on Windows Update, and are already downloadable from the Windows Update Catalog. Again, they will only show in Windows Update if the registry condition is correct.
-
Michael Schwarz: "Using Meltdown to steal passwords in real-time" https://twitter.com/misc0110/status/948706387491786752
-
@dustinb3403 said in Major Intel CPU vulnerability:
So the part that really matters in the guide is this.
- 8 two-core packs will be the minimum required to license each physical server.
Microsoft doesn't seem to care about how the physical layout of your CPU setup is, so long as you're meeting the requirements.
This only makes sense - the physical sockets really don't matter anymore. It's good to see Licensing attempting to keep up.
-
I called up my AV vendor (Panda Security). They claim that they have tested against the new MS patches and currently there are no issues.
That said, they are still doing additional testing and have not released an update that inserts the registry key required so that Windows will auto update itself yet.
Their plan was to release their update Tuesday of next week (patch Tuesday) alongside Microsoft's update. The press releasing the information about the issue early has put them a bit behind, but they are still planning on releasing their AV update to insert the registry key.