01-03-2018 02:54 AM - edited 01-03-2018 02:55 AM
According to this article "Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign" there's a fundamental design flaw in Intel's processor chips, which can only be fixed by changing the hardware or patching the system. However, patching might lead to a performance loss of 30% (depending on the task and the processor model).
My question is: How is Lenovo going to deal with it and is there a way to completely deactivate the Intel Management Engine?, I don't see any option in the Bios (I have a Thinkpad P51, FW: 1.17). I have already the newest IME security patch.
PS: I could have also posted this subject in all other sections, since all new Intel x86-64 hardware is affected by it.
01-05-2018 08:08 AM
Lenovo's PSIRT (Product Security Incident Response Team) has already issued an advisory on it:
Name: Lenovo Security Advisory #LEN-18282, "Reading Privileged Memory with a Side Channel"
Lenovo is in the process of releasing updates for affected products and is continuously updating the advisory with the latest information, so I would suggest periodically checking it. I noticed several models already have some updates available; an update for the P51 is targeted for January 9th.
01-06-2018 12:24 AM - edited 01-06-2018 12:27 AM
As far as I see, Lenovo already adresses the CVE-2017-5715 spectre vulerabilty with the bios version 1.17. However, I've also noted a performance loss with my Samsung SM961 NVMe PCIe M.2 512GB (see picture).. video encoding etc. also takes a bit longer, that's not satisfying to be honest. I hope it's possible to improve the patches and mitigate the performance loss. Obviously, Intel knew about the problem since at least summer. I'm pretty sure that if customers had known about the problem, some of them would have posponed the purchase of new hardware - or buy an AMD instead, where the performance loss is negligible.
01-06-2018 05:25 AM
Given the rapid speed at which announcements and updates about the Meltdown and Spectre vulnerabilities are appearing, I suspect you are right on target: First, CPU manufacturers are going to fix-test-verify in order to validate that they have closed the vulnerability without introducing further problems, and then they are going to work on performance optimizations.
Since we are still in the very early stages of what's known and being done, I feel it's important to take a wait-and-see approach as it may take a while for fully-optimized patches to appear.
04-30-2018 12:25 AM - edited 04-30-2018 12:26 AM
If you are referring to the Meltdown & Spectre vulnerabilities, then I think you might be confused. From what I understand, Intel Mgt Engine does have/had significant security vulnerabilities (one of which requires physical access to the targeted PC), but these are not related to Meltdown or Spectre, and it's those two vulnerabilities which have led to performance-lowering patches, esp for Intel machines (due to 'speculative execution' resulting in Meltdown vulnerability).