Friday Notebook, January 5: How will Meltdown and Spectre affect our corner of the industry?
Meltdown and Spectre news
We’re just a short week into 2018, and already we’re dealing with two huge security issues in the form of Meltdown and Spectre.
You can read official explainers
And when we say “a processor,” we really mean “just about every single processor in every device you’ve bought this century.” Though Meltdown appears to be limited to Intel chips made in the last ten years, Spectre, which is a similar exploit, but more difficult to use, affects different processors and architectures, from AMD and Intel to ARM and POWER.
Because this problem is a physical hardware problem, there’s nothing that can be done at that level to fix it. All the fixes have to be done at the OS level, where operations that would normally require some direct kernel interaction will now have to take a more circuitous route. By their very nature, these fixes will result in a performance hit, and stats from around the web suggest that, depending on the workload, it could be anywhere from a 5% - 30% reduction in speed.
This is all still fresh, and the exact workloads that will be affected aren’t known well enough to say how this will affect desktop virtualization environments. It also remains to be seen whether or not virtual Windows workloads need to be patched, or if patching the hypervisor is enough. The answer to that is likely irrelevant when it comes to the performance hit, though. Any reduction in performance (or a corresponding increase in resource consumption) is going to negatively affect our virtual environments. This will either be felt by the users in the form of slowdowns, or by IT budgets as they add more compute resources to their VDI environments. (Citrix, in their blog post with advice for customers, anticipates the need to add processing power.)
Of course, VDI workloads amount to a fraction of all the hardware organizations use, so our own IT resources are going to be taxed as we deal with this. Then, when you consider that cloud providers also use the same processors and operate at extreme levels of efficiency, you can see how we may have hit on the topic that defines 2018 just four days in.
Links to security bulletins, including Microsoft, Citrix, VMware, Amazon, and Google are available at meltdownattack.com.