Intel's disclosures during its Whiskey Lake launch yesterday left out one very important fact: The Whiskey Lake processors are the first chips for consumers to feature in-silicon fixes for the Meltdown and Foreshadow vulnerabilities. Word surfaced earlier today from industry analyst Ashraf Eassa that Intel's new chips might support the new mitigations, and we followed up with Intel for confirmation.
Intel representatives confirmed that Whiskey Lake chips bring the first in-silicon mitigations to the consumer market, but the Amber Lake processors do not have the mitigations. The current Spectre and Meltdown mitigations, which Intel delivers via software and microcode patches, can reduce performance by up to 10% (based on workload) on newer hardware, with older hardware suffering even larger losses. The new mitigations, which are baked directly into the silicon, should reduce or even eliminate the performance impact.
| Vulnerability | Whiskey Lake Mitigation | Cascade Lake Mitigation |
| --- | --- | --- |
| Variant 1 (Spectre) | Operating System | Operating System/VMM |
| Variant 2 (Spectre) | Microcode + Operating System | In-Silicon + Operating System/VMM |
| Variant 3 (Meltdown) | In-Silicon | In-Silicon |
| Variant 3a | Microcode + Operating System | Firmware |
| Variant 4 | Microcode + Operating System | Microcode + Operating System/VMM |
The first wave of hardware-based fixes is limited, but Intel tells us that the in-silicon fixes will expand over time. Whiskey Lake processors will still need a combination of microcode and operating system patches for most variants, but Meltdown and L1TF (Foreshadow) are now patched fully in hardware.
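To see which layer is handling each variant on a given Linux machine, the kernel's per-vulnerability status files can be read and sorted into "not affected" (how a hardware fix shows up) versus "mitigation applied by the kernel". The script below is an added example, not from Intel or the original article; the mapping from the article's variant names to sysfs file names and the sample status strings are constructed here for illustration.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Article's variant names mapped to Linux sysfs file names (mapping added here).
# Variant 3a is not covered by this example.
VARIANT_FILES = {
    "Variant 1 (Spectre)": "spectre_v1",
    "Variant 2 (Spectre)": "spectre_v2",
    "Variant 3 (Meltdown)": "meltdown",
    "Variant 4": "spec_store_bypass",
    "L1TF (Foreshadow)": "l1tf",
}

# Constructed sample: what a chip with in-silicon Meltdown/L1TF fixes might report.
SAMPLE = {
    "meltdown": "Not affected\n",
    "l1tf": "Not affected\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n",
}

def classify(status):
    """Reduce one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"          # kernel treats the CPU itself as immune
    if s.startswith("Mitigation:"):
        return "mitigated-by-kernel"   # OS mitigation, possibly using microcode features
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"                   # file missing or unrecognised text

def report(statuses):
    """Map each article variant to a verdict, given {sysfs file name: status text}."""
    return {v: classify(statuses.get(f, "")) for v, f in VARIANT_FILES.items()}

def read_sysfs(base=SYSFS_DIR):
    """Read the live status files; returns {} on systems without this directory."""
    if not base.is_dir():
        return {}
    return {p.name: p.read_text() for p in base.iterdir() if p.is_file()}

if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE  # fall back to the constructed sample
    for variant, verdict in report(statuses).items():
        print(f"{variant:22} {verdict}")
```

A "vulnerable" or "unknown" verdict for any row is the cue to check kernel and microcode versions on that host.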
The Cascade Lake data center processors marked the introduction of in-silicon patches, but those chips have a different set of protections than the consumer processors. For instance, Cascade Lake has in-silicon protection against Spectre V2, whereas the Whiskey Lake processors do not. Intel representatives indicate that over time those Spectre V2 protections will also come to consumer chips. The limited scope of the in-silicon patches reminds us that Intel, like the many other companies impacted by these vulnerabilities, is still in the early stages of addressing the issues.
Regardless, the new in-silicon mitigations may help to address future vulnerabilities, as new variants based on the same techniques used in Spectre and Meltdown continue to pop up on a regular basis. Intel isn't detailing the exact nature of the changes to the microarchitecture, and likely for a good reason. Like the rest of the industry, Intel is playing a cat-and-mouse game with security researchers and malicious actors that range from nation-states to garden-variety hackers, so it wouldn't be wise to share too much information about the fixes.
We expect that Intel's other new processors, like the much-anticipated 9000-series models, will also have in-silicon mitigations, but we're awaiting confirmation.