Spectre- and Meltdown-hardened Intel CPUs will arrive later this year

As part of its earnings call yesterday, Intel CEO Brian Krzanich shared some of the measures the company is taking to harden its chips against the Spectre and Meltdown attacks. Krzanich says that the company "is working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware," and he promises that the first products with those mitigations "will begin appearing later this year."

It's important to note that Krzanich describes the company's work on Meltdown and Spectre in both software and hardware as "changes" and "mitigations," not "fixes." That's because similar, as-yet-undiscovered or as-yet-unexploited microarchitectural attacks could still arise in products as complicated as modern CPUs, as noted by one of the original publications regarding the Spectre attack. It's improbable that future Intel products could be made immune to such attacks in such a short time frame.

In the meantime, Intel is continuing to work with its partners to provide firmware and software updates for existing systems to mitigate Meltdown and Spectre, and it's set up a dedicated portal for affected users to keep track of the latest news regarding those efforts. Whether those fixes will extend to any of the oldest affected systems remains to be seen—I'm still waiting on firmware updates for some of the most recent systems in the TR labs as it stands—but we can hope.

Comments closed
    • Dygear
    • 2 years ago

    This sounds like a pretty good reason for them to DOCUMENT THEIR ENTIRE INSTRUCTION SET. This security through obscurity bullshit has got to go.

      • just brew it!
      • 2 years ago

      The instruction set *is* fully documented. This was a "side channel" attack. Unintended consequences. An attacker has to execute a meticulously crafted sequence of operations, observing how that affects the timing of subsequent operations, and use that timing information to indirectly infer the contents of memory locations they should not have been able to read. It's really a very clever attack.

    • Lord.Blue
    • 2 years ago

    I can’t even begin to fathom the amount of e-waste this is going to generate due to people upgrading their systems, throwing out CPUs, Mainboards, RAM, etc…

    • ronch
    • 2 years ago

    In the meantime, folks who can’t wait may contact Intel for a free tinfoil hat.

      • willmore
      • 2 years ago

      That might be a more effective mitigation than what they’ve released so far. 😉

      • just brew it!
      • 2 years ago

      I wonder how many customers will put off planned upgrades waiting for the “fixed” CPUs? If the answer is “a lot”, maybe you could get a silicon hat, made from surplus wafers of Meltdown-susceptible CPUs! 😉

      TBH I figure the people holding off planned upgrades will be offset by people wanting to upgrade to something that doesn’t take as big of a performance hit from the microcode/software mitigation, so it’ll probably be close to a wash.

        • willmore
        • 2 years ago

        I think the datacenter will show this the most. They’re generally on very fixed (budgetary cycle) schedules for purchases. If Intel doesn’t have a product, then they have to buy what they can get and that’s currently AMD.

        This might be the ‘toe in the door’ that AMD needed.

      • Prestige Worldwide
      • 2 years ago

      Or join the class-action of their choosing 🙂

    • tipoo
    • 2 years ago

    I wonder if they’ll just switch to the AMD method where less privileged code can’t speculatively execute in privileged memory, in the short term. In theory not totally immune, but makes an exploit very very hard.

      • Klimax
      • 2 years ago

      According to a former Intel engineer that shouldn’t be happening in Intel’s CPU either. (Load should be rejected far sooner)

      https://www.moesif.com/blog/technical/cpu-arch/What-Is-The-Actual-Vulnerability-Behind-Meltdown/

      And Linus seems to concur that the fix shouldn't be too problematic: https://www.realworldtech.com/forum/?threadid=174129&curpostid=174150

        • freebird
        • 2 years ago

        Linus also thinks Intel Management is INSANE for the FIX that they are planning…
        as the article here:
        https://www.theregister.co.uk/2018/01/22/intel_spectre_fix_linux/ states... "Rather than preventing abuse of processor branch prediction by disabling the capability and incurring a performance hit, Chipzilla's future chips – at least for a few years until microarchitecture changes can be implemented – will ship vulnerable by default but will include a protection flag that can be set by software." So we have people on here that must know more than Linus Torvalds with the down voters on here... https://lkml.org/lkml/2018/1/21/192

          • tay
          • 2 years ago

          Haha Linus, never change!

          • Anonymous Coward
          • 2 years ago

          Few people combine knowledge, intelligence and the will to speak like Linus. Also it helps that it would take him dunno 15 minutes to gain new employment if he got in trouble with someone who pays the bills.

    • the
    • 2 years ago

    Hardened against Meltdown is feasible as there are already plenty of CPUs out there that are seemingly immune to it but Spectre is going to the be tough one to conquer.

    One of these chips should be Cascade Lake as it would be crazy to launch a new server chip with that vulnerability intact. Whisky Lake is the big variable in my mind as that snuck into Intel’s road map in the fall.

    Ice Lake is still looking to be a 2019 part so if they’re able to get Cascade Lake out this year with the fixes, then I would fathom Ice Lake has them as well.

      • Anonymous Coward
      • 2 years ago

      So, how about going back to in-order and many-threads for enterprise hardware? They must be able to get the throughput they need for a big slice of server workloads. If OoO can no longer be trusted, with expectations of new exploits, I don’t see a secure alternative.

    • MadManOriginal
    • 2 years ago

    So are we going to see a TR article of before and after the patch? The theoretical worst-case -30% scenarios aren’t very realistic, and certainly not for desktop single-user scenarios afaik.

      • Voldenuit
      • 2 years ago

      Bapco Sysmark System Responsiveness Test: 23% hit on Broadwell (https://www.pcworld.com/article/3250645/laptop-computers/how-meltdown-and-spectre-patches-drag-down-older-hardware.html). Photoshop Blur Filter: 19% slower on Broadwell (https://www.techspot.com/article/1563-laptop-performance-meltdown-and-spectre/page2.html). MATLAB Simulation workload: 15% slower on Broadwell (https://www.techspot.com/article/1563-laptop-performance-meltdown-and-spectre/page2.html). There are a lot of workloads where performance impact is minimal or negligible, but when it hurts, it can hurt.

        • Gadoran
        • 2 years ago

        Skylake users look very happy apparently.

    • Glorious
    • 2 years ago

    My problem here is that they claimed the firmware patches (which they already withdrew) made previous chips “immune”.

    Of course, they didn’t do that, and as of right now, new ones without spontaneous reboots aren’t available anyway.

    I am dubious, to say the least (echoing DPete27)?

      • Gadoran
      • 2 years ago

      Not that AMD is in a better situation; they don’t even have a real solution to one Spectre vulnerability. They are working on it, but nothing is out yet.

        • just brew it!
        • 2 years ago

        Mitigating Spectre properly on existing CPUs also requires patches to compilers and web browsers. These things are not under Intel’s or AMD’s control.

    • DPete27
    • 2 years ago

    Given their “unsuccessful” attempts at producing a decent software/firmware patch, I’m hesitant to trust them to make unflawed changes in silicon in such short time.

      • dragosmp
      • 2 years ago

      They knew this for 7 months.

      Intel is more capable to build good hardware than good software. Just look at the state of their graphics drivers.

      If they release something in June, they would have had 1 year to do a silicon spin and page the TLB or something. More than doable.

    • MadManOriginal
    • 2 years ago

    Just FYI for people as a followup to a previous question I had – Coffee Lake was confirmed to be affected by reboot bugs in the initial microcode updates.

    • notfred
    • 2 years ago

    > Whether those fixes will extend to any of the oldest affected systems remains to be seen—I'm still waiting on firmware updates for some of the most recent systems in the TR labs as it stands—but we can hope.

    So I guess I'm out of luck in terms of a microcode update for my Core 2 Quad 6600?

      • DancinJack
      • 2 years ago

      Almost assuredly.

      • Smeghead
      • 2 years ago

      That depends.

      If you look at the download page for Intel’s Linux microcode updates, the applicable product list is enormous, spanning hundreds of CPUs all the way back to the Pentium Pro:

      https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?product=873

      I don't know how far back Intel have patched for Meltdown, but your Q6600 is on the list, and under Linux (and Windows - more in a sec), can have its microcode patched without touching the BIOS.

      Linux's microcode update feature is quite interesting, and in many ways, blows my tiny little mind. Instead of requiring a BIOS update, the kernel can take microcode from files and apply the updates to a running system. That really bakes my noodle: you can update the microcode on a running system without taking the system down.

      Anyway, this is all non-volatile. When the system is rebooted, the CPU goes back to whatever's baked into the BIOS, or failing that, the hardcoded version in the CPU itself. The kernel applies the update each time it boots. It's quite a nice system, as you don't have to hunt around for BIOS updates for a bunch of different machines and flash them all - you can do this regardless of motherboard manufacturer, etc. What's come in doubly useful in this case is that, in the case of updated microcode being bad, the microcode in the files can be tossed, the system rebooted, and things are back to the way they were previously.

      Windows (as of Win7) has a similar mechanism; microcode is delivered via Windows Update, and the kernel applies the microcode on each boot. For example: https://support.microsoft.com/en-us/help/3064209/june-2015-intel-cpu-microcode-update-for-windows

      However, to date, Microsoft has refused to provide microcode updates for Meltdown via this mechanism; they were claiming stability problems with the microcode in place, and in hindsight, it looks like they were right. Once Intel gets their shit together, Microsoft will likely supply the fixed microcode via Windows Update, and your Q6600 will get its update that way. However, if MS decides to stick to their guns and not provide an update, then there are options.

      For example (I haven't personally tried this), VMware has a thingy for Windows that can take the Linux microcode and apply it. The driver is apparently signed by VMware, so it plays nice on modern systems. However, there are some comments that it no longer works as of build 17074, so it might not be usable: https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver

      Personally, if MS doesn't end up providing an update, then I'll be looking at this sort of thing; my Windows machine at home is a 4770K, so there's no way that'll ever get a BIOS update.

        • Glorious
        • 2 years ago

        I don’t know what the ubuntu maintainers know, but before they reverted (new package version, but the pre-2018-01-08 firmware drop, hilariously named “+really20170707” LOL) the intel-microcode package, haswell got it, but ivy-bridge didn’t.

        Without looking any deeper, that directly accords with what people were claiming even before the original 20180108 package dropped: “Ivy-bridge and older get nothing”

          • Ninjitsu
          • 2 years ago

          Ivy Town did, Bridge didn’t.

        • notfred
        • 2 years ago

        Thanks but I was joking 🙂

        More seriously though, I’m running Linux on it and it has an up to date kernel so it is at least mitigated against Meltdown.

        If you are interested in the microcode update mechanism see http://inertiawar.com/microcode/

        Basically the OS loads the appropriate binary blob (based on CPUID) into memory and then tells the processor where to get it from (writes the address to a Model Specific Register). The processor actually pauses all the operations when it is loading the microcode and then runs with the new microcode.
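The selection step notfred describes above (pick the blob that matches the CPU, then hand it to the processor) as an added Python example; this is not code from the comment thread, from Intel or from the Linux microcode loader. It parses the documented 48-byte Intel microcode update header, refuses any update whose dword checksum does not sum to zero, and returns the newest revision matching a given CPUID signature and platform ID. The signatures, revisions and payload bytes in the sample container are constructed test data, not real updates.

```python
import struct

# Intel microcode update header: nine little-endian dwords plus 12 reserved
# bytes (48 bytes), as documented in the Intel SDM vol. 3 (microcode update).
HDR = struct.Struct("<IIIIIIIII12x")
HDR_SIZE = HDR.size  # 48

def dword_checksum(blob):
    """Sum of every 32-bit word of an update mod 2^32; valid updates sum to 0."""
    return sum(struct.unpack("<%dI" % (len(blob) // 4), blob)) & 0xFFFFFFFF

def build_update(signature, platform_flags, revision, data):
    """Assemble a synthetic update (test data only) whose checksum verifies."""
    total = HDR_SIZE + len(data)
    hdr = HDR.pack(1, revision, 0x01082018, signature, 0, 1,
                   platform_flags, len(data), total)
    body = hdr + data
    fix = (-dword_checksum(body)) & 0xFFFFFFFF  # checksum field is at offset 16
    return body[:16] + struct.pack("<I", fix) + body[20:]

def parse_updates(container):
    """Walk a concatenated microcode file, yielding (header fields, raw update)."""
    off = 0
    while off + HDR_SIZE <= len(container):
        f = HDR.unpack_from(container, off)
        total = f[8] or 2048          # a zero total size means the legacy 2048 bytes
        upd = container[off:off + total]
        yield {"rev": f[1], "sig": f[3], "flags": f[6], "total": total}, upd
        off += total

def select_update(container, cpu_signature, platform_id):
    """Return the newest update matching CPUID(1).EAX and the platform-ID bit
    (bits 52:50 of IA32_PLATFORM_ID), skipping any whose checksum fails."""
    best = None
    for hdr, upd in parse_updates(container):
        if hdr["sig"] != cpu_signature or not (hdr["flags"] >> platform_id) & 1:
            continue
        if dword_checksum(upd) != 0:
            continue                  # corrupt or tampered: never hand this to the CPU
        if best is None or hdr["rev"] > best["rev"]:
            best = hdr
    return best

# Constructed sample container: two revisions for one CPU (signature/platform
# values are illustrative), plus an update for a different signature.
SAMPLE = (build_update(0x000306C3, 1 << 2, 0x25, b"\x11" * 16)
          + build_update(0x000306C3, 1 << 2, 0x24, b"\x22" * 16)
          + build_update(0x000006FB, 1 << 0, 0x1F, b"\x33" * 16))

if __name__ == "__main__":
    print(select_update(SAMPLE, 0x000306C3, 2))   # newest valid match: rev 0x25
```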

      • Peter.Parker
      • 2 years ago

      Didn’t Intel send you a copy on floppy disk in the mail?

        • chuckula
        • 2 years ago

        Oh please, Intel is WAY more advanced than that in 2018.

        They have an 800 number for their BBS and I hear you can even use 28K download speeds.

          • Voldenuit
          • 2 years ago

          I hear their geocities page has flashing fonts and references to the “realultimatepower” of intel CPUs.

            • UberGerbil
            • 2 years ago

            http://www.somethingawful.com/hosted/jeffk/

            • K-L-Waster
            • 2 years ago

            … plus a link to zombo.com

          • Ummagumma
          • 2 years ago

          Oh please, Intel is WAY more advanced than that in 2018.

          They have an 800 number for their BS and I hear you can even use 28K download speeds.

          TFTFY

    • chuckula
    • 2 years ago

    > Krzanich says that the company "is working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware," and he promises that the first products with those mitigations "will begin appearing later this year."

    Here's the official plan leaked to the press for the first time ever:
    1. Wait for RyZen+ to launch.
    2. Buy them all up.
    3. Rebadge & markup by 50%.
    4. THERE IS NO STEP FOUR!

      • Mr Bill
      • 2 years ago

      Have an upthumb for making me laugh.

    • DancinJack
    • 2 years ago

    Soooooooo I guess this is Cascade Lake? Almost has to be.

    If they really get these out, in quantity, this year I’ll be fairly impressed. Even if you consider they found out about this in June/July 2017, that’s still a pretty decent turnaround for hardware changes to make it into a commercial product in <=18 months.

      • chuckula
      • 2 years ago

      I think we may have at least a part of the reason for why 10nm has been delayed from late 2017 (after Intel would have had an idea about these bugs) even farther into 2018. They are going back to put in fixes on 10nm before the products launch.

        • tay
        • 2 years ago

        Your theory is awfully generous to intel.
