Thursday, February 8th 2018

Intel Deploys Microcode Update for Spectre Flaw on Skylake

In another step of our Spectre/Meltdown odyssey, Intel has started deployment of a corrected microcode update for its Skylake processors, which aims to neuter the chances of a malicious attacker exploiting the (now) known vulnerabilities. This update, which comes after a botched first attempt that was causing widespread system reboots and prompted Intel to change its update guidelines, is only for the Skylake platform; other Intel CPUs' updates remain in beta, and there's no word on when they might see a final deployment.

The new microcode is being distributed to industry partners, so that they can include it in a new range of firmware updates that will, hopefully, end the instability and vulnerabilities present in current mobile and desktop Skylake implementations. Users of other Intel architectures will still have to wait a while longer before updates for their systems are certified by Intel, distributed to industry partners, and then trickle down to end users via firmware updates.
Source: ArsTechnica

15 Comments on Intel Deploys Microcode Update for Spectre Flaw on Skylake

#1
puma99dk|
I wish Gigabyte would get their heads out of their ****** and release a BIOS update for my Gigabyte Aorus GA-Z270X-Gaming 7 by now to fix this issue, but the latest is the F9c from 2018/01/10 which contains "CPU Microcode", not even including a changelog of what the CPU microcode does.

I am strongly considering going ASRock Taichi next time, or Asus again, even though Gigabyte has some cool features like onboard Intel Thunderbolt that others don't in the same price range.
Posted on Reply
#2
trparky
OK here's a really dumb question... If I build a new Intel system today and install this firmware update will I see the supposed performance penalty? Would I be better off waiting for the next series of Intel chips that has the fix baked into the silicon?
Posted on Reply
#3
evernessince
"trparky said:
OK here's a really dumb question... If I build a new Intel system today and install this firmware update will I see the supposed performance penalty? Would I be better off waiting for the next series of Intel chips that has the fix baked into the silicon?
Yes, you will still see the performance penalty. Intel plans to implement mitigations into the hardware this year but these are only mitigations, not full fixes and may still carry a penalty. As the fix will require architectural changes, expect it to take at least 1 1/2 - 2 years.

If you want to avoid the issue entirely just buy AMD. Meltdown doesn't work on AMD processors and they are only vulnerable to 1 variant of Spectre, which has already been patched and doesn't carry a performance penalty. Heck, Zen+ is coming out next month.
Posted on Reply
#4
Da_SyEnTisT
"puma99dk| said:
I wish Gigabyte would get their heads out of their ****** and release a BIOS update for my Gigabyte Aorus GA-Z270X-Gaming 7 by now to fix this issue, but the latest is the F9c from 2018/01/10 which contains "CPU Microcode", not even including a changelog of what the CPU microcode does.
Every Gigabyte board with a BIOS release after 2018/01/10 has the same "CPU Microcode" description AND includes the first buggy Spectre microcode update.

In fact Gigabyte was pretty quick with the update, they just wrote a bad description.

Now let's see how much time before they release the new microcode.
Posted on Reply
#5
Xzibit
"trparky said:
OK here's a really dumb question... If I build a new Intel system today and install this firmware update will I see the supposed performance penalty? Would I be better off waiting for the next series of Intel chips that has the fix baked into the silicon?
The updates have to make their way to the consumer which will take time. How long who knows.

Everything Intel has announced will likely be minimized the same way for a few years, firmware/microcode from the start. Consumers won't worry about patches and updates. As far as baked into the chip, that will be well down the road. Years at least; you'll be waiting a handful of years minimum for that.
Posted on Reply
#6
londiste
"evernessince said:
If you want to avoid the issue entirely just buy AMD. Meltdown doesn't work on AMD processors and they are only vulnerable to 1 variant of spectre, of which has already been patched and doesn't carry a performance penalty. Heck, Zen+ is coming out next month.
Well, Meltdown is irrelevant to this thread that is about Spectre patches. AMD says they are vulnerable to both Spectre variants and we have not yet seen AMD's promised microcode updates, or whether these have a performance penalty. Zen+ is as vulnerable as Zen when it comes to Spectre.
Posted on Reply
#7
Axaion
"Users of other Intel architectures will still have to wait a while longer before updates for their systems are certified by Intel, distributed to industry partners, and then trickle to end users via firmware updates."

Meaning: "Good luck, you're on your own, thanks for the money though."
Posted on Reply
#8
mab1376
"Da_SyEnTisT said:
Every Gigabyte board with a BIOS release after 2018/01/10 has the same "CPU Microcode" description AND includes the first buggy Spectre microcode update.

In fact Gigabyte was pretty quick with the update, they just wrote a bad description.

Now let's see how much time before they release the new microcode.
I have it installed on my Gigabyte board and didn't see much of a performance hit or reboots.

My HP Folio 1040 G2 laptop, on the other hand, reboots a few times a week after the patch.

Corporate IT security apps like DLP seem to suffer the most from it in my experience.
Posted on Reply
#9
R-T-B
"evernessince said:
of which has already been patched
Spectre needs microcode fixes. To my knowledge, this is the first bug-free complete fix for it. Yet to see AMD's promised microcode...
Posted on Reply
#10
evernessince
"londiste said:
Well, Meltdown is irrelevant to this thread that is about Spectre patches. AMD says they are vulnerable to both Spectre variants and we have not yet seen AMD's promised microcode updates, or whether these have a performance penalty. Zen+ is as vulnerable as Zen when it comes to Spectre.
Spectre and Meltdown were found as twins and this is a security patch post, so it very well is relevant. If it wasn't relevant you wouldn't feel the need to take a swipe at my post, you could have safely ignored it.

AMD is only theoretically vulnerable to one of the two Spectre variants, and I say that because even AMD engineers have yet to exploit it on their processors.

https://www.amd.com/en/corporate/speculative-execution

"Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date."

"R-T-B said:
Spectre needs microcode fixes. To my knowledge, this is the first bug-free complete fix for it. Yet to see AMD's promised microcode...
First, no, neither Spectre variant requires a microcode fix.

"We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue. "

https://www.amd.com/en/corporate/speculative-execution

AMD has released OPTIONAL micro-code updates, and they are optional because AMD itself hasn't been able to show it is vulnerable to variant 2

"AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC"

Here's an official statement from ASRock

"Please refer to the AMD's announcement from following link.
https://www.amd.com/en/corporate/speculative-execution
The customer needs to software/OS update.
It does not affect the BIOS of the AMD motherboard.
Thank you
ASRock America Support Team"

Can't get any clearer than that. I really wish people would look this up before spreading misinformation.
Posted on Reply
#11
R-T-B
"evernessince said:
Can't get any clearer than that. I really wish people would look this up before spreading misinformation.
That's for AMD where they fully claim to be less vulnerable. This post is for Intel.

They are simply going to distribute the microcode patches via Windows Update, someday, at any rate. That's what they mean by "OS patch." The microcode is still needed. Run InSpectre on any AMD PC post meltdown patch if you do not believe me.
Posted on Reply
#12
londiste
"evernessince said:
Spectre and Meltdown were found as twins and this is a security patch post, so it very well is relevant. If it wasn't relevant you wouldn't feel the need to take a swipe at my post, you could have safely ignored it.
They were found as twins. When it comes to mitigation though, that is different for both of them as well as for the Spectre variants. As you noted, AMD CPUs are not vulnerable to Meltdown and need no patches for it. Intel CPUs do. These are the KPTI patches for Linux and similar patches for MacOS/Windows. Microcode updates (what this news/thread is about) have nothing to do with Meltdown. Microcode patches are for Spectre 2.

"evernessince said:
AMD is only theoretically vulnerable to one of the two spectre variants and I say that because even AMD engineers have yet to exploit it on their processors.
https://www.amd.com/en/corporate/speculative-execution
"Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date."
That was their initial statement. I would like to point out wording there. "Near zero risk" is quite an interesting phrase when it comes to security issues and there are examples from the past where this has come back to bite companies in their asses.

However, you might want to read the statement update from a week later - 11th. I copy-pasted this directly from your link:
• Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
  • We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.
  • Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft's website.
  • Linux vendors are also rolling out patches across AMD products now.
• GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
  • While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
  • AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements.
  • Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of "return trampoline" (Retpoline) software mitigations.

"evernessince said:
First, no, neither Spectre variant requires a microcode fix.
The second one does. Intel's broken microcode updates saga has all been about this exact Spectre 2 mitigation. AMD states (in their statement quoted above from the link you provided; also, you say it does yourself in the quote below) that it will release microcode fixes for Spectre 2. I am not sure why you claim it is different.
"evernessince said:
AMD has released OPTIONAL micro-code updates, and they are optional because AMD itself hasn't been able to show it is vulnerable to variant 2
"AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC"
That optional part might be interesting. Linus was very annoyed with Intel when their patches had the apparent intent of defaulting Spectre mitigation to being turned off. Now AMD officially says their microcode updates are optional...
Posted on Reply
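The comment above draws the line that matters for a defender: Meltdown is handled by an OS change (KPTI), Spectre v1 by compiler/kernel changes, and Spectre v2 by retpoline plus, on many parts, the IBRS/IBPB/STIBP controls that only appear after a microcode update. The Linux kernel reports exactly which of these is active per issue under /sys/devices/system/cpu/vulnerabilities/, which is the quickest way to settle the "do I have the microcode or only the OS patch" question without a third-party tool. The script below is an added example written for this thread, not code from the article, Intel or AMD; the sample status lines are constructed (modelled on the kernel's wording, not captured from a real machine) so the parser can be exercised on a system that lacks that sysfs directory, and the split into "OS/compiler only" versus "microcode + OS" is this example's own classification.

```python
"""Summarize the Linux kernel's speculative-execution mitigation report
(added example for this thread; not code from the article, Intel or AMD).

Since kernel 4.15 there is one file per issue under
/sys/devices/system/cpu/vulnerabilities/, each holding a single line such as
"Not affected", "Vulnerable", or "Mitigation: PTI". The real files are read
when present; otherwise the constructed samples below are used.
"""
import re
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Control bits that existing CPUs only gained through a microcode update; a
# mitigation naming them is the microcode-plus-OS kind the thread argues about,
# while PTI (Meltdown) and retpoline (Spectre v2) are OS/compiler-only changes.
MICROCODE_CONTROLS = {"IBRS", "IBPB", "STIBP", "IBRS_FW"}

# Constructed samples (not captured from a real machine), modelled on the
# kernel's wording: a box that is fully mitigated and not affected by Meltdown,
# and one on an older kernel with no effective Spectre v2 / Meltdown mitigation.
SAMPLE_MITIGATED = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def parse_status(text):
    """Parse one sysfs line into state / mitigation / details / microcode flag."""
    line = text.strip()
    result = {"state": "unknown", "mitigation": None, "details": [],
              "uses_microcode_control": False}
    if line == "Not affected":
        result["state"] = "not_affected"
        return result
    # Everything after the first colon is free-form detail, separated by , or ;
    head, _, rest = line.partition(":")
    details = [d.strip() for d in re.split(r"[,;]", rest) if d.strip()]
    if head == "Vulnerable":
        result.update(state="vulnerable", details=details)
    elif head == "Mitigation" and details:
        result.update(state="mitigated", mitigation=details[0], details=details[1:])
        tokens = set(re.findall(r"[A-Za-z_]+", " ".join(details[1:])))
        result["uses_microcode_control"] = bool(tokens & MICROCODE_CONTROLS)
    else:
        result["details"] = [line]  # unfamiliar wording: keep it, flag unknown
    return result


def summarize(statuses):
    """Parse a mapping of issue name -> sysfs line."""
    return {name: parse_status(line) for name, line in statuses.items()}


def unmitigated(statuses):
    """Issue names the kernel reports as vulnerable or in an unknown state."""
    return sorted(name for name, p in summarize(statuses).items()
                  if p["state"] in ("vulnerable", "unknown"))


def read_sysfs(directory=SYSFS_DIR):
    """Read the real files if this kernel exposes them, else return None."""
    if not directory.is_dir():
        return None
    return {f.name: f.read_text() for f in directory.iterdir() if f.is_file()}


def report(statuses):
    """One human-readable line per issue, naming which layer does the work."""
    lines = []
    for name, p in sorted(summarize(statuses).items()):
        layer = ("not needed" if p["state"] == "not_affected"
                 else "microcode + OS" if p["uses_microcode_control"]
                 else "OS/compiler only" if p["state"] == "mitigated"
                 else "NONE")
        extra = ", ".join(p["details"])
        lines.append(f"{name:<12} {p['state']:<13} layer={layer:<16} "
                     f"{p['mitigation'] or ''} {extra}".rstrip())
    return lines


if __name__ == "__main__":
    live = read_sysfs()
    statuses = live or SAMPLE_MITIGATED
    print("[live sysfs]" if live else "[constructed sample]")
    for line in report(statuses):
        print(line)
    print("unmitigated:", unmitigated(statuses) or "none")
```

On a real machine the "microcode + OS" label for spectre_v2 tells you the kernel found IBPB/IBRS and is using them, which can only happen after the vendor's microcode has been loaded (by firmware or by the OS at boot); "OS/compiler only" means retpoline is doing the work and no microcode controls were detected.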
#13
evernessince
"londiste said:
They were found as twins. When it comes to mitigation though, that is different for both of them as well as for the Spectre variants. As you noted, AMD CPUs are not vulnerable to Meltdown and need no patches for it. Intel CPUs do. These are the KPTI patches for Linux and similar patches for MacOS/Windows. Microcode updates (what this news/thread is about) have nothing to do with Meltdown. Microcode patches are for Spectre 2.

That was their initial statement. I would like to point out wording there. "Near zero risk" is quite an interesting phrase when it comes to security issues and there are examples from the past where this has come back to bite companies in their asses.

However, you might want to read the statement update from a week later - 11th. I copy-pasted this directly from your link:

The second one does. Intel's broken microcode updates saga has all been about this exact Spectre 2 mitigation. AMD states (in their statement quoted above from the link you provided; also, you say it does yourself in the quote below) that it will release microcode fixes for Spectre 2. I am not sure why you claim it is different.
That optional part might be interesting. Linus was very annoyed with Intel when their patches had the apparent intent of defaulting Spectre mitigation to being turned off. Now AMD officially says their microcode updates are optional...
AMD says the microcode patches are optional because there are no known exploits that can take advantage of it on AMD processors themselves, even when AMD tried to hack its own processors. Those patches are merely insurance just in case more advanced methods are discovered in the future, in which case AMD would already be covered.

But in any case, semantics of this whole security debacle aside, the performance impact on AMD processors is little to none (<1%).

"I am not sure why you claim it is different."

I'm not claiming anything different, I'm fricking quoting an official statement from one of AMD's motherboard vendors explicitly stating that BIOS updates are not needed.

"R-T-B said:
That's for AMD where they fully claim to be less vulnerable. This post is for Intel.

They are simply going to distribute the microcode patches via Windows Update, someday, at any rate. That's what they mean by "OS patch." The microcode is still needed. Run InSpectre on any AMD PC post meltdown patch if you do not believe me.
I just did and guess what, my AMD test rig is protected. Once again, I wish people would stop spreading false information.
Posted on Reply
#14
R-T-B
"evernessince said:

I just did and guess what, my AMD test rig is protected. Once again, I wish people would stop spreading false information.
No offense, but you just screenshotted the website. Run the utility.

There are example exploits out for AMD Spectre variant 2 right now, btw.

"evernessince said:
Once again, I wish people would stop spreading false information.
I think we all want the same thing then.
Posted on Reply
#15
RichF
"londiste said:
Well, Meltdown is irrelevant to this thread that is about Spectre patches.
You may want to notify the OP:
In another step of our Spectre/Meltdown odyssey
Posted on Reply