As expected, microcode applied to fix the Intel “Downfall” bug a Google researcher discovered this week can have a severe impact on performance, according to early tests, with the performance hit reaching nearly 40 percent in select workloads.
That poses a tough choice for consumers: if they accept the Downfall microcode, whether delivered as a BIOS update from their system or motherboard maker or loaded by the operating system, the performance of their CPUs could drop noticeably. If they don't, they risk an attacker using the vulnerability to lift data from their PC. Downfall affects a large share of the installed base, from the 6th-gen "Skylake" Core chips up through the 11th-gen "Tiger Lake" processors.
Here's what the early tests, run by a single researcher at Phoronix, have found. Phoronix ran three benchmarks on three chips: the Intel Xeon Platinum 8380, the Xeon Gold 6226R, and the Core i7-1165G7. The Core i7 was the only consumer processor tested.
Because Phoronix generally runs Linux server benchmarks, the three tests aren't familiar ones to consumers: OpenVKL 1.3.1, Intel's open volume kernel library benchmark, and two subtests of OSPRay, Intel's ray-tracing framework. Both are heavily vectorized rendering workloads, which makes them close to a worst case for a mitigation that slows gather instructions. In the OpenVKL test, performance dropped by 11 percent after applying the Downfall microcode patch; in the two OSPRay subtests, performance fell by 39 percent and 19 percent, respectively.
Officially, Intel does acknowledge that the Downfall patch will lower performance in specific applications, including graphic design and video editing software.
“Heavily optimized applications that rely on vectorization and gather instructions to achieve the highest performance may see an impact with the GDS mitigation update,” Intel says. “These are applications like graphical libraries, binaries, and video editing software that might use gather instructions. Our analysis has identified some specialized cases where client applications may see a performance impact. For example, certain digital art application add-ons have shown some performance impact. However, most client applications are not expected to be noticeably impacted because gather instructions are not typically used in the hot path.”
An Intel representative also shared a statement about the Downfall vulnerability:
“The security researcher, working within the controlled conditions of a research environment, demonstrated the GDS issue which relies on software using Gather instructions,” the company said. “While this attack would be very complex to pull off outside of such controlled conditions, affected platforms have an available mitigation via a microcode update. Recent Intel processors, including Alder Lake, Raptor Lake and Sapphire Rapids, are not affected. Many customers, after reviewing Intel’s risk assessment guidance, may determine to disable the mitigation via switches made available through Windows and Linux operating systems as well as VMMs. In public cloud environments, customers should check with their provider on the feasibility of these switches.”
All of this is troubling, especially if you already own an older processor. (Intel's 12th-gen and 13th-gen Core chips aren't affected by Downfall, as the company's statement notes.) There's another wrinkle, too: the CVE-2022-40982 ("Downfall") vulnerability allows a user who shares a PC to steal data from other users of the same computer. Daniel Moghimi, the Google researcher who discovered the vulnerability, hasn't reported that Downfall can be exploited by a purely remote attacker; the attacker needs to run code on the same machine. If you get tricked into installing malware on your PC, though, that malware could use the exploit.
That should give some comfort to those who live alone or don’t share their PC with anyone else, though you should make sure your antivirus software stays active and updated. (AV likely won’t detect Downfall exploits, but can find malware loads trying to sneak onto your system.) It’s a critical vulnerability for cloud providers, however; those servers are shared with multiple users, all tapping the same CPUs for a variety of applications.
So do you need to apply the Downfall patch? We can't say for sure. You'll have to weigh your own risk against any performance penalty the patch causes on your workload. Moghimi, however, recommends applying it. Here is his answer, from the dedicated Downfall page, to the question "can I disable the mitigation if my workload does not use Gather?":
“This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather.”
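The switches Intel mentions in its statement are, on Linux, the kernel parameter `gather_data_sampling=off` (and `=force`, which disables AVX instead when no microcode is loaded) and the read-only status file `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling`. The following POSIX shell script is an added example, not code from the article, from Intel, or from the Downfall page: it classifies the status strings the Linux kernel prints for that file and reads the live value when the file exists. The status strings are the kernel's own; the one-word labels the script prints are this example's own naming.

```shell
#!/bin/sh
# Added example (not part of the article): report whether the Linux kernel
# considers this CPU mitigated against GDS / Downfall (CVE-2022-40982).
# The sysfs path and the status strings are what the x86 kernel exposes;
# the labels printed by gds_classify are this script's own invention.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS -> prints a one-word label for a kernel status string
gds_classify() {
    case "$1" in
        "Not affected")                             echo "not-affected" ;;
        "Mitigation: Microcode")                    echo "mitigated" ;;
        "Mitigation: Microcode (locked)")           echo "mitigated-locked" ;;      # firmware locked it on; the OS switch cannot turn it off
        "Mitigation: AVX disabled, no microcode")   echo "mitigated-avx-off" ;;     # gather_data_sampling=force on a CPU without new microcode
        "Vulnerable: No microcode")                 echo "vulnerable-needs-microcode" ;;
        "Vulnerable")                               echo "vulnerable-disabled" ;;   # microcode present but mitigation switched off
        "Unknown: Dependent on hypervisor status")  echo "unknown-vm" ;;            # guest: ask the cloud provider, as Intel suggests
        *)                                          echo "unrecognised" ;;
    esac
}

# gds_check [FILE] -> prints "<label><TAB><raw status>" from FILE (default: sysfs)
# Returns 1 when the file is missing, i.e. the kernel predates the GDS patch
# or the machine is not x86, in which case the status is simply unknown.
gds_check() {
    f="${1:-$GDS_SYSFS}"
    if [ ! -r "$f" ]; then
        echo "no-sysfs-entry"
        return 1
    fi
    status="$(cat "$f")"
    printf '%s\t%s\n' "$(gds_classify "$status")" "$status"
}

# When run directly, report the live status; do not fail the script if the
# entry is absent, so the functions remain usable when the file is sourced.
gds_check "${1:-}" || :
```

Note that "Vulnerable" on a patched kernel means the mitigation is present but switched off, which is exactly the configuration Moghimi warns against above; "Vulnerable: No microcode" means the BIOS or OS microcode update has not been applied at all. Inside a virtual machine the kernel reports "Unknown: Dependent on hypervisor status", because the mitigation is controlled by the host, which is why Intel's statement points cloud customers to their provider.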
This story was updated at 3:25 PM with a statement from Intel.