Intel's Whiskey Lake Brings In-Silicon Meltdown and Foreshadow Fixes

Intel's disclosures during its Whiskey Lake launch yesterday left out one very important fact: The Whiskey Lake processors are the first chips for consumers to feature in-silicon fixes for the Meltdown and Foreshadow vulnerabilities. Word surfaced earlier today from industry analyst Ashraf Eassa that Intel's new chips might support the new mitigations, and we followed up with Intel for confirmation.

Intel representatives confirmed that Whiskey Lake chips bring the first in-silicon mitigations to the consumer market, but the Amber Lake processors do not have the mitigations. The current Spectre and Meltdown mitigations, which Intel delivers via software and microcode patches, can reduce performance by up to 10% (depending on workload) on newer hardware, with older hardware suffering even larger losses. The new mitigations, which are baked directly into the silicon, should reduce or even eliminate the performance impact for the variants they cover.

                       Whiskey Lake Mitigation          Cascade Lake Mitigation
Variant 1 (Spectre)    Operating System                 Operating System/VMM
Variant 2 (Spectre)    Microcode + Operating System     In-Silicon + Operating System/VMM
Variant 3 (Meltdown)   In-Silicon                       In-Silicon
Variant 3a             Microcode + Operating System     (not given)
Variant 4              Microcode + Operating System     Microcode + Operating System/VMM
L1TF (Foreshadow)      In-Silicon                       In-Silicon

The first wave of hardware-based fixes is limited, but Intel tells us that the in-silicon fixes will expand over time. Whiskey Lake processors will still need a combination of microcode and operating system patches for most variants, but Meltdown (Variant 3) and L1TF/Foreshadow are now mitigated fully in hardware, so the kernel no longer has to rely on page-table isolation or L1 data cache flushes for those two.

The Cascade Lake data center processors marked the introduction of in-silicon patches, but those chips have a different set of protections than the consumer processors. For instance, Cascade Lake has in-silicon protection against Spectre V2, whereas the Whiskey Lake processors do not. Intel representatives indicate that over time those Spectre V2 protections will also come to consumer chips. The limited scope of the in-silicon patches reminds us that Intel, like the many other companies impacted by these vulnerabilities, is still in the early stages of addressing the issues.
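Since the practical question for an administrator is which of these variants a given machine still mitigates in microcode or in the OS, here is an added example (written for this page; it is not code from the article, from Intel, or from any project) that reads the Linux kernel's sysfs vulnerability interface under /sys/devices/system/cpu/vulnerabilities/ and sorts each entry into hardware-fixed, software-mitigated, or unmitigated. On a CPU with the in-silicon fix, the kernel sees the RDCL_NO bit in the IA32_ARCH_CAPABILITIES MSR and reports "Not affected" for both meltdown and l1tf; on older parts the same files read "Mitigation: PTI" and "Mitigation: PTE Inversion; ...". The sample directory the script builds when sysfs is unavailable is constructed for illustration and uses status strings in the kernel's format; it is not output captured from a Whiskey Lake system.

```shell
#!/bin/sh
# Added example (not from the article or from Intel): classify each entry of the
# Linux sysfs vulnerability interface so that in-silicon fixes ("Not affected",
# which the kernel reports for meltdown and l1tf when the CPU sets RDCL_NO in
# IA32_ARCH_CAPABILITIES) stand out from microcode/OS mitigations and from
# unmitigated entries.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status string to a coarse class:
# hardware / software / vulnerable / unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo hardware ;;     # fixed in silicon or never affected
        "Mitigation:"*)  echo software ;;     # microcode and/or OS mitigation active
        "Vulnerable"*)   echo vulnerable ;;   # no mitigation in place
        *)               echo unknown ;;      # e.g. "Unknown: ..." under a hypervisor
    esac
}

# Print one aligned report line: name, class, raw kernel status text
report_line() {
    printf '%-22s %-10s %s\n' "$1" "$(classify_status "$2")" "$2"
}

# Walk a directory in the sysfs layout (one file per vulnerability) and report each
scan_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        report_line "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed sample in the kernel's format: what a Whiskey Lake system with the
# in-silicon Meltdown/L1TF fix, current microcode and a patched kernel might show.
# These are sample values, not output captured from a real machine.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/meltdown"
    printf 'Not affected\n' > "$d/l1tf"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n' > "$d/spectre_v2"
    printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$d/spec_store_bypass"
    echo "$d"
}

# Count how many entries in a directory fall into a class, e.g. count_class "$dir" hardware
count_class() {
    scan_dir "$1" | awk -v cls="$2" '$2 == cls { n++ } END { print n + 0 }'
}

if [ -d "$SYSFS_VULN_DIR" ]; then
    scan_dir "$SYSFS_VULN_DIR"
else
    echo "no $SYSFS_VULN_DIR on this host; showing the constructed sample"
    sample=$(make_sample_dir)
    scan_dir "$sample"
    rm -rf "$sample"
fi
```

A machine that lacks the hardware fix shows "Mitigation: PTI" for meltdown rather than "Not affected", which is the cheapest way to confirm whether a given box actually got the in-silicon change rather than just a newer microcode. The underlying signal is bit 0 (RDCL_NO) of MSR 0x10A; with msr-tools loaded, `rdmsr 0x10a` on the host exposes the raw value if you want to verify the kernel's reading directly.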

L1TF Foreshadow

Regardless, the new in-silicon mitigations may also help against some future vulnerabilities, since new variants that reuse the speculative-execution techniques behind Spectre and Meltdown continue to surface on a regular basis. That is no guarantee, though: a hardware fix for one variant does not cover the next, as the Whiskey Lake table above already shows for Spectre V2. Intel isn't detailing the exact nature of the changes to the microarchitecture, and likely for a good reason. Like the rest of the industry, Intel is playing a cat-and-mouse game with security researchers and malicious actors that range from nation-states to garden-variety hackers, so it wouldn't be wise to share too much information about the fixes.

We expect that Intel's other new processors, like the much-anticipated 9000-series models, will also have in-silicon mitigations, but we're awaiting confirmation.

  • Tanyac
    The new mitigations, which are baked directly into the silicon, should reduce or even eliminate the performance impact.

    Assuming they fix the flaws properly and don't just band-aid them, which I suspect is exactly what Intel will do - it's cheaper and faster than a proper fix.

    I'm using X299 and Z370 chipsets and I can say for sure my performance hit in the applications I tested is more than 10%. After paying almost $2000 for a delidded 7900x (AUD), I'm not impressed!
  • Co BIY
    More security always costs something. Performance, convenience, money, time, beauty.

    I'm sure that they are also worried about fixing known issues and inadvertently creating others.

    People die in car crashes (most often caused by malevolent actors breaking laws), the builder installs seat belts (and provides it free to the customer), the customer complains that it now takes longer to get in the car and it put a wrinkle in their dress.

    Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?
  • DavidC1
    2012116 said:
    Have any attacks using the Spectre / Meltdown weaknesses ever occurred in the real world?

    They are at this weird phase where it's damned if you do, damned if you don't.

    Errata and potential exploits exist. I mean, computer code and hardware are incredibly complex. Do the security researchers wait and fix when the exploits cause real-life impact, or do they proactively go about finding and fixing them? They often offer bounties so people can purposely look for exploits and bugs. However, if such bugs normally would never have been exploited, are they not doing more damage by doing so?

    There's a saying in programming that fixing one bug will create 99 different ones. That may be a bit extreme, and obviously said as a joke, but maybe not so far from reality.