By now you’re all familiar with the Meltdown and Spectre vulnerabilities that were disclosed this past month. They were the biggest news items of the past two weeks, and no-one has any real idea of how long we’re going to be watching our backs over them. It’s difficult to pinpoint a date by which we’ll have fixed these issues in hardware and software, because the mitigations being put in place only cover the attack variants that are known today. Spectre abuses speculative execution itself, a technique processors have relied on for decades, so closing it off properly means changes to the architecture; in the meantime it is being papered over with microcode updates plus compiler and kernel changes. Meltdown is being handled in software, by isolating kernel memory from user processes (page-table isolation), and that is where the performance cost everyone is talking about comes from.
None of this is going to be easy, and there’s a double-whammy on the horizon for end-users: you’re going to have to upgrade your systems one way or another, particularly if you work with sensitive information, or have high-end requirements. Or if you just have something that’s plain old, because it’s only going to get slower now.
Two weeks ago, Intel published a statement on its position in mitigating Meltdown and Spectre and claimed at the time that 90% of its product lines would receive microcode updates in the coming weeks. As time passed, that statement changed, first to 90% “of all modern processors”, and then to “90% of all recent processors”. “Recent” in Intel’s case means Skylake and newer; anything Haswell and older would receive microcode updates a little later. The reason newer parts fare better on the performance side is a feature called Process-Context Identifiers (PCID). The Meltdown fix makes the operating system switch page tables every time it enters and leaves the kernel, and without PCID each switch throws away the entire TLB. With PCID the TLB entries are tagged with the context they belong to, so the kernel can keep them across the switch and only invalidate what it has to, which cuts the performance drop considerably. Operating systems only use that fast path on CPUs where the feature is fully supported, which in practice means the generations after Haswell.
So it’s only a viable fix in processors launched after the Haswell family, and those will see less of a performance drop. The Haswell family includes processors like the Core i7-4770K, as well as laptops that were on shelves around four years ago. Intel CEO Brian Krzanich even spent about ten minutes going off-topic during his CES 2018 keynote to talk about the Meltdown issues and what Intel was doing to fix them.
When your own CEO deviates from the regular marketing spiel to try fix the message, you know things aren’t ideal.
Even less ideal was Microsoft’s revelation that consumers, even average Joes, would see noticeable performance degradation thanks to the fixes coming in the next few weeks. In a blog post published on 10 January 2018, Microsoft executive vice president Terry Myerson wrote the following:
With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
Keep in mind that the same performance drops apply to Apple macOS and Linux systems as well. The mitigations across all three platforms are similar in nature, and they all hit older hardware hardest. Intel publicly downplays the performance cost of the mitigations, but when Microsoft, Intel’s biggest partner, says that you can expect a drop in general performance on most systems, you have to wonder what happened behind the scenes to spark that public disagreement.
It is in Microsoft’s interest to show that it had no hand or choice in making these fixes and releasing them to the public (something along the lines of “we’re obliged to do the right thing”), while Intel will do its best to control the message around the performance drops and focus attention elsewhere. The situation is much more dire for Intel. Its biggest customers are corporations that run datacenters and operations focused on machine learning. If those customers see big drops in performance and have to compensate by spending more on hardware, electricity and cooling to get the same throughput, that is grounds for them to take their business to AMD, ARM or IBM. Of those, AMD has said its processors are not vulnerable to Meltdown at all.
But let’s talk about you, the little girl/guy
You’re affected in ways that you cannot control or avoid. You can’t switch off the Meltdown mitigations to regain some performance the way Windows Server customers can, because you might forfeit the ability to receive updates on Windows 10. You can’t pick and choose when to install those updates because you’re not on Windows 10 Pro for Workstations. Windows 10 Professional has already narrowed the window in which you can pause updates, from six months to just 35 days. If you’re on Windows 10 Home, you have no choices at all. You can manually disable updates and stay unprotected, and hope the trade-off is worth the performance you keep.
If you stay on Windows 7 or 8.1, you’re just as vulnerable until you patch. If you refuse microcode updates, you’re still vulnerable to Spectre. Heck, even if you keep your system up to date on older hardware, you’re safe, but your system is slower as a result. If you move to Linux you have more control over the situation, since the kernel lets you see which mitigations are active and switch them off at boot, but you’ll still have to patch your system eventually. This is a raw deal we’ve been handed, and there’s no way out except upgrading to an unaffected platform. I guess that’s why AMD has been so smug lately.
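The PCID point above and the remark that Linux gives you more control can both be checked from a shell. The script below is an added example, not from the original article and not from Intel or Microsoft; it assumes the standard Linux interfaces (the flags line in /proc/cpuinfo, the sysfs vulnerabilities file the kernel exposes, and the pti=off / nopti boot parameters). The classification helpers take their input as arguments so they can be tried on constructed flag strings; pass --live to inspect the machine you are on.

```shell
#!/bin/sh
# Added example (not from the original article): classify a Linux system's
# Meltdown exposure and the likely cost of its KPTI mitigation.
#
# Assumed kernel interfaces (not described in the article):
#   - /proc/cpuinfo "flags" lists CPU features (pcid, invpcid; "pti" when
#     page-table isolation is active on x86).
#   - /sys/devices/system/cpu/vulnerabilities/meltdown gives the kernel's
#     own verdict ("Mitigation: PTI", "Vulnerable", "Not affected").
#   - "pti=off" or "nopti" on the kernel command line disables KPTI.

# kpti_cost_class FLAGS -> prints one of: invpcid | pcid | flush-only
# KPTI switches page tables on every kernel entry and exit. With PCID the
# TLB entries are tagged, so the switch keeps them; with INVPCID the kernel
# can also invalidate individual tagged entries cheaply. Without PCID every
# switch is a full TLB flush, which is the expensive case the article
# describes for Haswell and older.
kpti_cost_class() {
  flags=" $1 "
  case "$flags" in
    *" invpcid "*) echo invpcid ;;
    *" pcid "*)    echo pcid ;;
    *)             echo flush-only ;;
  esac
}

# meltdown_state SYSFS_LINE -> prints: mitigated | vulnerable | unaffected | unknown
meltdown_state() {
  case "$1" in
    "Mitigation: "*) echo mitigated ;;
    "Vulnerable"*)   echo vulnerable ;;
    "Not affected"*) echo unaffected ;;
    *)               echo unknown ;;
  esac
}

# kpti_disabled_on_cmdline CMDLINE -> returns 0 if KPTI was switched off at boot
kpti_disabled_on_cmdline() {
  cmdline=" $1 "
  case "$cmdline" in
    *" nopti "*|*" pti=off "*) return 0 ;;
    *)                         return 1 ;;
  esac
}

# report_live_system: read the real interfaces and print a short verdict.
report_live_system() {
  flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
  state=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
  cmdline=$(cat /proc/cmdline 2>/dev/null)
  echo "meltdown: $(meltdown_state "$state") (${state:-no sysfs entry, kernel too old to report})"
  echo "kpti cost class: $(kpti_cost_class "$flags")"
  if kpti_disabled_on_cmdline "$cmdline"; then
    echo "warning: KPTI disabled on the kernel command line"
  fi
}

if [ "${1:-}" = "--live" ]; then
  report_live_system
fi
```

A machine reporting "flush-only" is the one the article says will hurt most once patched; a machine whose sysfs entry is missing is running a kernel that predates the reporting interface and should be treated as unpatched until proven otherwise.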
That’s why it’s so infuriating to see tables like the one below detailing the performance drops consumers can expect. Intel doesn’t want to point things out in neon, but it can’t exactly hide them either: it had known about the issues, and the cost of the mitigations, for more than six months.
A 21% drop in performance for a patched Windows 10 installation on a Skylake system isn’t something Intel can just ignore. The “responsiveness” benchmark in SYSmark 2014 SE consists of running workloads and task switching between the following applications:
Given these results, it’s rather telling that Intel didn’t put a Haswell system in there for comparison. And you can look forward to random reboots from applying the microcode updates too, reboots that affect anything from a netbook to a server in a datacenter hosting virtual machines!
Paul Thurrott suggested in a recent episode of the Windows Weekly podcast that he wouldn’t be surprised if the computer industry suddenly saw a spike in new computer sales as consumers move to newer platforms to work around the slowdowns – to be honest, neither would I. Consumers could move to AMD Ryzen-based systems and work around the bigger performance drops they might have seen on their old system, or they could move to Intel’s Coffee Lake and accept that they won’t be getting all the advertised performance post-fix.
Those among us who donned the tinfoil hat after hearing about Meltdown and Spectre have also suggested on Reddit and other message boards that Intel may have rushed the launches of Coffee Lake, Kaby Lake-X and Skylake-X in order to have those products out and selling before Meltdown became a PR problem. Maybe some of that is true, but keep in mind that Intel’s roadmaps have been set for more than two years. Going back to the drawing board for the upcoming Cannon Lake family isn’t possible either: it is expected to need the same Meltdown mitigations, and it’s too late to make significant changes to the architecture.
Either way, there’s no easy way out of the hole the PC industry finds itself in. Switching to AMD might be the answer, but that costs money most consumers don’t have lying around. Using AMD’s Epyc server CPUs for cloud operations might also be viable, but migrating is a time-consuming process. I expect most server administrators and network engineers will have to weigh the benefits of staying patched against the performance drops and decide which path is better for them. Speed, security, or stability: pick any two.
So if you’re using a machine that is ten years old, or older, now might be the time to consider upgrading it if you rely on that system’s performance to do whatever it is that you use it for daily. You don’t have to do it now, and chances are that you might not even need to depending on what you use the computer for. But you’re going to have to do it sometime if you use it professionally and need that performance boost.