SiSoftware Sandra Titanium (2018) SP4/a Update: Retpoline and hardware support

We are pleased to release SP4/a (Service Pack 4/a – version 28.61) update for Sandra Titanium (2018) with the following updates:

Sandra Titanium (2018) Press Release

  • Reporting of Operating System (Windows) speculation control settings for the recently discovered vulnerabilities:
    • Kernel Retpoline mitigation status in recent Windows 10 / Server 2019 updates
    • Kernel Address Table Import Optimisation status (as above)
    • L1TF – L1 data terminal fault mitigation status
  • Hardware Support:
    • AMD Ryzen2 (Matisse), Stoney Ridge support
    • Intel CometLake (CML), CannonLake (CNL), IceLake (ICL) support (based on public information)
  • CPU Benchmarks:
    • Image Processing: SIMD code improvement (SSE2/SSE4/AVX/AVX2-FMA/AVX512)
  • Memory/Cache Benchmarks
    • Return memory controller firmware version to Ranker
  • GPGPU Benchmarks:
    • CUDA SDK 10.1
    • OpenCL: Processing (Fractals/Mandelbrot) variable vector width based on reported FP16/32/64 optimal SIMD width.
  • Ranker, Price & Information Engines
    • HTTPS (encryption) support for all engines as well as the main website

What is Retpoline?

It is a mitigation against ‘Spectre‘ 2 variant (BTI – Branch Target Injection) that affects just about all CPUs (not just Intel but AMD, ARM, etc.). While ‘Spectre’ does not have the same overall performance impact degradation as ‘Meltdown‘ (RDCL – Rogue Data Cache Load) it can have a sizeable impact on some processors and workloads. At this time no CPUs contain hardware mitigation for Spectre without performance impact.

Retpoline (Return Trampoline) is a faster way to mitigate against it without restricting branch speculation in kernel mode (using IBRS/IBPB) and has recently been added to Linux and now Windows version 1809 builds with KB4482887. Note that it still needs to be enabled in registry via the Mitigation Features Override flags as by default it is not enabled.

What CPUs can Retpoline be used on?

Unfortunately Retpoline is only safe to use on some CPUs: AMD CPUs (though does not engage on Ryzen, see below), Intel Broadwell or older (v5 and earlier) – thus not Skylake (v6 or later).

Windows speculation control settings reporting:

Intel Haswell (Core v4), Broadwell (v5) – Retpoline enabled, KATI enabled
Kernel Retpoline Speculation Control – Enabled

Kernel Address Table Import Optimisation – Enabled

(Note RDCL mitigations KVA, L1TF are also enabled as required)

Intel Skylake (Core v6), Kabylake (v7), Skylake/Kabylake-X (v6x) – no Retpoline, KATI can be enabled
Kernel Retpoline Speculation Control – no

Kernel Address Table Import Optimisation – no/yes (can be enabled)

(Note RDCL mitigations KVA, L1TF are enabled as required)

Intel Coffeelake-R (Core v8r), Whiskeylake/AmberLake (Core v8r), CometLake* – no Retpoline but KATI enabled
Kernel Retpoline Speculation Control – no

Kernel Address Table Import Optimisation – Enabled

(Note CPU does not require RDCL mitigation thus no KVA, L1TF required)

Intel Atom Braswell (Atom v5), GeminiLake/ApolloLake (Atom v6) – no Retpoline but KATI enabled
Kernel Retpoline Speculation Control – no

Kernel Address Table Import Optimisation – Enabled

(Note RDCL mitigations KVA, L1TF are enabled as required)

AMD Ryzen (Threadripper) 1, 2 – no Retpoline, no KATI
Kernel Retpoline Speculation Control – no (should be usable?)

Kernel Address Table Import Optimisation – no (should be usable)

(Note CPU does not require RDCL mitigation thus no KVA, L1TF required)

From our somewhat limited testing above it seems that:

  • Intel Haswell/Broadwell (Core v4/v5) and perhaps earlier (Ivy Bridge/Sandy Bridge Core v3/v2) users are in luck, Retpoline is enabled and should improve performance; unfortunately KVA (Meltdown mitigation) remains.
  • Intel Coffeelake-R (Core v8r refresh), Whiskylake ULV (v8r) users do benefit a bit more for their investment – while Retpoline is not enabled, KATI is enabled and should help. Not requiring KVA is the biggest gain of CFL-R.
  • Intel Skylake (Core v6), Kabylake (v7) and Coffeelake (v8) are not able to benefit from Retpoline but KATI can work on some systems (driver dependent). However, on our Skylake ULV, Skylake-X test systems KATI could not be enabled. We are investigating further.
  • Intel Atom (v4/v5+) users should be able to use Retpoline but it seems it cannot be enabled currently. KATI is enabled.
  • AMD Ryzen (Threadripper) 1, 2 users should also be able to use Retpoline but it seems it cannot be enabled currently. While KVA is not required, mitigations for Spectre v2 are required and should be enabled. We are investigating further.

Commercial version customers can download the free updates from their software distributor; Lite users please download from your favourite download site.

Download Sandra Lite

Sandra Platinum (2017) SP4 – Updates for ‘Meltdown’ and ‘Spectre’

NB: SP4 has been refreshed to version 24.61 vs. the original 24.55 a day later.

We are pleased to release SP4 (Service Pack 4 – version 24.61) update for Sandra Platinum (2017) with the following updates:

Sandra Platinum (2017) Press Release

  • Reporting of Operating System (Windows) speculation control settings for the recently discovered vulnerabilities:
  • Reporting of latest CPU microcode update availability
    • Hardware mitigation for BTI/’Spectre’
  • Reporting of CPU features for branch control
    • Hardware enumeration and control for speculation and predictors
      • Indirect branch restricted speculation (IBRS) and Indirect branch predictor barrier (IBPB)
      • Single thread indirect branch predictors (STIBP)
      • Architecture Capabilities (affected by IB or not)
  • Reporting of CPU support for Context ID / Indirect CID
    • Hardware acceleration for context switching thus mitigating performance loss when KVA (Kernel’s Virtual Address) Shadowing is enabled.

Windows speculation control settings reporting:

Recommended Settings (Windows and CPU updated)
Operating System Mitigation: Enabled (Windows updated)

BTI Mitigation: Enabled, CPU indirect branch-control enumeration support (microcode updated)

RDCL Mitigation: KVA Shadowing enabled, Windows/CPU context-ID support

OK Settings (Windows updated, but CPU not updated)
Operating System Mitigation: Enabled (Windows updated)

BTI Mitigation: Not enabled, no CPU support (e.g. firmware not updated – check for BIOS update)

RDCL Mitigation: KVA Shadowing enabled, Windows/CPU context-ID support

OK Settings (Windows updated, but CPU not updated, no CID)
Operating System Mitigation: Enabled (Windows updated)

BTI Mitigation: Not enabled, no CPU support (e.g. firmware not updated – check for BIOS update)

RDCL Mitigation: KVA Shadowing not enabled, no context-ID support (either CPU or Windows obsolete)

Not Recommended (Windows not updated)
Operating System Mitigation: Not enabled, Windows has not been updated – install the OS update)

Processor features and microcode updates:

CPU microcode not latest
CPU has not been updated with the latest microcode update: check for an updated BIOS/firmware from the OEM/computer manufacturer.
CPU microcode w/speculation support
CPU supports IBRS/PB (indirect branch restricted speculation/predictor barrier) ennumeration as well as STIBP (single thread indirect branch predictors).
CPU supports CID or InvPCID
CPU supports either CID (Context ID) or InvPCID (Process Context ID) for faster context switch – thus mitigating performance loss.

 

Microcode Updates for Intel processors (non-exhaustive list):

 

 

Generation Old Microcode Updated Microcode
IvyBridge 3rd Gen (IVB C0) 28 2a
Haswell 4th Gen (HSW-U/Y Cx/Dx) 20 21
Haswell-X 4th Gen (HSX C0) 3a 3b
Haswell-EX 4th Gen (HSW-EX E0) 0f 10
Broadwell 5th Gen (BDW-U/Y E/F) 25 28
Crystalwell 5th Gen (CRW CX) 17 18
Broadwell 5th Gen (BDW-H E/G) 17 1b
Broadwell 5th Gen (BDX-DE V0/V1) 0f 14
Broadwell 5th Gen (BDX-DE V2) 0d 11
SkyLake 6th Gen (SKL-U/Y D0/R0) ba c2
SkyLake-X 6th Gen (SKX H0) 35 3c
KabyLake 7th Gen (KBL-U/Y H0) 62 80
KabyLake 7th Gen (KBL Y0 / CFL D0) 70 80
KabyLake 7th Gen (KBL-H/S B0) 5e 80
CofeeLake 8th Gen (CFL U0/B0) 70 80

 

Note: Due to some unexplained crashes, resume from sleep issues, etc. the current (January 2018) microcode updates have been suspended by Intel. They are scheduled to be resumed in March 2018.

In preliminary benchmarking, we have observed no or very minor performance impact to CPU, GPGPU and memory scores; disk performance for small transfers is impacted when KVA shadowing is enabled.

Commercial version customers can download the free updates from their software distributor; Lite users please download from your favourite download site.

Download Sandra Lite