Intel's disclosures during its Whiskey Lake launch yesterday left out one very important fact: The Whiskey Lake processors are the first chips for consumers to feature in-silicon fixes for the Meltdown and Foreshadow vulnerabilities. Word surfaced earlier today from industry analyst Ashraf Eassa that Intel's new chips might support the new mitigations, and we followed up with Intel for confirmation.
Intel representatives confirmed that Whiskey Lake chips bring the first in-silicon mitigations to the consumer market, but the Amber Lake processors do not have the mitigations. The current Spectre and Meltdown mitigations, which Intel delivers via software and microcode patches, can reduce performance by up to 10% (depending on workload) on newer hardware, with older hardware suffering even larger losses. The new mitigations, which are baked directly into the silicon, should reduce or even eliminate that performance impact: once the processor reports the hardware fix, the operating system can skip the corresponding software mitigation (for Meltdown, kernel page-table isolation) instead of paying for it on every system call and context switch.
| Vulnerability | Whiskey Lake Mitigation | Cascade Lake Mitigation |
|---|---|---|
| Variant 1 (Spectre) | Operating System | Operating System/VMM |
| Variant 2 (Spectre) | Microcode + Operating System | In-Silicon + Operating System/VMM |
| Variant 3 (Meltdown) | In-Silicon | In-Silicon |
| Variant 3a | Microcode + Operating System | Firmware |
| Variant 4 | Microcode + Operating System | Microcode + Operating System/VMM |
The first wave of hardware-based fixes is limited, but Intel tells us that the in-silicon fixes will expand over time. Whiskey Lake processors will still need a combination of microcode and operating system patches for most variants, but Meltdown (Variant 3) and the L1TF/Foreshadow attacks are now patched fully in hardware. (L1TF does not appear as a row in the table above, which covers only the original variants, but Intel's confirmation covers it alongside Meltdown.)
The Cascade Lake data center processors marked the introduction of in-silicon patches, but those chips have a different set of protections than the consumer processors. For instance, Cascade Lake has in-silicon protection against Spectre V2, whereas the Whiskey Lake processors do not. Intel representatives indicate that over time those Spectre V2 protections will also come to consumer chips. The limited scope of the in-silicon patches reminds us that Intel, like the many other companies impacted by these vulnerabilities, is still in the early stages of addressing the issues.
Regardless, the new in-silicon mitigations may help to address future vulnerabilities, as new variants based on the same techniques used in Spectre and Meltdown continue to pop up on a regular basis. Intel isn't detailing the exact nature of the changes to the microarchitecture, and likely for a good reason. Like the rest of the industry, Intel is playing a cat-and-mouse game with security researchers and malicious actors that range from nation-states to garden-variety hackers, so it wouldn't be wise to share too much information about the fixes.
We expect that Intel's other new processors, like the much-anticipated 9000-series models, will also have in-silicon mitigations, but we're awaiting confirmation.
Assuming they fix the flaws properly and don't just band-aid them, which I suspect is exactly what Intel will do - it's cheaper and faster than a proper fix.
I'm using X299 and Z370 chipsets and I can say for sure my performance hit in the applications I tested is more than 10%. After paying almost $2000 for a delidded 7900x (AUD), I'm not impressed!
I'm sure that they are also worried about fixing known issues and inadvertently creating others.
People die in car crashes (most often caused by malevolent actors breaking laws), the builder installs seat belts (and provides them free to the customer), the customer complains that it now takes longer to get in the car and it put a wrinkle in their dress.
Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?
They are at this weird phase where it's damned if you do, damned if you don't.
Errata and potential exploits exist. I mean, computer code and hardware are incredibly complex. Do the security researchers wait and fix when the exploits cause real-life impact, or do they proactively go about finding and fixing them? They often offer bounties so people can purposely look for exploits and bugs. However, if such bugs normally would never have been exploited, are they not doing more damage by doing so?
There's a saying in programming that fixing one bug will create 99 different ones. That may be a bit extreme, and obviously said as a joke. But maybe not so far from reality.
Not that they know of, at least until the security researchers released the code that made it so simple a script kiddie could pull off an attack.
It's such a strange situation, in ways. The security researchers almost look like the bad guys because they go about unearthing stuff that may have never been discovered and used. But then they share the code as a means to force vendors to patch stuff.
But, who can say these attacks weren't used in the past. What if a state actor, like China, had used this attack for a decade and no one knew? The crux of the issue is that the attacks are virtually undetectable, so we can't say they haven't been used. Or, perhaps they were being used, were discovered, and then some three-letter agency tipped off the security researchers so as not to expose a threat to national security. Stranger things have happened, for sure.
AnandTech says that neither Spectre nor Meltdown has been fixed in hardware in either Whiskey Lake or Amber Lake, as per this paragraph at https://www.anandtech.com/show/13275/intel-launches-whiskey-lake-amber-lake
"During Intel’s briefing, a lot of noise was made about some of the features: 2x overall performance, 12x better WiFi, 10.5x transcoding. These seem like impressive numbers, until you realise that Intel is comparing the new parts to five year old machines (e.g. Haswell-U), and none of these performance figures factor in the Spectre and Meltdown updates (the new chips are not protected in hardware, for those wondering). Does anyone remember two years ago when Intel was comparing its latest platform against three year old machines?"
I've posted something similar in their comments section, hopefully somebody can clarify this point.
As stated in this article, Intel did not share this information at launch. However, Intel confirmed this to us directly, today. This is new information.
I'm sure Ian will update his article as time permits.
It can probe the CPU to validate. The OS will take a backseat and abstain from implementing mitigation if it detects the CPU isn't vulnerable.
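The probing described in the comment above is done on Intel parts through the IA32_ARCH_CAPABILITIES MSR (0x10A), whose presence is advertised by CPUID.(EAX=7,ECX=0):EDX bit 29. When the RDCL_NO bit is set, the kernel knows the silicon is not susceptible to Meltdown (and Linux treats L1TF as fixed on the same bit) and skips page-table isolation; IBRS_ALL and SSB_NO report hardware help for Variant 2 and Variant 4. The program below is an added example written for this page, not code from the article or from Intel; the bit names follow the Intel SDM, while the struct and function names, the `/dev/cpu/0/msr` read path (Linux `msr` driver, root required) and the fallback sample value are our own assumptions.

```c
// Added example: decode IA32_ARCH_CAPABILITIES the way an OS does before
// deciding which Spectre/Meltdown mitigations it still has to apply.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define IA32_ARCH_CAPABILITIES_MSR 0x10AU
/* Bit positions from the Intel SDM (Vol. 4, IA32_ARCH_CAPABILITIES). */
#define ARCH_CAP_RDCL_NO            (1ULL << 0) /* not susceptible to Meltdown; Linux also clears L1TF on this */
#define ARCH_CAP_IBRS_ALL           (1ULL << 1) /* enhanced IBRS: hardware help for Spectre V2 */
#define ARCH_CAP_RSBA               (1ULL << 2) /* RSB may fall back to alternate predictors */
#define ARCH_CAP_SKIP_L1DFL_VMENTRY (1ULL << 3) /* L1D flush on VM entry not required */
#define ARCH_CAP_SSB_NO             (1ULL << 4) /* not susceptible to Variant 4 (SSB) */

/* Our own structure for the decoded flags (hypothetical name). */
struct arch_caps {
    int meltdown_fixed;  /* RDCL_NO: kernel may skip KPTI / KVA shadowing */
    int enhanced_ibrs;   /* IBRS_ALL */
    int rsba;            /* RSBA */
    int skip_l1d_flush;  /* SKIP_L1DFL_VMENTRY */
    int ssb_fixed;       /* SSB_NO */
};

/* Pure decoder: turns the raw MSR value into the flags an OS acts on.
 * Needs no privileges, so it can be tested with constructed values. */
void decode_arch_caps(uint64_t raw, struct arch_caps *out) {
    memset(out, 0, sizeof *out);
    out->meltdown_fixed = (raw & ARCH_CAP_RDCL_NO) != 0;
    out->enhanced_ibrs  = (raw & ARCH_CAP_IBRS_ALL) != 0;
    out->rsba           = (raw & ARCH_CAP_RSBA) != 0;
    out->skip_l1d_flush = (raw & ARCH_CAP_SKIP_L1DFL_VMENTRY) != 0;
    out->ssb_fixed      = (raw & ARCH_CAP_SSB_NO) != 0;
}

/* Mirrors the kernel's decision: page-table isolation is only needed when the
 * CPU does not declare itself RDCL_NO. Returns 1 if KPTI must stay enabled. */
int os_needs_kpti(uint64_t raw) {
    struct arch_caps c;
    decode_arch_caps(raw, &c);
    return !c.meltdown_fixed;
}

/* 1 if CPUID leaf 7 reports that the MSR exists; 0 otherwise or on non-x86. */
int has_arch_caps_msr(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((edx >> 29) & 1U);
#else
    return 0;
#endif
}

/* Linux only: read the MSR for CPU 0 through the msr driver
 * (`modprobe msr`, root). Returns 0 on success, -1 otherwise. */
int read_arch_caps_msr(uint64_t *out) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, (off_t)IA32_ARCH_CAPABILITIES_MSR, SEEK_SET) != (off_t)-1 &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    uint64_t raw;
    const char *source;
    if (has_arch_caps_msr() && read_arch_caps_msr(&raw) == 0) {
        source = "this machine";
    } else {
        /* Constructed sample, not a captured value: RDCL_NO set, IBRS_ALL and
         * SSB_NO clear, i.e. Meltdown fixed in silicon, Variants 2 and 4 not. */
        raw = ARCH_CAP_RDCL_NO;
        source = "constructed sample (MSR not readable here)";
    }
    struct arch_caps c;
    decode_arch_caps(raw, &c);
    printf("IA32_ARCH_CAPABILITIES = 0x%llx (%s)\n", (unsigned long long)raw, source);
    printf("  RDCL_NO  (Meltdown/L1TF fixed in silicon): %d -> KPTI needed: %d\n",
           c.meltdown_fixed, os_needs_kpti(raw));
    printf("  IBRS_ALL (enhanced IBRS for Spectre V2):   %d\n", c.enhanced_ibrs);
    printf("  SSB_NO   (Variant 4 fixed in silicon):     %d\n", c.ssb_fixed);
    return 0;
}
```

On a patched-but-unfixed machine the kernel sees RDCL_NO clear and keeps KPTI on, which is where the performance loss in the article comes from; on a part that reports RDCL_NO it leaves the page tables shared. The same sysfs view is available without root on Linux under /sys/devices/system/cpu/vulnerabilities/, where "Not affected" is what this bit produces.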
CPU microcode is distributed one of two ways: either rolled into a BIOS update, or pushed out as a Windows Update. In fact, MS just released Intel-provided microcode in this month's update KB4100347. You can review the full list below. To obtain them, you just have to install Windows Updates as normal. No special action needs to be taken by you. And depending on how old your system is, the microcode loaded by the OS could very well be newer than the version provided in the BIOS, so the newest will supersede it.