Folding Forum

Posting here at this is specific to certain Intel CPUs running various Windows variants - If there is a better home for this please feel free to move !!

There is a Windows Patch with new Intel microcode aimed at addressing a number of security threats which may well appear in your Windows Update list at some point … and you may want to be aware of the potential impact of installing it prior to doing so and make your own decision as to the cost/benefit of doing so

I am usually very supportive of auto updating systems as soon as patches arrive - all my kit does so by default - and I tend to keep my builds a bit ahead of the curve, so it is with a bit of irony that I am posting this "heads up" about https://support.microsoft.com/en-us/hel ... de-updates

Now the patch is for all the right reasons - information security is important for the most part - but not specifically on this hardware with its current software build as I am in an unusual position of actually not gaining much (if any) benefit from the patch as the build is totally dedicated to FAH and will be blown away/rebuilt when I want to use the server for another task … but I patched anyway out of habit

Two days later having confirmed exactly what the cost of the patch is from my logs that I keep for Beta Team duties I am uninstalling the patch as I type this

Consistently over the last 48hrs my 32/56 and 24/56 slots that I run which usually push out between 250k and 300k PPD have been pushing through less than 200k PPD … What I am seeing is a reduction in WUs throughput that reduces PPD by over 25% … and Yes I have checked normal variances, yes I have compared WUs from same projects, yes I am sure the impact is this great, yes etc.

I will be doing some work to actually look into the raw processing hit on TPF so as to unpick the QRB and see how much it has actually slowed the compute down by ... various posts indicate possibly 10% or more - and it is by all accounts the compute intensive multi-threaded processes that are getting hit the worst so two Core_a7 (avx_256) on a twin 14core Xeon utilising all 56 threads may be close to a worst case scenario

Now please don't take this post as myself saying you shouldn't install/update this patch … There will be many situations where installing this is absolutely the right thing to do … I am simply pointing out that at least in my case there is a significant degradation of processing throughput - and that there may be people who like myself have the luxury of being able to not care about this level of security threat and may wish to consider carefully how much it might "impair" their system before installing.

Oh and for anyone running Intel CPUs who has been pulling their hair out trying to spot what has caused that noticeable drop in PPD - you may want to check if you received this patch about the time your reduced output started

For a non Microsoft perspective of the patch (imo actually quite well balanced) … https://meterpreter.org/microsoft-reiss ... indows-10/

So if you have an intel PC which is dedicated to F@H and no personal information is on that PC, it is safe not to take the patch.

That is the choice I am making … however, easier said than done ... The uninstall of the update worked fine … and the throughput appears (off the first two WUs in processing) to have recovered … but as I said I have my kit set for auto updating and, yes you guessed it, it has now reinstalled the update and is awaiting restart to finalise it … oh joy.

Now in the good old days you got to pick and choose updates and it was fairly simple to "hide"/"block" an update so it was never installed … this appears to be less easy so these days ... it has been a while since I have tried tbh … and I guess that even if I can block the updates then the next big release will have this Intel microcode "Fix" incorporated anyways … so this is feeling like I may dump windows for FAH purposes and throw up a Linux build instead ... not really my preferred choice as my Linux is ropey to say the least ... though since I don't GPU fold life could be worse.

I see there are Redhat/Centos/Fedora client/control/viewer rpms ... Since I have most of the recent iso images of Centos everything installs I'll start at the most recent and work backwards until I find one that works

Neil-B wrote:I see there are Redhat/Centos/Fedora client/control/viewer rpms ... Since I have most of the recent iso images of Centos everything installs I'll start at the most recent and work backwards until I find one that works

I can provide help setting up FAH under Fedora 32 since I've installed it on a few machines recently. There are a number of things that need to be done like installing the latest updates, fixing the path to python2 in the FAHClient script, adding the rpmfusion repos and installing akmod-nvidia, installing xorg-x11-drv-nvidia-cuda and ocl-icd-devel, opening up firewall ports for FAH and sshd for remote management, and optionally setting PowerMizer to prefer max performance, stopping lightdm from starting or installing powertop to tweak the power management.

Thanks for the offer ... but for various work related reasons if I end up switching to Linux it will be Centos - long story not worth telling

I may well smack my head against Windows for a day or two first and see if I can limit its exuberant update tendencies ... have a bit of spare time with the current circumstances.

Neil-B wrote:Thanks for the offer ... but for various work related reasons if I end up switching to Linux it will be Centos - long story not worth telling

Fedora and CentOS are very similar and most everything is probably the same when installing FAH. CentOS is like a stable version of Fedora with less bleeding edge versions of packages.

I may well reach out to you if/when I run into issues then - Again, Thanks for the offer

https://www.zdnet.com/article/linus-tor ... op-attack/

Think I have managed to put that KB back in its box for the time being … Microsoft have a slightly awkward way using a utility called wushowhide https://support.microsoft.com/en-my/hel ... -in-window ... I'll see how long I can manage to keep it at bay - may still Linux and grab a build pre the Linux implementations of the microcode (Thanks for the link JimboPalmer).

There is a flag in newer Linux kernels to disable the security fixes and improve performance slightly. How much of a difference FAH would see I don't know since I haven't tested it (yet).

https://www.reddit.com/r/BOINC/comments ... boinc_box/
https://linuxreviews.org/HOWTO_make_Lin ... Intel_CPUs
https://www.phoronix.com/scan.php?page= ... wn-2&num=1

If/When you do test please could you post to this thread as I would definitely be interested in knowing if Linux is as dramatically impacted as my system seems to be.

Here is a step by step instruction on how to apply the mitigations=off option in linux:
https://linuxreviews.org/HOWTO_make_Lin ... ast_(again)_on_Intel_CPUs

If anyone happens to end up with PPD figures for their setups before and after installation of the Intel microcode updates it would be good if they could post them with an indication of their kit setup and slots so everyone can get a real feel for how these are/may impact their systems ...TVM in advance

With regards to considerations regarding security, as far as I understand no patch fixes Intel's hyper threading security gap anyway. By default, a whole lot of Intel CPUs pose a security risk whether microcode patches are applied or not, unless HT is disabled.
Certainly, it might be better to patch a few gaps and live with one (HT), than leaving the door wide open, but then again, how much of a target is the average person? Are these exploits a real concern for everyone, seeing how much personal information we already share by using smartphones & free apps or any Google products for that matter? Or are these security concerns more applicable on a corporate or government level, like banks, insurances, control of infrastructure, military, etc?

On a desktop that is used daily, then applying any security patches might be worth it. On a Windows machine you use day to day, definitely. On a Linux machine used day to day, I probably wouldnt bother. Most malware generally targets Windows.

For a headless folding server that probably sits behind a decent firewall and does nothing but fold and connect to folding servers, not so much. I would go with max PPD for anything headless. Just configure your firewall to deny anything but ssh (use a certificate/key instead of password and set it up to deny on password), dns and anything folding related..