Since the public revelation of the Meltdown and Spectre CPU vulnerabilities early this year, Intel has spent virtually the entire time in a reactive mode, starting from the moment the vulnerabilities were revealed ahead of schedule. Since then the company has been making progress, albeit not without some significant steps backwards such as faulty microcode updates. However in recent weeks the company finally seems to be turning a corner on its most pressing issues, and this morning it is releasing a more forward-looking update on its security plans.

Jumping straight to what AnandTech readers will consider the biggest news, Intel is finally talking a bit about future hardware. Intel is announcing that they have developed hardware fixes for both the Meltdown and Spectre v2 vulnerabilities, which in turn will be implemented into future processors. Both the next version of Intel’s Xeon server/HEDT platform – Cascade Lake – as well as new 8th gen Core processors set to ship in the second half of this year will include the mitigations.

For those not up to date with their Intel codenames, Cascade Lake is the 14nm refresh of Intel’s current Skylake-E/X family. Little official information is available about Cascade Lake, but importantly for datacenter vendors, this lays out a clear timetable for when they can expect to have access to Meltdown- and Spectre-hardened silicon for use in new virtual machine servers. Given that virtual machine hosts were among those at the greatest risk here – and more impacted by the performance regressions of the software Meltdown mitigations – this is understandably the most crucial market for Intel to address.

Meanwhile the picture for Intel’s consumer chips is a bit more nebulous. While Intel hasn’t shared the complete text of their announcement with us ahead of press time, their specific wording is that the changes will be included in 8th gen Core processors “expected to ship in the second half of 2018.” Intel hasn’t said what processor family these are (e.g. Cannon Lake?), or for that matter whether these are even going to be traditional consumer chips or just the Core HEDT releases of Cascade Lake. So there is a lot of uncertainty here over just what this will entail. In the interim we have reached out to Intel about how consumers will be able to identify post-mitigation chips, and while we’re still waiting on a more complete response, Intel has told us that they want to be transparent about the matter.

As for the hardware changes themselves, it’s important to note that Intel’s changes only mitigate Meltdown (what Intel calls “variant 3”) and Spectre variant 2. In both cases the company has mitigated the vulnerabilities through a new partitioning system that improves both process and privilege-level separation, going with a “protective walls” analogy.

Intel's Meltdown & Spectre Hardware Mitigations Plans (2018)

Exploit                                       Mitigation
Meltdown                                      Hardware
Spectre variant 1 (bounds check bypass)       Software
Spectre variant 2 (branch target injection)   Hardware

Unfortunately these hardware changes won’t mitigate Spectre variant 1. And admittedly, I haven’t been expecting Intel (or anyone else) to figure that one out in 2018. The best mitigations for Spectre v1 will remain developer-focused software techniques that avoid putting sensitive data at risk.

The catch is that the more worrying risk with Spectre has always been the v1 variant, as the attack works against rather fundamental principles of speculative out-of-order execution. This is why the initial research on the vulnerability class noted that the researchers weren’t sure they completely understood the full depth of the issue at the time, and indeed the industry as a whole still seems to be working to fully understand the matter. The one silver lining here is that Spectre v1 can only be used against same-level processes and not admin-level processes. Which is to say that it can still be used for plenty of naughtiness with user data in other user-level applications, but can’t reach into more secure processes.
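To make concrete what "developer-focused software techniques" for Spectre v1 look like in practice, here is an added example written for this edit (it is not code from Intel or from the article): a bounds-checked table lookup in the pattern the bounds-check-bypass class targets, beside a hardened version that clamps the index with a branchless mask in the style of the Linux kernel's array_index_nospec() helper. The inline-asm barrier assumes GCC or Clang; the table contents, probe values and function names are constructed for illustration. Nothing here measures timing or leaks anything; it only shows the mitigation pattern a developer applies at the load.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (not from the article): a small lookup table.
 * Whatever happens to sit after it in memory is what a bounds-check-bypass
 * gadget would let a transient, mispredicted load touch. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Spectre v1 pattern: the only thing between an untrusted index and the
 * load is a branch. Architecturally the check is correct, but a
 * transiently executed load can use an out-of-range idx before the
 * compare retires. */
uint8_t lookup_branch_only(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless index mask, hand-written in the style of the Linux kernel's
 * array_index_mask_nospec(): returns SIZE_MAX when idx < size and 0
 * otherwise, using arithmetic only, so there is no branch to mispredict.
 * Requires size > 0 and both values below 2^(bits-1), true of any real
 * array. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* Stop the optimizer from folding the mask back into a branch
     * (GCC/Clang inline-asm barrier; assumption: one of those compilers). */
    __asm__ __volatile__("" : "+r"(idx));
    /* (size - 1 - idx) wraps to a huge value exactly when idx >= size, so
     * the top bit of the OR is 1 iff idx is out of range. */
    size_t out_of_range = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return out_of_range - 1;   /* 1 -> 0, 0 -> SIZE_MAX (unsigned wrap) */
}

/* Hardened lookup: the architectural check is unchanged; the index that
 * reaches the load is clamped on every path, speculative ones included.
 * If the branch is mispredicted for an out-of-range idx, the mask is 0
 * and the transient load hits table[0] instead of something sensitive. */
uint8_t lookup_nospec(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    size_t mask = index_mask_nospec(idx, TABLE_LEN);
    return table[idx & mask];
}

int main(void)
{
    /* Constructed probe indices: in range, boundary, and far out of range. */
    size_t probes[] = { 0, 15, 16, 1000, SIZE_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu mask=0x%zx lookup=%u\n",
               probes[i], index_mask_nospec(probes[i], TABLE_LEN),
               (unsigned)lookup_nospec(probes[i]));
    }
    return 0;
}
```

The mask does not replace the bounds check; it sits behind it so the value fed to the load is safe even when the branch predictor guesses wrong. A speculation barrier (lfence on x86) after the check is the other common option, at a higher cost per access.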

Moving on, for Intel’s current processors the company has updated their guidance for releasing the mitigation microcode updates. As of last week, the company has released production microcode updates for all of their products released in the last 5 years. In fact on the Core architecture side it goes even farther than that; Intel has now released microcode updates for all 2nd gen Core (Sandy Bridge) and newer processors, including their Xeon and HEDT variants. There are some outstanding questions here on how these updates will be delivered, as it seems unlikely that manufacturers will release BIOS updates for motherboards going back quite that far, but judging from how Intel and Microsoft have cooperated thus far, I’d expect to see these microcode updates also released to Windows Update in some fashion.

Finally, Intel will also be going even further back with their microcode updates. Their latest schedule calls for processors as old as the Core 2 lineup to get updates, including the 1st gen Core processors (Nehalem/Gulftown/Westmere/Lynnfield/Clarksfield/Bloomfield/Arrandale/Clarkdale) and the 45nm Core 2 processors (Penryn/Yorkfield/Wolfdale/Harpertown). This would cover most Intel processors going back to late 2007 or so. It’s worth noting that the 65nm Core 2 processors (Conroe, etc.) are not on this list, but then the later Core 2 processors weren’t on the list either at one point.

Intel's Core Architecture Meltdown & Spectre v2 Mitigations

Microarchitecture             Core Generation   Status
Penryn                        45nm Core 2       Microcode Planning
Nehalem/Westmere              1st               Planning/Pre-Beta
Sandy Bridge                  2nd               Microcode Released
Ivy Bridge                    3rd               Microcode Released
Haswell                       4th               Microcode Released
Broadwell                     5th               Microcode Released
Skylake                       6th               Microcode Released
Kaby Lake                     7th               Microcode Released
Coffee Lake                   8th               Microcode Released
H2'2018 Core (Cannon Lake?)   8th               Hardware Immune
Cascade Lake                  X                 Hardware Immune

Update: Intel has also released a video to go with their announcement, in case you like your information in a visual form.

Source: Intel


  • bill44 - Thursday, March 15, 2018

    I take it the upcoming Intel Core i7-8809G will NOT have hardware mitigation :(
  • edzieba - Thursday, March 15, 2018

    It contains a Kaby Lake die, so no.
  • HStewart - Thursday, March 15, 2018

    8809G should have microcode fixes - I am curious what the difference is between microcode changes - which is an update for pretty much all Intel CPUs - and hardware mitigation.

    My only guess is it is likely in performance - that newer CPUs will be faster than older generations.

    One big concern about all the Meltdown/Spectre stuff is: where are the actual viruses / hacks? I heard all the complaints - but where are the real issues - and what does it take to affect an application? Does someone have to run an executable on the client's machine? And let's say you have code to get someone's password by using the techniques - how does it get back to someone else? Now if this can be proven to cause a problem in a firewall - then it could be a big issue.
  • Silma - Thursday, March 15, 2018

    Your article is not clear.
    If Intel implements M&S v2 mitigations in hardware, then it should appear in the table as 'hardware-based', not 'hardware immune'.
    Hardware immune would mean no mitigation but 100% security against the threats.
  • HStewart - Thursday, March 15, 2018

    I think the best thing to do is implement IO protection - so if someone attempts to cross boundaries in address space they would get an exception - who cares if an application attempting invalid things slows down because of the exception or crashes. I would expect this to be handled if the application is user level - the real problem is if this is OS level or possibly some driver level.

    On 'hardware immune': no vendor (Intel, AMD or ARM) can ever claim that they are 100% immune to attacks - possibly they can say that for known attacks - but as we can see with Meltdown/Spectre, people can go to quite creative and technical extremes to prove a point.

    But my big question is: has there been any real case of malware / viruses based on Meltdown/Spectre? So far I have heard nothing except for proofs of concept.
  • Ryan Smith - Thursday, March 15, 2018

    A reasonable point.

    The primary purpose of the table was to note that those processors wouldn't require software fixes for those two exploits.
  • vailr - Thursday, March 15, 2018

    A UEFI BIOS update program may be useful for someone wanting to install updated CPU microcode on motherboards for which "official" UEFI BIOS firmware updates are not yet available:
    http://www.majorgeeks.com/files/details/uefi_bios_...
    The program is authored and maintained on a Russian web site, but has been translated to English.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, March 15, 2018

    Ooh, Russian firmware sounds totally legit!

    Or I could go the Bullwinkle Route and lock down Windows 10 as a read-only operating system, block ALL untrusted software from Internet connectivity, make every application portable using ThinApp or a similar product, and NEVER run scripts of any type.

    If it worked for Windows XP, then it will work for Windows 7 / 8 & 10 without going to the very limited and locked down Windows 10 S mode!

    That way you could do all the speculative execution you wanted without any performance penalty.

    There are programs available that can turn Windows 10 into a read-only system while allowing disk writes and changes where you actually need them, without ever getting persistent malware "IF you know what you are doing".

    Big "IF".
  • Zingam - Saturday, March 17, 2018

    Or you can use the other 99% of the firmware which is Chinese.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Saturday, March 17, 2018

    Zing!
