Skip to main content

Intel Patches All Recent CPUs, Promises Hardware Fixes For Upcoming 8th Gen Chips

Intel's Brian Krzanich announced today in a blog post that the company has made Spectre and Meltdown patches available for every processor it has launched in the last five years. The company also announced that it has new in-silicon mitigations, meaning security fixes baked directly into the processor, ready for the next round of Xeon Scalable processors, code named Cascade Lake, as well as 8th Generation Intel Core processors that should ship in the second half of 2018.

It may seem like an eternity, but it was only 73 days ago that the Meltdown and Spectre bugs threw the computing industry into chaos. After the initial fog surrounding the discovery dissipated, we learned that industry leaders had already been working feverishly behind the scenes for 200 days to patch systems against what could be the most widespread vulnerability of our time. Even with the continual extensions to the NDA period, the industry still struggled to patch the vulnerabilities because they attack some of the fundamental underpinnings of modern operating systems and processor microarchitectures. Intel and other industry stalwarts pledged to continue to refine and extend the patches further, but there were no firm guarantees for when we could say that all computers would be patched against the vulnerabilities.

And we still can’t. The industry is moving along, though. Intel, easily the most visibly affected company, announced today that it had reached its commitment to provide a microcode patch for all the processors it launched within the last five years.

Coffee Lake, Kaby Lake, Skylake, Broadwell, And Haswell Patches Available

Intel has made the patches available for all processors based on the Coffee Lake, Kaby Lake, Skylake, Broadwell, and Haswell microarchitectures. These patches consist of both software patches for operating systems (such as Windows and Linux) to protect against Variant 1 and 3, along with processor microcode to address Variant 2.

Intel has delivered the new microcode to all system vendors, but there could be a staggered rollout as OEMs issue BIOS updates. Unlike the first round of emergency patches, Intel and OEMs have conducted extended reliability testing, so we shouldn't see a repeat of the earlier missteps.

Unfortunately, although the patches are available, some older systems may never be patched by the respective OEMs. Intel's new dedicated security website has a list of system vendors and links to additional resources for each. Microsoft has also stepped forward to wrap patches up in manually-downloadable Windows Update packages, but support varies and several caveats apply. We hope Microsoft expands this technique to a wider range of systems, as it will help speed the delivery process and also assures that older systems could actually receive the patches that Intel has made available.

In-Silicon Fixes For Meltdown And Spectre Baked Into New 8th Generation Processors

Intel says that the company redesigned parts of the processor and partitioned off sections to protect against Variants 2 and 3. Currently, Variant 3, otherwise known as Meltdown, requires a software patch that resides in the operating system. This patch has minimal performance overhead, but it is possible that the hardware alterations reduce it further, or eliminate it entirely.

Spectre Variant 2 currently requires both a software and microcode patch, and it confers the highest performance overhead. Again, we expect the new in-silicon mitigations to reduce the impact on performance.

Intel isn't providing technical details of the new hardware-based fixes yet, so we don't know if they are just an extension of the PCID (Post-Context Identifiers) feature in post-Broadwell systems. That feature helps the operating system navigate an extra layer of memory address abstraction.

Thoughts

Intel still hasn't defined the timeline for patching processors beyond the five-year-old window. Given the steady update cadence of the company's processor lineup, the five-year patching window should cover a good portion of active desktop systems. More important for Intel, it should cover an even higher percentage of active Xeon servers, which are refreshed on a much more predictable cadence in the data center. Intel is pushing deeper into the data center with each passing year, so keeping its customers happy is essential, especially as AMD's EPYC continues to enjoy more uptake.

AMD has not entirely patched its ecosystem yet: we haven't seen any signs of microcode updates to address Spectre on the desktop. AMD has unfortunately been in the news lately due to a new set of alleged vulnerabilities that can be exposed by second-level attacks, but we still aren't sure of the impact. Of course, some will think that Intel is capitalizing on AMD's recent bad news by announcing its new achievements, but Intel has communicated its intentions to patch all of its recent processors since the early days of the vulnerability disclosures. The company has reached its milestone and is ready to share the news; take it as you will.

Intel's new hardware mitigations sound promising, but we have no details yet. Intel says the in-silicon fixes will apply to 8th Generation processors, but the 8th-gen lineup also encompasses 14nm+ Kaby Lake-R (refresh), all 14nm++ Coffee Lake models, and the forthcoming 10nm Cannon Lake processors. Intel hasn't specified which new processors will have the fixes, or if it can apply the fixes to newer versions of the existing 8th Generation models.

ASRock recently listed compatibility with several new Coffee Lake processors, but these new models move from a B0 to a U0 stepping. We aren't sure if the in-silicon fixes required a significant-enough retooling of the microarchitecture that would necessitate more than a mere stepping to address, but it is a nice thought. We're eager to learn more about the mitigations, and also if Intel has any plans to fix its older processors. 

  • madmatt30
    You've touched on it in the report Paul, but I do have to reiterate - it's a suspiciously well timed release given the very recent cts-labs/amdflaws fiasco !
    Reply
  • Blinken
    With all the press hubbub surrounding this, other than hoping MS includes patches covering my CPU, WHERE DO I GET THE PATCHES?
    If I have a couple PC's I built, with say a Skylake i7 with ASUS motherboard do I just hope ASUS issues a BIOS update? What about older PC's, a Haswell i7 or even Bloomfield Xeon's, do we just hope no one points malware at these systems?
    Reply
  • derekullo
    20795726 said:
    You've touched on it in the report Paul, but I do have to reiterate - it's a suspiciously well timed release given the very recent cts-labs/amdflaws fiasco !

    Good news or bad news, Intel still gets blasted.

    They just can't win(tel).

    Reply
  • Glock24
    I updated my Haswell and Ivy Bridge Linux boxes yesterday. Microcode updates for Linux were available publicly yesterday.
    Reply
  • richardvday
    Intel has done a lot of bad stuff so if they sometimes get the blame where you think they don't deserve it well they only have themselves to blame. There is probably something we don't know about that they DO deserve it for anyway.
    Whether its illegal or just unethical is moot.
    Reply
  • Giroro
    I have an ASRock Mobo in my Haswell system. It looks like the most recent drivers and BIOS updates are from 2014. I have a feeling I'll never get this patch.

    Unless I'm misunderstanding how the fixes are supposed to be distributed. Intel bragging that they made patch isn't very helpful unless these updates are actually made available to users with older systems.
    Reply
  • LORD_ORION
    Intel has specifically stated my Ivy Bridge mobo will not receive a bios patch. :\
    Reply
  • The Paladin
    yep my ASUS z87 gryphon still has not update out for it.... dates 2014/09/12I emailed ASUS, and got a canned reply to not worry they will provide updates asap...lol I think I will just skip worrying about it.

    And from Intel's web site: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

    The Asus list doesn't even come close to covering Haswell CPUs lol
    https://www.asus.com/News/V5urzYAT6myCC1o2
    Reply
  • alextheblue
    "We hope Microsoft expands this technique to a wider range of systems, as it will help speed the delivery process and also assures that older systems could actually receive the patches that Intel has made available."

    They've already started to expand availability and you can get the patches from MS. But last I heard they won't be rolling these into Windows Update for a while. Next major release, probably. They're being cautious after the instability fiasco with Intel's initial microcode updates, and I don't blame them.

    https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

    Bookmark that KB. It states that MS will add microcode for older architectures as they become available (after testing I assume) from Intel.
    Reply
  • alan_rave
    Good news)
    Reply