SoylentNews is people
SoylentNews
It seems Intel has had some second thoughts about Spectre 2 microcode fixes:
Intel has issued new a new "microcode revision guidance" that confesses it won't address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it's too tricky to remove the Spectre v2 class of vulnerabilities.
The new guidance (pdf), issued April 2, adds a "stopped" status to Intel's "production status" category in its array of available Meltdown and Spectre security updates. "Stopped" indicates there will be no microcode patch to kill off Meltdown and Spectre.
The guidance explains that a chipset earns "stopped" status because, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."
Those reasons are given as:
- Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
- Limited Commercially Available System Software support
- Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
Thus, if a chip family falls under one of those categories – such as Intel can't easily fix Spectre v2 in the design, or customers don't think the hardware will be exploited – it gets a "stopped" sticker. To leverage the vulnerabilities, malware needs to be running on a system, so if the computer is totally closed off from the outside world, administrators may feel it's not worth the hassle applying messy microcode, operating system, or application updates.
"Stopped" CPUs that won't therefore get a fix are in the Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0 and E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield, and Yorkfield Xeon families. The list includes various Xeons, Core CPUs, Pentiums, Celerons, and Atoms – just about everything Intel makes.
Most [of] the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use.
(Score: 3, Interesting) by looorg on Wednesday April 04 2018, @10:52AM (6 children)
So are these flaws present in their current and new CPU:s or have they managed to eradicate them from those or is it some inherent flaw in the structure that they just can't get rid of without a complete redesign?
(Score: 0) by Anonymous Coward on Wednesday April 04 2018, @11:51AM (1 child)
Time to migrate to in-order ARM chips and call it a day. Intel screwed the pooch big time on this one and it is time to make the plunge and lose a bit of performance for guaranteed security. It is what I am doing.
Sadly PPC G5 chips have the same issue, and while the odds of attacks against them are low, it means that Old Mac G5 systems are just as risky to use online or with a web browser (since even if the javascript engine has mitigations, as soon as they trip an exploit to executable code they can use spectre either way.)
If you want an easy way to mitigate these issues, all you really need to do is change the ondemand scheduler in linux to under full load vary the cpu clock between steppings, which will throw off timing for the spectre attacks. You will get a stuttery experience if you are running something that truly demands the higher clock rate to perform smoothly, but for everything else it will just act as a spectre mitigation.
(Score: 2) by requerdanos on Wednesday April 04 2018, @10:14PM
The intel_pstate driver [stackexchange.com] only offers two governors: performance and powersave. Neither does what you might expect, as frequencies vary by load with both of them.
Disabling intel_pstate and using ACPI brings back the ondemand governor, but with reduced performance. From the link above:
I can confirm that the intel_pstate powersave governor, somewhat counter-intuitively, keeps my Xeon E5v2 chip running about 2.8GHz, its rated max speed. (The performance governor seems to run it at about 3.1 - 3.2 GHz.)
Point being, I guess, that even if that's a good mitigation technique, it comes with its own toils and troubles.
(And I would rather have a new governor, say "psycho" or something, modeled on the ondemand governor but with the unpredictability, rather than messing with ondemand itself, anyway.)
(Score: 4, Informative) by bzipitidoo on Wednesday April 04 2018, @01:21PM (2 children)
It's an inherent flaw with the dirty way speculative execution was implemented, which goes all the way back to the Pentium Pro in the mid '90s, and also affects AMD, ARM-- any company that employed speculative execution in their architecture and couldn't resist skipping a few checks to save time, which I think was just about all of them. If you want an Intel chip that is unaffected by Spectre, have to go all the way back to the Pentium. One thing the first Pentiums became infamous for was that division bug, but it shouldn't be too hard to avoid those. Sometimes, manufacturers buy older architectures, and chip makers helpfully produce them on the smaller processes available today. For instance, in recent times you could get a 100 MHz 486. I have no idea whether there are any new Pentiums available in, say, a 32nm process, and which can run at 1GHz, but there could be such a thing.
I can tell you that a 133 MHz Pentium MMX system with 96M of RAM (the max that system can support) is excruciatingly, painfully slow with modern software. The last time I fooled with that platform, I tried to run Firefox 3.5 on it. It worked, but it took 30 seconds just to start up with a blank page. On that machine, Stellarium took 5 minutes to start, and was so slow it was unusable. 96M just isn't enough RAM any more, need at least 512M.
Intel isn't planning to fix this problem immediately. May have to wait for the Tigerlake arch, perhaps in 2020. AMD chips are subject to less of the vulnerabilities, but aren't immune to all of them. Don't know what AMD is doing about it, whether they will have it all fixed before Intel, but it seems likely they will. There just isn't a good option right now. Wait a year or two, or use an ancient Pentium system, or live with it.
(Score: 0) by Anonymous Coward on Thursday April 05 2018, @08:42AM (1 child)
Sounds like a good time to not buy new computers.
(Score: 2) by bzipitidoo on Thursday April 05 2018, @12:37PM
Tell me about it. I had been waiting to upgrade my 2 old circa 2007 desktop systems. Decided to stop waiting last summer. Also, the power supply on one of them was failing and making the system unreliable, prone to spontaneous reboots and freezes. I wanted the Ryzen, but it would have been another half a year wait at least, so I went ahead and got a Skylake and then a Kaby Lake. The shine still hadn't worn off when the news about Meltdown and Spectre hit.
So then I checked that the old desktop's problem really was a bad power supply, bought and installed a new one, and it's working fine again.
(Score: 1, Informative) by Anonymous Coward on Wednesday April 04 2018, @06:40PM
Spectre is common to all processors that do speculative execution. Meltdown was Intel-specific, as Intel was the only one that performed speculation across different privilege levels (so user space could peek at kernel data).