While currently deployed products are being updated through a patchwork of software and microcode updates, the company outlined designed safeguards for future CPUs.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Intel has already released Meltdown and Spectre patches for the last 5 years worth of x86-64 CPUs.
- The company plans to provide patches for products dating back to the 45nm-process CPUs marketed as "Core 2."
Following the public disclosure of the Meltdown and Spectre vulnerabilities, Intel has faced the daunting task of releasing mitigations for practically every CPU the company has released this decade (sans Itanium, which was not affected). After some early difficulties that required emergency rollbacks, Intel CEO Brian Krzanich announced that the company has issued microcode updates to address Spectre variant 2 for every affected Intel CPU released within the last five years.
This encompasses Sandy Bridge and newer CPUs. Sandy Bridge is generally referred to as the second generation of Intel Core CPUs, identifiable by the first digit following the hyphen in the model number, e.g., i3-2100. Without going further into the minutiae of Intel product numbers, the patches are also available for the Ivy Bridge (3rd), Haswell (4th), Broadwell (5th), Skylake (6th), Kaby Lake (7th), and Coffee Lake (8th) generations of processors, and derivatives of those generations.
Intel is also presently conducting beta tests of microcode updates for Nehalem and Westmere, which comprise the first generation of Intel Core CPUs, the former of which launched in November 2008. Plans also exist to patch the 45nm-process CPUs marketed as "Core 2," which were assigned the codenames Penryn, Wolfdale, Yorkfield, Harpertown, and Dunnington.
SEE: System update policy (Tech Pro Research)
The microcode updates are being supplied to device manufacturers, which must in turn embed the changes in BIOS or firmware updates for computers (or motherboards). As the CPU microcode updates only address one aspect of the Meltdown and Spectre vulnerabilities, applying software updates through Windows Update (or for Linux users, the package manager for your distribution) is necessary to ensure your system is protected. Alternatively, the Microcode data file for Linux can be downloaded here.
Intel also announced architectural changes that are being made to harden the security of future CPUs. Starting with the 8th generation Intel processors, expected to ship in the second half of this year, as well as the Cascade Lake series of scalable Xeon processors, the firm will put in place extra protections that Krzanich described as "additional 'protective walls' between applications and user privilege levels to create an obstacle for bad actors."
Patches for Meltdown and Spectre are known to cause performance degradation, though the actual extent of this has often been overstated. While early reports indicated that Kernel Page Table Isolation (KPTI) causes regressions of up to 30%, the reality of the situation is much different. In Linux test cases, lateral patching of the 4.4 LTS kernel shows significant performance degradation, though these degredations are largely absorbed by performance increases in the newer 4.14 kernel. As an overall view, Linus Torvalds suggested that performance penalties should be around 5%.
While Intel CPUs were the hardest-hit in the Meltdown and Spectre disclosures, other CPUs have also been affected. AMD has already issued microcode patches for the vulnerabilities, and IBM has issued patches for POWER7, POWER7+, POWER8 and POWER9 processors.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Intel: Spectre-proof CPUs will ship in second half of 2018 (ZDNet)
- Spectre and Meltdown: Cheat sheet (TechRepublic)
- First Intel, now AMD also faces multiple class-action suits over Spectre attacks (ZDNet)
- AMD CPU vulnerabilities published by unknown security firm after 24 hours notice (TechRepublic)