Intel's Brian Krzanich announced today in a blog post that the company has made Spectre and Meltdown patches available for every processor it has launched in the last five years. The company also announced that it has new in-silicon mitigations, meaning security fixes baked directly into the processor, ready for the next round of Xeon Scalable processors, code named Cascade Lake, as well as 8th Generation Intel Core processors that should ship in the second half of 2018.
It may seem like an eternity, but it was only 73 days ago that the Meltdown and Spectre bugs threw the computing industry into chaos. After the initial fog surrounding the discovery dissipated, we learned that industry leaders had already been working feverishly behind the scenes for 200 days to patch systems against what could be the most widespread vulnerability of our time. Even with the continual extensions to the NDA period, the industry still struggled to patch the vulnerabilities because they attack some of the fundamental underpinnings of modern operating systems and processor microarchitectures. Intel and other industry stalwarts pledged to continue to refine and extend the patches further, but there were no firm guarantees for when we could say that all computers would be patched against the vulnerabilities.
And we still can’t. The industry is moving along, though. Intel, easily the most visibly affected company, announced today that it had reached its commitment to provide a microcode patch for all the processors it launched within the last five years.
Coffee Lake, Kaby Lake, Skylake, Broadwell, And Haswell Patches Available
Intel has made the patches available for all processors based on the Coffee Lake, Kaby Lake, Skylake, Broadwell, and Haswell microarchitectures. The fix is a combination of two parts: operating-system updates (for Windows, Linux, and others) that mitigate Variant 1 (bounds check bypass, CVE-2017-5753) and Variant 3 (Meltdown, rogue data cache load, CVE-2017-5754), plus new processor microcode that exposes the branch-control interfaces (IBRS, IBPB, STIBP) an updated operating system uses to mitigate Variant 2 (branch target injection, CVE-2017-5715). The microcode on its own does nothing against Variant 2; the operating system has to be updated to use it.
Intel has delivered the new microcode to all system vendors, but expect a staggered rollout: on most systems the microcode only reaches the processor through an OEM BIOS/UEFI update, or through a microcode package that the operating system loads at boot where the vendor offers one. Unlike the first round of emergency patches, which Intel withdrew in January after they caused unexpected reboots on some systems, Intel and the OEMs have conducted extended reliability testing, so we shouldn't see a repeat. After applying a BIOS update it is still worth confirming that the reported microcode revision actually changed, since an OEM build can ship an older revision than the one Intel released.
Unfortunately, although the patches are available, some older systems may never be patched by their respective OEMs. Intel's new dedicated security website has a list of system vendors and links to additional resources for each. Microsoft has also stepped forward to wrap the microcode in manually downloadable Windows Update packages, but support varies by processor and Windows version, and several caveats apply. We hope Microsoft expands this technique to a wider range of systems, as it would speed delivery and also ensure that older systems whose OEMs have moved on can still receive the patches Intel has made available.
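Because the fix arrives in two pieces (operating-system update plus microcode via BIOS) that are delivered by different parties, the first thing a practitioner wants after patching is a way to tell which pieces have actually landed. The following POSIX shell script is an added example written for this article; it is not code from Intel, Microsoft, or any OEM. It reads the two places a Linux administrator checks: the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (present since Linux 4.15) and /proc/cpuinfo, whose microcode field shows the loaded revision and whose flags line shows pti (kernel page-table isolation active), the ibrs/ibpb/stibp controls that Intel's Variant 2 microcode exposes, and pcid/invpcid. Both paths are parameters so that the functions can run against constructed sample files; the sample contents, including the microcode revision numbers, are made up for the demo and are not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article, Intel, or any OEM): report which
# Spectre/Meltdown mitigations are active on a Linux host, reading the same
# two sources an administrator checks after a BIOS or OS update.
# $1 = cpuinfo file, $2 = sysfs vulnerabilities directory, so the functions
# can be pointed at constructed sample data as in the demo at the bottom.

# Print the loaded microcode revision from a cpuinfo file (empty if absent).
# A BIOS update that ships Intel's Variant 2 microcode shows up here.
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# Succeed if the cpuinfo flags line contains the given feature flag.
has_flag() {
    awk '/^flags/ { print; exit }' "$1" | tr ' \t' '\n\n' | grep -qx "$2"
}

# Print one "name: status" line per sysfs vulnerability file and return 0
# only if none of them reports "Vulnerable".
sysfs_status() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "${f##*/}" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Overall assessment: returns 0 if mitigated, 1 if something is still exposed.
assess() {
    cpuinfo=$1; vulns=$2; rc=0
    printf 'microcode revision: %s\n' "$(microcode_rev "$cpuinfo")"
    # pti: kernel page-table isolation (Variant 3 mitigation) is active.
    # ibrs/ibpb/stibp: Variant 2 controls exposed by the new microcode.
    # pcid/invpcid: let PTI avoid a full TLB flush on every kernel entry;
    # a speed-up, not a fix, so their absence does not fail the check.
    for flag in pti ibpb ibrs stibp pcid invpcid; do
        if has_flag "$cpuinfo" "$flag"; then
            printf 'flag %s: present\n' "$flag"
        else
            printf 'flag %s: MISSING\n' "$flag"
            case $flag in pti|ibpb) rc=1 ;; esac
        fi
    done
    sysfs_status "$vulns" || rc=1
    return $rc
}

# Constructed sample data (not captured from a real machine) in the shape the
# two sources use. $1 = target directory, $2 = "patched" or "unpatched".
write_sample() {
    dir=$1; kind=$2
    mkdir -p "$dir/vulnerabilities"
    common='fpu vme de pse tsc msr pae mce cx8 apic sep pcid invpcid'
    if [ "$kind" = patched ]; then
        printf 'microcode\t: 0x84\nflags\t\t: %s pti ibrs ibpb stibp\n' "$common" >"$dir/cpuinfo"
        echo 'Mitigation: PTI' >"$dir/vulnerabilities/meltdown"
        echo 'Mitigation: __user pointer sanitization' >"$dir/vulnerabilities/spectre_v1"
        echo 'Mitigation: Full generic retpoline, IBPB, IBRS_FW' >"$dir/vulnerabilities/spectre_v2"
    else
        printf 'microcode\t: 0x62\nflags\t\t: %s\n' "$common" >"$dir/cpuinfo"
        echo 'Vulnerable' >"$dir/vulnerabilities/meltdown"
        echo 'Vulnerable' >"$dir/vulnerabilities/spectre_v1"
        echo 'Vulnerable: Minimal generic ASM retpoline' >"$dir/vulnerabilities/spectre_v2"
    fi
}

# Demo on the constructed samples. On a real host run:
#   assess /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
for kind in patched unpatched; do
    d=$(mktemp -d)
    write_sample "$d" "$kind"
    echo "== $kind sample =="
    if assess "$d/cpuinfo" "$d/vulnerabilities"; then
        echo 'result: mitigated'
    else
        echo 'result: NOT fully mitigated'
    fi
    rm -rf "$d"
done
```

The check deliberately treats a missing pti or ibpb flag as a failure but a missing pcid/invpcid only as information: the latter determine how expensive the Meltdown mitigation is, not whether it is in place. On Windows the equivalent information comes from Microsoft's SpeculationControl PowerShell module rather than from these files.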
In-Silicon Fixes For Meltdown And Spectre Baked Into New 8th Generation Processors
Intel says that the company redesigned parts of the processor and partitioned off sections to protect against Variants 2 and 3. Currently, Variant 3, otherwise known as Meltdown, is mitigated in software by the operating system (kernel page-table isolation, which unmaps most of the kernel from the user-mode page tables and switches tables on every entry to and exit from the kernel). Its overhead is modest for most workloads but noticeable on system-call- and interrupt-heavy ones, and it is possible that the hardware alterations reduce it further, or eliminate it entirely.
Spectre Variant 2 currently requires both an operating-system patch and new microcode, and it carries the highest performance overhead of the three variants. Again, we expect the new in-silicon mitigations to reduce the impact on performance.
Intel isn't providing technical details of the new hardware-based fixes yet, so we don't know whether they are just an extension of the PCID (Process-Context Identifiers) feature. PCID lets the kernel tag TLB entries with an address-space identifier, so the page-table switch that the Meltdown patch performs on every kernel entry and exit does not have to flush the whole TLB; PCID itself is older, but the INVPCID instruction that the operating-system patches rely on for efficient use of it arrived with Haswell, which is why the Meltdown patch costs more on processors that lack it.
Intel still hasn't defined the timeline for patching processors beyond the five-year-old window. Given the steady update cadence of the company's processor lineup, the five-year patching window should cover a good portion of active desktop systems. More important for Intel, it should cover an even higher percentage of active Xeon servers, which are refreshed on a much more predictable cadence in the data center. Intel is pushing deeper into the data center with each passing year, so keeping its customers happy is essential, especially as AMD's EPYC continues to enjoy more uptake.
AMD has not entirely patched its ecosystem yet: we haven't seen any signs of microcode updates to address Spectre on the desktop. AMD has unfortunately been in the news lately due to a new set of alleged vulnerabilities that reportedly require an attacker who already has administrative access to the machine, but we still aren't sure of the impact. Of course, some will think that Intel is capitalizing on AMD's recent bad news by announcing its new achievements, but Intel has communicated its intention to patch all of its recent processors since the early days of the vulnerability disclosures. The company has reached its milestone and is ready to share the news; take it as you will.
Intel's new hardware mitigations sound promising, but we have no details yet. Intel says the in-silicon fixes will apply to 8th Generation processors, but the 8th-gen lineup also encompasses 14nm+ Kaby Lake-R (refresh), all 14nm++ Coffee Lake models, and the forthcoming 10nm Cannon Lake processors. Intel hasn't specified which new processors will have the fixes, or if it can apply the fixes to newer versions of the existing 8th Generation models.
ASRock recently listed compatibility with several new Coffee Lake processors, and these new models move from a B0 to a U0 stepping. We don't know whether the in-silicon fixes required enough of a retooling of the microarchitecture that a new stepping alone could not carry them, but it is a nice thought. We're eager to learn more about the mitigations, and also whether Intel has any plans to fix its older processors.