Opteron 6000 series the most secure x86-64 microarch of the past decade [re-post]
I'm re-posting this excellent comment from the Phoronix forum in support of the Opteron 6000 series CPUs on the fsf-approved and Libreboot-able ASUS KGPE-D16 motherboards.[1] I'm re-posting it here because the data is really good, and because Phoronix is almost impossible to search for information without using the site's own proprietary Google search tool.
The post is in response to a Phoronix article by editor Michael Larabel, who complained about the ASUS KGPE-D16 being in the FSF's annual giving guide:
>"The ASUS KGPE-D16 is from the AMD Opteron 6000 series days and has DDR3-1600 memory support. Besides having the open-source firmware it's hard to argue in favor of it especially given the era of today's CPU security vulnerabilities and long outdated CPUs not seeing any microcode updates or any formal security guidance"
User @torsionbar28 responded with a post that is packed with facts about the extremely high degree of security of the Opteron 6000 series of CPUs:
>"No not really. Actually, that's one benefit of the Fam 15h server chips from AMD - there are no unmitigated CPU security vulns that impact the Opteron 6000 series. None! The only vulns it's affected by are a couple of the Spectre variants, which are mitigated in the OS.
Here's the output from the latest spectre-meltdown-checker.sh script on my Opteron 6386 server:
* Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
* Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
* Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
* Affected by CVE-2018-3640 (Variant 3a, rogue system register read): NO
* Affected by CVE-2018-3639 (Variant 4, speculative store bypass): YES
* Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
* Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
* Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
* Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
* Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
* Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
* Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
* Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)): NO
* Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)): NO
* Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)): NO
All those 'NO' line items mean the chip does not have that vuln. Intel chips of the same era would be all yes's. The only three 'yes' entries are for Spectre, and all three are mitigated in the Linux kernel:
Code:
spectre_v1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2 : Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling, PBRSB-eIBRS: Not affected
spec_store_bypass : Mitigation: Speculative Store Bypass disabled
Opteron, as old as it is now, is the most secure x86-64 microarch of the past decade. Of course if any new Opteron hardware vulns are discovered, it won't get a microcode update. But as of today, it's about as secure as you can get."
All credit to Phoronix user @torsionbar28, I hope they don't mind me re-posting this for archival purposes here. If they do mind, I hope they will leave a response here and I can delete the material, or email me at my screenname at disroot[dot]org.