LinuxQuestions.org

Slackware forum thread: [Slackware security] vulnerabilities outstanding 20140101 (https://www.linuxquestions.org/questions/slackware-14/%5Bslackware-security%5D-vulnerabilities-outstanding-20140101-a-4175489800/)

Skaendo 01-04-2018 07:36 AM

Here is the original story that broke the news:

https://www.theregister.co.uk/2018/0...u_design_flaw/

I don't think that this story has anything to do with the SPECTRE vulnerability though.

ttk 01-04-2018 12:01 PM

An associate at a company we would all recognize says they have tested their AMD systems for both vulnerabilities (Spectre and Meltdown) and found them vulnerable to both.

This is of course hearsay and I cannot be more specific without violating his trust, so take it with a grain of salt.

ttk 01-04-2018 12:05 PM

As bad as these vulnerabilities are, I am still more concerned about Rowhammer2. Spectre and Meltdown will be fixed, eventually, in hardware. To the best of my knowledge there are no plans to address Rowhammer.

abga 01-04-2018 12:07 PM

Quote:

Originally Posted by bassmadrigal (Post 5801665)
AMD states they are not vulnerable to this. Tom Lendacky, who is a software engineer at AMD, states:



However, with the quick fixes that went into the kernel, AMD CPUs are still flagged as "insecure", so it will be hit with the performance penalty unless you pass the nopti kernel option when booting. But the patch to disable this automatically on AMD CPUs has apparently been pulled "in mainline for Linux 4.15", I assume to be included in the next release.

AMD
https://www.amd.com/en/corporate/speculative-execution
ARM
https://developer.arm.com/support/security-update

bassmadrigal 01-04-2018 01:14 PM

The verbiage used by Tom Lendacky seems to be carefully constructed, specifically "that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault." I wonder if this means they aren't affected specifically by the PTI vulnerability, which is why they submitted the patch to the kernel to prevent PTI from being used on AMD processors. I haven't been able to do a ton of research, but I assume the embargo is still in place and thus a lot of the information out there is (very smart) speculation done by those in the industry?

abga 01-04-2018 02:18 PM

Quote:

Originally Posted by bassmadrigal (Post 5801887)
The verbiage used by Tom Lendacky seems to be carefully constructed, specifically "that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault." I wonder if this means they aren't affected specifically by the PTI vulnerability, which is why they submitted the patch to the kernel to prevent PTI from being used on AMD processors. I haven't been able to do a ton of research, but I assume the embargo is still in place and thus a lot of the information out there is (very smart) speculation done by those in the industry?

I don't really believe it was only his words; more likely it was the AMD lawyers' composition together with his technical input. And he (they) referred only to the Meltdown vulnerability (PTI):
https://en.wikipedia.org/wiki/Meltdo...vulnerability)
which is a particularity of the speculative execution (out-of-order execution) really only affecting the Intel chips. The general and aggravating vulnerability is Spectre, and it's apparently affecting all CPUs that have HW engines for speculative execution. Mitigating Spectre would maybe require some more complex and deeper approach - modifying compilers and recompiling not only the kernel but the entire OS. We'll see, there are armies of paid engineers at these CPU manufacturers that should (hopefully) come up with some solutions.

These two papers should give more technical details about these vulnerabilities:
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf

bassmadrigal 01-04-2018 02:30 PM

Yeah, I don't doubt it was just his words in that statement.

Looks like I have a lot of reading to do to try and get fully in the loop. I'll probably just wait a few days and see what the wikipedia pages for these cover. I don't have a ton of free time right now :(

abga 01-04-2018 10:01 PM

Intel has some patches already available and being deployed (I had hoped that there would be only firmware/microcode stuff):
http://nordic.businessinsider.com/in...eltdown-2018-1
https://newsroom.intel.com/news-rele...rity-exploits/

ARM is developing Whitepapers:
https://developer.arm.com/support/se...the-whitepaper

And AMD is still cooking?

abga 01-05-2018 05:57 PM

I just hope this grim outlook won't materialize:
"Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones."
https://www.schneier.com/blog/archiv...and_mel_1.html

atelszewski 01-05-2018 06:50 PM

Hi,

Don't be too optimistic.
If you knew that some microcontroller manufacturer embeds a backdoor into a chip targeted at avionics, probably nothing would surprise you.

--
Best regards,
Andrzej Telszewski

Jeebizz 01-05-2018 08:13 PM

<deleted>

majekw 01-08-2018 05:15 AM

There is a new kernel with page table isolation (to fix the kernel side of this mess): https://www.kernel.org/pub/linux/ker...ngeLog-4.4.110
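A defender's check that ties together abga's earlier note about the nopti boot option and the PTI kernel mentioned just above: this is an added example, not code from the thread, from the kernel, or from Slackware. It assumes the "pti" entry in the /proc/cpuinfo flags line and the /sys/devices/system/cpu/vulnerabilities/meltdown file as exposed by kernels that carry the PTI patches; the function names and the sample flag and command-line strings are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example: report whether kernel page-table isolation (PTI, the
# Meltdown mitigation) is in effect, from the /proc/cpuinfo "flags" line
# and the kernel command line. Assumption: the "pti" cpuinfo flag and the
# sysfs vulnerabilities file behave as in PTI-patched kernels.
# pti_status() and the SAMPLE_* strings below are constructed, not real data.

# pti_status FLAGS CMDLINE
#   Prints one of: enabled, disabled-by-nopti, absent
#   "absent" means the running kernel exposes no pti flag at all, i.e. it
#   either predates the PTI patches or the CPU was not flagged as needing it.
pti_status() {
    flags="$1"
    cmdline="$2"
    # Both "nopti" and "pti=off" switch the mitigation off at boot.
    case " $cmdline " in
        *" nopti "*|*" pti=off "*)
            echo "disabled-by-nopti"
            return 0 ;;
    esac
    # With PTI active the kernel adds "pti" to the cpuinfo flags.
    case " $flags " in
        *" pti "*)
            echo "enabled"
            return 0 ;;
    esac
    echo "absent"
}

# pti_status_live: run the same classification against the running system,
# and show the kernel's own summary line where the sysfs file exists.
pti_status_live() {
    flags=$(awk -F: '/^flags/ {print $2; exit}' /proc/cpuinfo 2>/dev/null)
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    pti_status "$flags" "$cmdline"
    if [ -r /sys/devices/system/cpu/vulnerabilities/meltdown ]; then
        printf 'kernel says: '
        cat /sys/devices/system/cpu/vulnerabilities/meltdown
    fi
    return 0
}

# Constructed sample inputs (not captured from a real machine):
SAMPLE_FLAGS_PTI="fpu vme de pse tsc msr pae mce cx8 sep pti"
SAMPLE_FLAGS_NOPTI="fpu vme de pse tsc msr pae mce cx8 sep"
SAMPLE_CMDLINE_PLAIN="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro"
SAMPLE_CMDLINE_NOPTI="BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro nopti"

# Usage on a live system: sh this_script.sh && pti_status_live
```

On a Slackware box that has just booted the patched kernel, "enabled" plus a sysfs line is what you want to see; "disabled-by-nopti" confirms that the boot option discussed earlier was honoured, and "absent" on an Intel machine means the kernel in use does not carry the PTI patches at all.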

abga 01-08-2018 04:33 PM

I just found a page that keeps track of the updates related to Meltdown/Spectre. Although the article is in German, from a well known IT/tech related online publication, the list points to links in English (Intel, AMD, ARM, Linux, HW manufacturers, etc.):
https://www.heise.de/newsticker/meld...n-3936141.html

Funny enough, I own an Intel-powered Dell laptop, a few years old, that is vulnerable but doesn't appear in Dell's list of affected systems/updates.

OldHolborn 01-08-2018 04:55 PM

Quote:

Originally Posted by abga (Post 5803804)
I just found a page that keeps track of the updates related to Meltdown/Spectre. Although the article is in German, from a well known IT/tech related online publication, the list points to links in English (Intel, AMD, ARM, Linux, HW manufacturers, etc.):
https://www.heise.de/newsticker/meld...n-3936141.html

Good list, thank you!

Quote:

Originally Posted by abga (Post 5803804)
Funny enough, I own an Intel-powered Dell laptop, a few years old, that is vulnerable but doesn't appear in Dell's list of affected systems/updates.

There seem to be two camps in this -

1) The "only admit to the stuff we know others have proven broken" camp (hardware manufacturers)

2) The "shitlist everything until proven safe" camp (Linux kernel developers)

I know which ones I trust :)

abga 01-08-2018 05:47 PM

Quote:

Originally Posted by OldHolborn (Post 5803813)
There seem to be two camps in this -

1) The "only admit to the stuff we know others have proven broken" camp (hardware manufacturers)

There are obvious legal and marketing concerns/strategies that are defining the game. Business as usual. :)

Quote:

Originally Posted by OldHolborn (Post 5803813)
2) The "shitlist everything until proven safe" camp (Linux kernel developers)

I was a little confused about why Linus channeled his rant only towards Intel, it being known that all modern CPUs that have speculative execution can be affected, but in his forum post he dropped a valuable piece of information:
http://www.businessinsider.com/linus...t-intel-2018-1
(original link doesn't work all the time: https://lkml.org/lkml/2018/1/3/797 )
"Why is this all done without any configuration options?
A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL."
My speculation, without knowing too much about the complex algorithms that are embedded in this speculative execution, is that the Spectre issue might be mitigated with microcode only, imposing some discipline/configuration on these algorithms so that they cannot be influenced.

There is another question floating around about why all the speculative execution engines are affected, as if they were copycatting each other; my view on this is that the compiler guys (SW) have dictated this uniformity and the HW guys just complied.
