AMD will issue optional Ryzen and Epyc microcode updates for Spectre

Now that CES is winding down, attention is returning to the response to the major vulnerabilities caused by oversights in the way speculative execution is handled in most modern processors. Yesterday, AMD's Senior VP and CTO Mark Papermaster wrote the company's first response to the developing problem since January 3. Google's Project Zero (GPZ) divided Meltdown and Spectre into three different classes of attack, and Papermaster laid out AMD's planned response to each. Most notably, the company will issue microcode updates for Ryzen and Epyc CPUs as a preventive measure against one of the Spectre variants.

AMD's chips are vulnerable to GPZ Variant 1 (Spectre, Bounds Check Bypass). The company believes this issue can be solved with operating system patches. The chip design firm says that Microsoft is distributing patches to the majority of AMD-powered systems already, and that problems with the patches on older Opteron, Athlon, and Turion X2 systems will be resolved by next week. The company says Linux vendors are distributing patches to their users, as well.

Things are a little different when it comes to the GPZ Variant 2 vulnerability (Spectre, Branch Target Injection). On January 3 the company said:

"Differences in AMD architecture mean there is a near-zero risk of exploitation by this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date."

The company now says that while it thinks that GPZ Variant 2 is difficult to exploit on its chips, it'll still work with its partners to release microcode updates and OS patches to mitigate the vulnerability. AMD plans to issue optional microcode updates for its current Ryzen and Epyc chips this week, and expects to have patches for previous-generation products "in the coming weeks." The updates will reach end users through system providers and OS vendors. AMD will work with Microsoft to determine the appropriate timing for distributing Windows updates. Linux vendors are already distributing patches, and AMD says it's working with the Linux community to develop "return trampoline" software mitigations.

AMD still maintains that its processors are not vulnerable to the GPZ Variant 3 exploit (Meltdown, Rogue Data Cache Load) and that no updates are needed to protect systems from it.

Papermaster also notes that the company's Radeon GPUs do not use speculative execution and that no updates to its graphics drivers or associated software are necessary. He concludes the update by remarking that AMD will continue to work with the rest of the technology industry to mitigate Meltdown and Spectre.

Comments closed
    • ronch
    • 2 years ago

    Just a thought, guys. It seems everyone’s scrambling to patch these security holes and the performance of computers everywhere will generally be impacted. Could this be a coordinated effort to make everyone’s computers slower so everyone will have more reason to upgrade?

      • just brew it!
      • 2 years ago
      • K-L-Waster
      • 2 years ago

      If you were going to go to the trouble of coordinating something like that, you would also go to the trouble of coordinating it with the release of your brand new hawtness that would just *happen* to be immune….

    • mcarson09
    • 2 years ago

    After AMD lying about not being vulnerable, do you still trust them to have your interests at heart? Even ARM chips are at risk because it’s the way they are designing the chips. I expect better out of TR so I’ll just post it.

    https://www.techpowerup.com/240575/amd-confirms-they-are-affected-by-spectre-too

    Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors. We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue. Microsoft is distributing patches for the majority of AMD systems now. We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Opteron, Athlon and AMD Turion X2 Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week. For the latest details, please see Microsoft's website. Linux vendors are also rolling out patches across AMD products now.

    GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors. While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat. AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week. We expect to make updates available for our previous generation products over the coming weeks. These software updates will be provided by system providers and OS vendors; please check with your supplier for the latest information on the available option for your configuration and requirements. Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of "return trampoline" (Retpoline) software mitigations. [...]

    Mark Papermaster, Senior Vice President and Chief Technology Officer

      • bhtooefr
      • 2 years ago

      …where did AMD lie about not being vulnerable?

      They said they weren’t vulnerable to the thing that KPTI dealt with, which turned out to be Meltdown. They appear to not be vulnerable to that – AFAIK the only known CPUs that are are most Intel CPUs from 1996 on, and the ARM Cortex-A75.

    • ronch
    • 2 years ago

    What about FX and older Phenom chippers?

      • just brew it!
      • 2 years ago

      I would guess that they are vulnerable to Spectre but not Meltdown. But like I said, that’s just a guess.

    • ronch
    • 2 years ago

    How will AMD roll the update? I suppose they’ll give it to board makers who will then incorporate them in their boards’ BIOSes thus requiring users to flash their BIOS? And by being optional, does this mean users can toggle the fix somewhere? Is this how it works? Or by optional does it mean board makers are given the option to incorporate it or not?

      • just brew it!
      • 2 years ago

      Linux can apply microcode updates during OS boot if they have been packaged for your distro. Not sure if Windows has a similar mechanism (I would assume so).

        • fyo
        • 2 years ago

        Yes, Windows has the same mechanism. However MS has decided not to provide the Intel microcode updates. AMD simply says that microcode updates will be provided by “system providers and OS vendors”.

    • albundy
    • 2 years ago

    how about microcode for higher ram speed support instead.

      • NovusBogus
      • 2 years ago

      The key word here is Epyc. To date there are no known general attack vectors in play so for the typical consumer all of these mitigation patches are probably nice to have but not essential. But server land is very different, because they get specifically targeted by the serious bad guys for whom one-off exploits are common practice. They’ve had their hair on fire for weeks because a competent server administrator simply can’t afford to leave a hole like this open. After all, it’s not paranoia if everyone really is out to get you.

      Plus, I suspect the drubbing they’ve gotten as a consequence of their initial “lol Intel sux AMD roolz” position has convinced the higher ups to be less cavalier about hardware security. An attitude which they will need, because this is just the first of many hardware level exploits that will come out over the next few years.

      • just brew it!
      • 2 years ago

      Addressing security holes should take priority over catering to the needs of overclockers.

      • Bauxite
      • 2 years ago

      B-die, also you can find those on ECC and have your cake too

      • freebird
      • 2 years ago

      That is a feature of the X470 chipset coming in April.

      “The X470 motherboards should support up to DDR4-4000 after overclocking, which is a solid improvement over the 300-Series motherboards.”

      http://www.tomshardware.com/news/gigabyte-amd-zen-x470-motherboard,36309.html

      I can already run my 16GB x 4 G3000 CL14 at 3200 with CL14 on my X370 Asrock, which is plenty good enough for me.

        • just brew it!
        • 2 years ago

        Not entirely clear whether that’s a feature of the chipset, or the Zen+ CPUs. I’m leaning towards the latter, since that’s where the memory controller is.

    • eloj
    • 2 years ago

    Is there even support infrastructure in place to disable specific change sets in a microcode bundle before loading it (like from firmware or the kernel)?

    The alternative is that microcode updates have now forked, so that you can get future updates without the Spectre fixes.

    If not, I’m confused by the addition of ‘optional’ to the title and text.

      • Gadoran
      • 2 years ago

      Apparently professional Linux users can disable it at their own risk.
      Under Windows I doubt Microsoft will give you the option to disable it, the only “option” is to disable the updates without receiving any future assistance from MS.

    • chuckula
    • 2 years ago

    Some people think AMD might be vulnerable to variant 2.

    But I think that’s just *speculation*.

      • BobbinThreadbare
      • 2 years ago

      damn, you deserve the thumbs up for this

        • Gadoran
        • 2 years ago

        Still he was clearly sarcastic and AMD don’t deserve this, come on, they are “immune” from everything you know this. Intel have to die now.

          • ColeLT1
          • 2 years ago

          You know this, I know this, a s***hole chip. /s

    • johnrreagan
    • 2 years ago

    Will this push AMD to add PCID support?

      • Gadoran
      • 2 years ago

      PCID is an instruction that helps to mitigate Meltdown… if (big if) I am correct, obviously.

        • just brew it!
        • 2 years ago

        It’s not an instruction per se; it is additional context information which is incorporated into the TLB entries, which reduces the performance penalty of the Meltdown mitigation by eliminating the need for a full TLB flush when system calls occur.

      • just brew it!
      • 2 years ago

      I believe they already have something similar, called ASID. Not sure if it is 100% equivalent, or if the current mitigation patches use it.

    • Gadoran
    • 2 years ago

    Wonder who pressed AMD to do this. Microsoft or Linux world?
    After all, even ARM was cautious about Variant 2, doing patches and saying that nearly all its CPUs are virtually unsecure, even if not demonstrated.

      • stefem
      • 2 years ago

      If not their PR department, it was probably their legal department
