Given the thread discussing mitigations of the recently disclosed processor bugs, I thought it might be helpful to put together a brief reading list explaining the what and how of the bugs, and some related info.
For a not-too-technical read, i’ll first toot my own horn with regards to what some of the lessons learned from an engineering aspect (and the importance of qa generally):
The Raspberry Pi folks, in explaining why the Pi computers are not vulnerable put together a nice, easily digestible explanation of how superscalar processors, out of order execution and speculative execution work:
For the technically inclined, a deep explanation of the bugs and some poc exploit code is available from Google’s Project Zero, whose Jann Horn independently identified the same bugs the Austrian researchers did:
Dark Reading has a fairly well put together explanation discussing some of the history as well as what the exposure and risks are, much better than the non-technical press which has been in full-on chicken little mode:
The Linux Kernel Mailing List and FreeBSD Security mailing lists are good resources but likely of limited utility unless you’re really into the nitty gritty of the fixes.
It is worth noting that while the FreeBSD Project was apparently informed of the issue in December, it is unclear what the fix there might be, and they are behind Linux and Windows in delivering. Advanced notice was apparently not provided to OpenBSD (known for being extremely hard-core with regards to security), or the FreeBSD down-stream project HardenedBSD. A post regarding the current state of mitigations in the BSD worls can be found here for those interested:
Thanks for those links, and for classifying them by depth.
I see several others have posted additional links.
As you might expect Patrick Gray has a good and relevant interview, in the 10-Jan episode, with Matt Tait.
https://risky.biz/RB482/ ( starts about 2/3 in )
Good depth, and succinct.