Intel has microcode updates for modern CPUs and fixed silicon for late 2018

Back in January, Intel's CEO Brian Krzanich wrote an open letter promising speedy Spectre and Meltdown patches. He later remarked that the company's first products to "address the Spectre and Meltdown threats in hardware" would show up this year. Today, Krzanich authored a blog post that says the company has microcode updates ready for all of its products released in the past five years, and that CPUs with "hardware-based protection" for the security flaws will launch toward the end of 2018.

Those microcode updates cover every one of the company's processors back to the launch of the Haswell family in 2013. It's worth noting that Intel's also cooking up microcode updates for CPUs as old as 2007's Conroe series. Unfortunately, not every system will necessarily get Intel's updated microcode as a firmware update from its manufacturer. Intel has a whole site dedicated to helping users deal with Meltdown and Spectre, and down the page a bit there's a list of manufacturers with links to their own pages about the flaws.

The upcoming chips with hardware-based protection against Meltdown and Spectre include the next generation of Xeon Scalable processors (code-named Cascade Lake) as well as another run of eighth-generation Core CPUs. In the blog post, Krzanich tacitly admits that the Spectre Variant 1 vulnerability won't be fixed by updated hardware and will "continue to be addressed via software mitigations." That's not really a surprise given the nature of the flaw, as it exploits fundamental concepts in modern microprocessor design. Intel doesn't say exactly what it's done to help mitigate Meltdown and Spectre in the upcoming CPUs, but Krzanich notes that the company "redesigned parts of the processor to introduce new levels of protection through partitioning."

Between the Spectre and Meltdown multi-vendor vulnerabilities and the claimed security issues in AMD's chipsets, it's reasonable to say that 2018's shaping up to be an interesting year indeed.

Comments closed
    • Kougar
    • 2 years ago

    For all this talk of Haswell I’ve yet to see a single ASUS Z97 board receive a BIOS update.

    • maroon1
    • 2 years ago

    So, as long as I avoid this firmware update, there will be no performance impact on my Haswell CPU?!

    Do I also need to avoid updates on Windows 10?! I stopped updating my OS in January because I was afraid of getting this fix for Meltdown. Is it safe to enable updates again?!

    For the last 6 years, my PC never got any virus at all. I don't care about these fixes. As long as you avoid using USB flash drives from people you don't know or downloading and running stuff from unknown sources, your PC will almost never get infected. The Meltdown fix will do more harm for me than good.

      • Vaughn
      • 2 years ago

      lol for any of the kids reading don’t do this ^^^^^^

      • arunphilip
      • 2 years ago

      "For last 6 years, my PC never got any virus at all. I don't care about these fixes. As long you avoid using USB flash from people you don't know or downloading stuff and running stuff from unknown source, your PC will almost never get infected. The meltdown fix will do more harm for me than good"

      Since you clearly have a better handle on security than most of us do, I don't think we're really qualified to help you with your questions below:

      "So, as long as I avoid this firmware update, there will be no performance impact on my haswell CPU ?! Do I need also to avoid updates on windows 10 ?! I stopped updating my OS since January because was afraid to get this fix for meltdown. It is safe to enable updates again ?!"

      • Klimax
      • 2 years ago

      You ain’t getting more secure by ignoring security updates…

      • jihadjoe
      • 2 years ago

      Do you also forgo seeing the doctor/dentist and just hope you don’t die/your teeth don’t fall off?

        • conjurer
        • 2 years ago

        Well, if you use your computer only for gaming, why not? If you pirate games, you have absolutely nothing to lose, and if you have a Steam account, they have e-mail confirmations for logins, so as long as your email is accessed on another device you are safe even if you are hacked.
        That's why I still use Steam on Windows 6.1, without updates. What can go wrong?

        And yes, I go to the doctor only when I feel sick. And I reinstall Windows when it feels sick. Both rarely happen.

      • TheRazorsEdge
      • 2 years ago

      I work in information security. My job exists because you are wrong.

      "As long you avoid using USB flash from people you don't know or downloading stuff and running stuff from unknown source, your PC will almost never get infected."

      Then why does every browser have arbitrary code patches multiple times per year? And every operating system? What happens if your downloaded files actually came from an unknown source because the web site you trust was compromised?

      Competent malware does not advertise its presence. Only the bottom-tier garbage has a noticeable impact on system performance. You are not clean just because you don't see a problem right now.

        • conjurer
        • 2 years ago

        "Competent malware does not advertise its presence. Only the bottom-tier garbage has a noticeable impact on system performance. You are not clean just because you don't see a problem right now."

        So if you are using your system only for games, and get competent malware, you can get more out of your CPU than from a patched CPU without malware? Part of my last work was information security, and I just don't use Windows (https://imgflip.com/i/26mhnu) for anything except games and movies.

    • flptrnkng
    • 2 years ago

    Have they patched the Asmedia exploits yet?

      • chuckula
      • 2 years ago

      They’ll get right on that after they fix the Spectre exploits in RyZen!

    • DPete27
    • 2 years ago

    Lemme get this straight. All Spectre/Meltdown patches have been OS/software based so far. When microcode updates are available, do you suppose that update will automatically remove the OS patch, or are we going to be double penalized?

      • chuckula
      • 2 years ago

      Meltdown is not patched via microcode and never will be. The newer CPUs starting to come out later this year will fix Meltdown in hardware although the KPTI infrastructure (and Windows/OS X equivalents) that fixes Meltdown will likely remain as an option since it does more than just fix Meltdown.

      Spectre V1 is still going to require software fixes for the foreseeable future and since Spectre V1 affects basically everybody, that’s probably a good thing since you’d need firmware updates from more than just Intel.

      Spectre V2 is apparently being fixed in hardware for new products, although some microcode may be involved too.

        • Mr Bill
        • 2 years ago

        So, hello CTS Labs! It's raining microcode if you have admin privileges!

        • TheRazorsEdge
        • 2 years ago

        While I usually groan internally upon seeing chuckula’s name, I don’t understand why this has a negative rating. He is correct.

        When CPUs arrive with Meltdown fixed in hardware, the OS can run in its performance-optimal state again. You only need KPTI (and its associated performance hit) on machines that are vulnerable to Meltdown.

        Spectre is addressed via a combination of microcode updates and software patches. The microcode updates are created by the CPU or motherboard manufacturer, but they may be distributed by Microsoft if they are certified by Microsoft. Some people may believe Spectre is a software-only fix, but that is not accurate.

      • jihadjoe
      • 2 years ago

      IIRC the OS-level mitigation can and should disable itself if the hardware isn’t vulnerable anymore.

      • bhtooefr
      • 2 years ago

      So, there are two different ways to mitigate Spectre variant 2.

      The first is retpolines, the second is IBRS.

      IBRS is the microcode fix, and requires OS-level support. (Also, Skylake architecture chips need IBRS to have an effective mitigation.)

      My guess is that the fixed silicon may well have IBRS implemented in hardware rather than microcode, especially given how Intel’s implemented IBRS flags.
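As an added example (not code from the article or any commenter), the Python below reads the Linux kernel's sysfs vulnerability report and says whether KPTI is active for Meltdown and whether Spectre v2 is handled by software retpolines, microcode IBRS or enhanced IBRS in hardware, which is the practical check behind DPete27's question about the OS patch and bhtooefr's retpoline/IBRS distinction. The sysfs path and line format are the kernel's own; the two sample reports are constructed, and the script falls back to them when it is not run on a Linux host.

```python
# Added example: classify a Linux host's Meltdown/Spectre posture from sysfs.
import os
import re
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Constructed samples in the kernel's sysfs format (not captured from real hosts):
# a patched older CPU on KPTI + retpolines, and a CPU whose silicon reports Meltdown fixed.
SAMPLE_RETPOLINE_HOST = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
}
SAMPLE_FIXED_SILICON_HOST = {
    "meltdown": "Not affected",
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
}

def parse_status(line):
    """Split one sysfs line into (state, details)."""
    line = line.strip()
    if line.startswith("Mitigation:"):
        return "mitigated", line[len("Mitigation:"):].strip()
    if line == "Not affected":
        return "not_affected", ""
    return "vulnerable", line  # "Vulnerable" or "Vulnerable: <reason>"

def spectre_v2_mechanism(details):
    """Which Spectre v2 fix the kernel chose: retpoline, microcode IBRS or enhanced IBRS."""
    d = details.lower()
    if "ibrs" in d and ("enhanced" in d or "automatic" in d):
        return "eIBRS (hardware)"
    if "retpoline" in d:
        return "retpoline (software)"
    # \b stops "IBRS_FW" (IBRS only around firmware calls) from counting as full IBRS
    if re.search(r"\bibrs\b", d) or "indirect branch restricted speculation" in d:
        return "IBRS (microcode)"
    return "none/unknown"

def classify(report):
    """Summarise a {vuln_name: sysfs_line} mapping; KPTI appears as the Meltdown detail."""
    melt_state, melt_details = parse_status(report.get("meltdown", "Vulnerable"))
    v2_state, v2_details = parse_status(report.get("spectre_v2", "Vulnerable"))
    return {
        "meltdown": melt_state,
        "kpti_active": melt_state == "mitigated" and "PTI" in melt_details,
        "spectre_v2": spectre_v2_mechanism(v2_details) if v2_state == "mitigated" else v2_state,
    }

if __name__ == "__main__":
    live = ({n: open(os.path.join(VULN_DIR, n)).read() for n in os.listdir(VULN_DIR)}
            if os.path.isdir(VULN_DIR) else SAMPLE_RETPOLINE_HOST)
    print(classify(live))
```

On a CPU whose silicon reports Meltdown as fixed, the kernel leaves PTI off on its own, so "kpti_active" comes back False without any manual removal of the OS patch.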

    • pirate_panda
    • 2 years ago

    Yeah, I’m not really looking forward to the “fixes” for my Ivy Bridge system. It’s serving me well for the moment but I’m worried that the performance will noticeably suffer. And right now is a very bad time to build a new PC because of GPU and RAM prices.

      • Concupiscence
      • 2 years ago

      Depending on what you’re doing the performance impact could be negligible. Gaming, there won’t be much change. Wailing on non-sequential I/O or doing that in tandem with virtualization, probably worst-case scenario. Other work will probably be between those two poles. Don’t give in to despair just yet.

      • Krogoth
      • 2 years ago

      They aren’t really necessary for non-mission critical, SMB and enterprise systems.

      The performance hits are mainly in professional-tier workloads or moving tons of data around (not gaming/mainstream workloads).

    • willmore
    • 2 years ago

    Osborne effect?

      • chuckula
      • 2 years ago

      Not really. We were all waiting for RyZen II: Electrical Boogaloo anyway.

        • Neutronbeam
        • 2 years ago

        Okay, I give you a hard time sometimes, but that reference was just outstanding; well done!

    • chuckula
    • 2 years ago

    Looking forward to more hardware fixes that will mute any performance penalties going forward, although Spectre & Meltdown are probably not the last time we’ll hear about side channel attacks.

    It's also nice to see that practically all systems going back to at least 2008 are getting microcode updates to help with Spectre as well.

      • Topinio
      • 2 years ago

      This is the lifespan of systems still in support, pretty much.

      The lowest-end Macs that run a supported OS version are Harpertown machines, NetApp has Wolfdales out there and Sun^H^H^HOracle has Harpertown, both these and others have already sold the support contract renewals to end customers…

      No choice for Intel, really.

      • Oem
      • 2 years ago

      ‘mute’ == ‘moot’, probably

        • Mr Bill
        • 2 years ago

        But "mute" is funnier and perhaps more fitting. As in turn down the volume of performance, ouch.

        • derFunkenstein
        • 2 years ago

        moot means irrelevant. mute means to silence (reduce the impact, in this case).

        but my favorite one is moo. it’s like a cow’s opinion. it’s moo. /friends reference

      • Krogoth
      • 2 years ago

      A hardware fix will not mute the performance penalty from fixing the Spectre flaw, though it will lessen it. The flaw happened in the first place because it came from a shortcut in speculative execution used to increase CPU performance.
