Tag Archives: CPU Bug

The Intel Spectre Reboot Issue – Everything You Need To Know! Rev. 3.0

The efforts to mitigate the threat of the Meltdown and Spectre exploits is officially WORSE than the threat itself. Many Intel systems are randomly and spontaneously rebooting after installing Intel Spectre 2 patches. No shit. Here is our continuing coverage of the Intel Spectre Reboot Issue!

 

Article Update History

Click here for the Article Update History

Updated @ 2018-03-06 : Added the latest updates on the issue, as well as the new Intel Spectre 2 microcode revision guidance slides.

Updated @ 2018-02-22 : Added the latest updates on the issue, as well as the new Intel Spectre 2 microcode revision guidance slides.

Updated @ 2018-02-14 : Added the latest updates on the issue, as well as the new Intel Spectre 2 microcode revision guidance slides.

Updated @ 2018-02-10 : Added a new section on the Intel Spectre 2 Microcode Update Schedule, and updated various parts of the article. Removed 80 Intel processors that have just been confirmed not to be affected by the buggy microcode updates.

Updated @ 2018-01-26 : Added the Intel Coffee Lake, Intel Xeon Scalable and Intel Xeon W family of processors to the list of affected CPUs. Added the updated Intel Spectre 2 Microcode Update Guidance.

Updated @ 2018-01-23 : Added a new section on the root cause of the spontaneous reboot issue, and updated guidance on what you should do about this problem. Also added the Intel microcode revision lists. Removed 129 workstation / server CPUs, 105 desktop CPUs and 143 mobile CPUs.

Updated @ 2018-01-18 : Added the latest development on the Intel spontaneous reboot issues, including a greatly-expanded list of affected Intel CPUs.

Updated @ 2018-01-16 : Added the full list of Intel CPUs with reboot issues

Originally posted @ 2018-01-13

 

Spontaneous Reboots With Spectre 2 Patches Updated!

On 11 January 2018, the WSJ reported that Intel was quietly asking their cloud computing customers to hold off installing Meltdown and Spectre patches because “the patches have bugs of their own“. Specifically, there were three bugs in the microcode patches they released.

In a blog post posted on the same day, Intel Executive Vice President and General Manager of the Intel Data Center Group, Navin Shenoy confirmed that Intel received reports of “higher system reboots” after applying those updates.

Basically, these systems would randomly and spontaneously reboot after installing those patches. Not something you want your computer to do, never mind servers that cater to tens or hundreds of thousands of users.

He initially confirmed that the affected systems were running Intel Broadwell and Intel Haswell CPUs, and that the issues affected both client (desktop, mobile, workstation) PCs, as well as data center servers.

But in an update a week later, Navin revealed that the newer Kaby Lake and Skylake CPUs, as well as older Sandy Bridge and Ivy Bridge processors, were also experiencing spontaneous reboot issues after updating their firmware.

Although not explicitly mentioned, the latest Intel Coffee Lake CPUs are also affected by spontaneous reboots. Hidden in their microcode revision guidance was a reference to the Coffee Lake-S processors.

In their 24 January 2018 microcode revision guidance, they further added the Intel Xeon Scalable and Intel Xeon W processor families to the list of affected CPUs.

But there’s good news – on 8 February 2018, Intel confirmed that 80 CPU models previously marked as affected have been certified to be free from the buggy microcode updates.

On 12 February 2018, Intel released beta microcode updates for some of their Coffee LakeBroadwell and Haswell processors, and pre-beta updates for their Arrandale, Clarkdale and Gulftown processors.

On 20 February 2018, Intel released production microcode updates for their Coffee Lake, Kaby Lake and Skylake processors, with new beta microcode updates for their Haswell, Ivy Bridge and Sandy Bridge processors.

On 26 February 2018, Intel released production microcode updates for the remaining Broadwell and Haswell processors, except for their Broadwell EX and Haswell EX (server) processors.

On 1 March 2018, Intel released new beta microcode updates for their Arrandale, ClarkdaleGulftown, Nehalem EP, Nehalem WS, Westmere EP, Westmere WS and Ivy Bridge EX (server) processors. They also started releasing pre-beta updates for their Lynnfield and Westmere EX processors. With the release of the Skylake Xeon E3 production update, the entire Intel Skylake family is fully patched.

Intel is not the first to be beset by problems in the rush to patch Meltdown and Spectre. Microsoft recently admitted that some Windows 10 updates were bricking some AMD PCs.

 

The Root Cause – Intel Spectre 2 Patches

On 22 January 2018, Navin Shenoy announced that Intel :

  • has identified the root cause for Broadwell and Haswell platforms, and
  • is making good progress in developing a solution to address that root cause.

They revealed that the spontaneous reboot issues seen with the affected Intel CPUs were caused by Spectre 2 mitigations in those microcode updates.

Notably, Intel only confirmed that Spectre 2 mitigations were the root cause in those two platforms. They have not confirmed Spectre 2 mitigations as the cause in the Coffee LakeKaby Lake, Skylake, Ivy Bridge and Sandy Bridge platforms that are also affected.

In fact, Intel shared that “The progress we have made in identifying a root cause for Haswell and Broadwell will help us address issues on other platforms. Please be assured we are working quickly to address these issues.

 

What CPUs Are Affected By The Buggy Intel Spectre 2 Patches?

All of the systems suffering from spontaneous reboot issues were running on HaswellBroadwellSkylake, Kaby Lake and the latest Coffee Lake CPUs. Workstation and server CPUs based on Ivy Bridge and Sandy Bridge were also affected, but thankfully not their desktop brethren.

On 8 February 2018, Intel revealed that some of the microcode updates that they suspected were buggy, were actually not buggy. They include :

  • The Intel Skylake H/S/U/Y Desktop Processors
  • The Intel Xeon E3-1200 v5 Processor Family (Skylake)

We prepared the full list of CPUs affected by the buggy Intel Spectre 2 patches, but it is a VERY LONG LIST with 801 CPUs, so we split them into three sections.

As you can see, many more server and workstation CPUs are affected than desktop and mobile CPUs combined. That’s because Intel prioritised the patching of their server and workstation CPUs, over desktop and mobile CPUs.

 

What Is Being Done About The Buggy Intel Spectre 2 Patches?

When he first posted on the spontaneous reboot issue, Navin said that Intel was working to “understand, diagnose and address this reboot issue“.

In his latest update, he shared that Intel had already issued an early version of the new microcode updates to their partners for tests, and will release them “once that testing has been completed“.

These new microcode updates basically have Spectre 2 mitigations removed. This will restore stability to the affected Intel CPUs, while Intel fixes the problems in those mitigations.

 

The Intel Spectre Microcode Update Schedule Updated!

On 7 February 2018, Navin Shenoy announced that Intel has released “production microcode updates for several Skylake-based platforms” to their OEM customers and industry partners, with more platform updates “in coming days“.

The schedule was updated on 12, 20, 26 February and 1 March with more details, including production (final), pre-beta and beta versions of the new Intel Spectre microcode updates.

 

What Should YOU Do?

While Intel initially advised end-users to “apply updates” from system and operating system providers, they have now changed their guidance, as of 22 January 2018 :

  • We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior.
  • We also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release. We expect to share more details on timing later this week.
  • For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).

Please note that there has been no actual recorded threat or attack using the Meltdown or Spectre exploits. The damage, or risk of damage, every time your system or server spontaneously reboot is FAR WORSE than the (currently) non-existent threat of a Meltdown or Spectre exploit.

Therefore, we recommend that you DO NOT apply any microcode update for your Intel system, if you are using any Intel processor manufactured since 2011.

If you have already applied the latest Intel Spectre microcode update, and are affected by spontaneous reboots; you should upgrade to the new firmware (if they are available), or revert to the older firmware.

 

Meltdown + Spectre Reading Suggestions

[adrotate group=”2″]

Next Page > Server / Workstation CPUs With Buggy Intel Spectre Patches

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Server / Workstation CPUs With Buggy Intel Spectre Patches

Intel Skylake-W (2017)

  • Intel Xeon W-2195
  • Intel Xeon W-2175
  • Intel Xeon W-2155
  • Intel Xeon W-2150B
  • Intel Xeon W-2145
  • Intel Xeon W-2140B
  • Intel Xeon W-2135
  • Intel Xeon W-2133
  • Intel Xeon W-2125
  • Intel Xeon W-2123
  • Intel Xeon W-2104
  • Intel Xeon W-2102

Intel Skylake-SP (2017)

  • Intel Xeon Platinum 8180
  • Intel Xeon Platinum 8180M
  • Intel Xeon Platinum 8176
  • Intel Xeon Platinum 8176F
  • Intel Xeon Platinum 8176M
  • Intel Xeon Platinum 8173M
  • Intel Xeon Platinum 8170
  • Intel Xeon Platinum 8170M
  • Intel Xeon Platinum 8168
  • Intel Xeon Platinum 8167M
  • Intel Xeon Platinum 8164
  • Intel Xeon Platinum 8163
  • Intel Xeon Platinum 8160
  • Intel Xeon Platinum 8160F
  • Intel Xeon Platinum 8160M
  • Intel Xeon Platinum 8160T
  • Intel Xeon Platinum 8158
  • Intel Xeon Platinum 8156
  • Intel Xeon Platinum 8153
  • Intel Xeon Gold 6161
  • Intel Xeon Gold 6154
  • Intel Xeon Gold 6152
  • Intel Xeon Gold 6150
  • Intel Xeon Gold 6149
  • Intel Xeon Gold 6148
  • Intel Xeon Gold 6148F
  • Intel Xeon Gold 6146
  • Intel Xeon Gold 6145
  • Intel Xeon Gold 6144
  • Intel Xeon Gold 6142
  • Intel Xeon Gold 6142F
  • Intel Xeon Gold 6142M
  • Intel Xeon Gold 6140
  • Intel Xeon Gold 6140M
  • Intel Xeon Gold 6138
  • Intel Xeon Gold 6138F
  • Intel Xeon Gold 6138T
  • Intel Xeon Gold 6136
  • Intel Xeon Gold 6134
  • Intel Xeon Gold 6134M
  • Intel Xeon Gold 6132
  • Intel Xeon Gold 6130
  • Intel Xeon Gold 6130F
  • Intel Xeon Gold 6130T
  • Intel Xeon Gold 6128
  • Intel Xeon Gold 6126
  • Intel Xeon Gold 6126F
  • Intel Xeon Gold 6126T
  • Intel Xeon Gold 6122
  • Intel Xeon Gold 6120
  • Intel Xeon Gold 6120T
  • Intel Xeon Gold 6119T
  • Intel Xeon Gold 6118
  • Intel Xeon Gold 6117
  • Intel Xeon Gold 6117F
  • Intel Xeon Gold 6115
  • Intel Xeon Silver 4116
  • Intel Xeon Silver 4116T
  • Intel Xeon Silver 4114
  • Intel Xeon Silver 4114T
  • Intel Xeon Silver 4112
  • Intel Xeon Silver 4110
  • Intel Xeon Silver 4109T
  • Intel Xeon Silver 4108
  • Intel Xeon Bronze 3106
  • Intel Xeon Bronze 3104

Intel Kaby Lake-DT (2017)

  • Intel Xeon E3-1285 v6
  • Intel Xeon E3-1280 v6
  • Intel Xeon E3-1275 v6
  • Intel Xeon E3-1270 v6
  • Intel Xeon E3-1245 v6
  • Intel Xeon E3-1240 v6
  • Intel Xeon E3-1230 v6
  • Intel Xeon E3-1225 v6
  • Intel Xeon E3-1220 v6

Intel Kaby Lake-H (2017)

  • Intel Xeon E3-1535M
  • Intel Xeon E3-1505M
  • Intel Xeon E3-1505L
  • Intel Xeon E3-1501L
  • Intel Xeon E3-1501M

Intel Skylake-H (2016)

  • Intel Xeon E3-1585 v5
  • Intel Xeon E3-1585L v5
  • Intel Xeon E3-1578L v5
  • Intel Xeon E3-1575M v5
  • Intel Xeon E3-1565L v5
  • Intel Xeon E3-1558L v5
  • Intel Xeon E3-1545M v5
  • Intel Xeon E3-1535M v5
  • Intel Xeon E3-1515M v5
  • Intel Xeon E3-1505M v5
  • Intel Xeon E3-1505L v5

Intel Broadwell-EX (2016)

  • Intel E7-8894 v4
  • Intel E7-8893 v4
  • Intel E7-8891 v4
  • Intel E7-8890 v4
  • Intel E7-8880 v4
  • Intel E7-8870 v4
  • Intel E7-8867 v4
  • Intel E7-8860 v4
  • Intel E7-8855 v4
  • Intel E7-4850 v4
  • Intel E7-4830 v4
  • Intel E7-4820 v4
  • Intel E7-4809 v4

Intel Broadwell-EP (2016)

  • Intel Xeon E5-4669 v4
  • Intel Xeon E5-4667 v4
  • Intel Xeon E5-4660 v4
  • Intel Xeon E5-4650 v4
  • Intel Xeon E5-4640 v4
  • Intel Xeon E5-4628L v4
  • Intel Xeon E5-4627 v4
  • Intel Xeon E5-4620 v4
  • Intel Xeon E5-4610 v4
  • Intel Xeon E5-2699 v4
  • Intel Xeon E5-2699A v4
  • Intel Xeon E5-2699C v4
  • Intel Xeon E5-2699P v4
  • Intel Xeon E5-2699R v4
  • Intel Xeon E5-2698 v4
  • Intel Xeon E5-2697 v4
  • Intel Xeon E5-2697A v4
  • Intel Xeon E5-2696 v4
  • Intel Xeon E5-2695 v4
  • Intel Xeon E5-2690 v4
  • Intel Xeon E5-2689 v4
  • Intel Xeon E5-2689A v4
  • Intel Xeon E5-2687W v4
  • Intel Xeon E5-2686 v4
  • Intel Xeon E5-2683 v4
  • Intel Xeon E5-2682 v4
  • Intel Xeon E5-2680 v4
  • Intel Xeon E5-2679 v4
  • Intel Xeon E5-2676 v4
  • Intel Xeon E5-2676 v4
  • Intel Xeon AWS-1100 v4
  • Intel Xeon E5-2667 v4
  • Intel Xeon E5-2666 v4
  • Intel Xeon E5-2660 v4
  • Intel Xeon E5-2658 v4
  • Intel Xeon E5-2650 v4
  • Intel Xeon E5-2650L v4
  • Intel Xeon E5-2648L v4
  • Intel Xeon E5-2643 v4
  • Intel Xeon E5-2640 v4
  • Intel Xeon E5-2637 v4
  • Intel Xeon E5-2630 v4
  • Intel Xeon E5-2630L v4
  • Intel Xeon E5-2628L v4
  • Intel Xeon E5-2623 v4
  • Intel Xeon E5-2620 v4
  • Intel Xeon E5-2618L v4
  • Intel Xeon E5-2609 v4
  • Intel Xeon E5-2608L v4
  • Intel Xeon E5-2607 v4
  • Intel Xeon E5-2603 v4
  • Intel Xeon E5-1680 v4
  • Intel Xeon E5-1660 v4
  • Intel Xeon E5-1650 v4
  • Intel Xeon E5-1630 v4
  • Intel Xeon E5-1620 v4
  • Intel Xeon E5-1607 v4
  • Intel Xeon E5-1603 v4

Intel Skylake-DT (2015)

  • Intel Xeon E5-1280 v5
  • Intel Xeon E5-1275 v5
  • Intel Xeon E5-1270 v5
  • Intel Xeon E5-1268L v5
  • Intel Xeon E5-1260L v5
  • Intel Xeon E5-1245 v5
  • Intel Xeon E5-1240 v5
  • Intel Xeon E5-1240L v5
  • Intel Xeon E5-1235L v5
  • Intel Xeon E5-1230 v5
  • Intel Xeon E5-1225 v5
  • Intel Xeon E5-1220 v5

Intel Broadwell-H (2015)

  • Intel Xeon E3-1285 v4
  • Intel Xeon E3-1285L v4
  • Intel Xeon E3-1284L v4
  • Intel Xeon E3-1278L v4
  • Intel Xeon E3-1270L v4
  • Intel Xeon E3-1265L v4
  • Intel Xeon E3-1258L v4

Intel Haswell-EX (2015)

  • Intel Xeon E7-8895 v3
  • Intel Xeon E7-8893 v3
  • Intel Xeon E7-8891 v3
  • Intel Xeon E7-8890 v3
  • Intel Xeon E7-8880 v3
  • Intel Xeon E7-8880L v3
  • Intel Xeon E7-8870 v3
  • Intel Xeon E7-8867 v3
  • Intel Xeon E7-8860 v3
  • Intel Xeon E7-4850 v3
  • Intel Xeon E7-4830 v3
  • Intel Xeon E7-4820 v3
  • Intel Xeon E7-4809 v3
[adrotate group=”1″]

Intel Haswell-EN (2015)

  • Intel Xeon E5-2438L v3
  • Intel Xeon E5-2428L v3
  • Intel Xeon E5-2418L v3
  • Intel Xeon E5-2408L v3
  • Intel Xeon E5-1428L v3

Intel Haswell-EP (2014)

  • Intel Xeon E5-4669 v3
  • Intel Xeon E5-4667 v3
  • Intel Xeon E5-4660 v3
  • Intel Xeon E5-4655 v3
  • Intel Xeon E5-4650 v3
  • Intel Xeon E5-4648 v3
  • Intel Xeon E5-4640 v3
  • Intel Xeon E5-4627 v3
  • Intel Xeon E5-4620 v3
  • Intel Xeon E5-4610 v3
  • Intel Xeon E5-2699 v3
  • Intel Xeon E5-2698 v3
  • Intel Xeon E5-2698A v3
  • Intel Xeon E5-2698B v3
  • Intel Xeon E5-2697 v3
  • Intel Xeon E5-2696 v3
  • Intel Xeon E5-2695 v3
  • Intel Xeon E5-2693 v3
  • Intel Xeon E5-2692 v3
  • Intel Xeon E5-2695 v3
  • Intel Xeon E5-2690 v3
  • Intel Xeon E5-2687W v3
  • Intel Xeon E5-2685 v3
  • Intel Xeon E5-2683 v3
  • Intel Xeon E5-2680 v3
  • Intel Xeon E5-2678 v3
  • Intel Xeon E5-2676 v3
  • Intel Xeon E5-2675 v3
  • Intel Xeon E5-2673 v3
  • Intel Xeon E5-2670 v3
  • Intel Xeon E5-2669 v3
  • Intel Xeon E5-2667 v3
  • Intel Xeon E5-2666 v3
  • Intel Xeon E5-2663 v3
  • Intel Xeon E5-2660 v3
  • Intel Xeon E5-2658 v3
  • Intel Xeon E5-2658A v3
  • Intel Xeon E5-2652 v3
  • Intel Xeon E5-2650 v3
  • Intel Xeon E5-2650L v3
  • Intel Xeon E5-2649 v3
  • Intel Xeon E5-2643 v3
  • Intel Xeon E5-2640 v3
  • Intel Xeon E5-2648L v3
  • Intel Xeon E5-2637 v3
  • Intel Xeon E5-2630 v3
  • Intel Xeon E5-2630L v3
  • Intel Xeon E5-2629 v3
  • Intel Xeon E5-2628 v3
  • Intel Xeon E5-2628L v3
  • Intel Xeon E5-2623 v3
  • Intel Xeon E5-2622 v3
  • Intel Xeon E5-2620 v3
  • Intel Xeon E5-2618L v3
  • Intel Xeon E5-2609 v3
  • Intel Xeon E5-2608L v3
  • Intel Xeon E5-2603 v3
  • Intel Xeon E5-1691 v3
  • Intel Xeon E5-1686 v3
  • Intel Xeon E5-1681 v3
  • Intel Xeon E5-1680 v3
  • Intel Xeon E5-1660 v3
  • Intel Xeon E5-1650 v3
  • Intel Xeon E5-1630 v3
  • Intel Xeon E5-1620 v3
  • Intel Xeon E5-1607 v3
  • Intel Xeon E5-1603 v3

Intel Ivy Bridge-EN (2014)

  • Intel Xeon E5-2470 v2
  • Intel Xeon E5-2450 v2
  • Intel Xeon E5-2450L v2
  • Intel Xeon E5-2448L v2
  • Intel Xeon E5-2440 v2
  • Intel Xeon E5-2430 v2
  • Intel Xeon E5-2430L v2
  • Intel Xeon E5-2428L v2
  • Intel Xeon E5-2420 v2
  • Intel Xeon E5-2418L v2
  • Intel Xeon E5-2407 v2
  • Intel Xeon E5-2403 v2
  • Intel Xeon E5-1428L v2
  • Intel Xeon E5-1410 v2

Intel Haswell-WS (2013)

  • Intel Xeon E3-1286 v3
  • Intel Xeon E3-1286L v3
  • Intel Xeon E3-1285 v3
  • Intel Xeon E3-1285L v3
  • Intel Xeon E3-1284L v3
  • Intel Xeon E3-1281 v3
  • Intel Xeon E3-1280 v3
  • Intel Xeon E3-1276 v3
  • Intel Xeon E3-1275 v3
  • Intel Xeon E3-1275L v3
  • Intel Xeon E3-1271 v3
  • Intel Xeon E3-1270 v3
  • Intel Xeon E3-1268L v3
  • Intel Xeon E3-1265L v3
  • Intel Xeon E3-1246 v3
  • Intel Xeon E3-1245 v3
  • Intel Xeon E3-1241 v3
  • Intel Xeon E3-1240 v3
  • Intel Xeon E3-1240L v3
  • Intel Xeon E3-1230L v3
  • Intel Xeon E3-1231 v3
  • Intel Xeon E3-1230 v3
  • Intel Xeon E3-1226 v3
  • Intel Xeon E3-1225 v3
  • Intel Xeon E3-1220 v3
  • Intel Xeon E3-1220L v3

Intel Ivy Bridge-EP (2013)

  • Intel Xeon E5-4657L v2
  • Intel Xeon E5-4650 v2
  • Intel Xeon E5-4640 v2
  • Intel Xeon E5-4627 v2
  • Intel Xeon E5-4624L v2
  • Intel Xeon E5-4620 v2
  • Intel Xeon E5-4610 v2
  • Intel Xeon E5-4607 v2
  • Intel Xeon E5-4603 v2
  • Intel Xeon E5-2697 v2
  • Intel Xeon E5-2696 v2
  • Intel Xeon E5-2695 v2
  • Intel Xeon E5-2692 v2
  • Intel Xeon E5-2690 v2
  • Intel Xeon E5-2687W v2
  • Intel Xeon E5-2680 v2
  • Intel Xeon E5-2673 v2
  • Intel Xeon E5-2670 v2
  • Intel Xeon E5-2667 v2
  • Intel Xeon E5-2660 v2
  • Intel Xeon E5-2658 v2
  • Intel Xeon E5-2651 v2
  • Intel Xeon E5-2650 v2
  • Intel Xeon E5-2650L v2
  • Intel Xeon E5-2648L v2
  • Intel Xeon E5-2643 v2
  • Intel Xeon E5-2640 v2
  • Intel Xeon E5-2637 v2
  • Intel Xeon E5-2630 v2
  • Intel Xeon E5-2630L v2
  • Intel Xeon E5-2628L v2
  • Intel Xeon E5-2620 v2
  • Intel Xeon E5-2618L v2
  • Intel Xeon E5-2609 v2
  • Intel Xeon E5-2603 v2
  • Intel Xeon E5-1680 v2
  • Intel Xeon E5-1660 v2
  • Intel Xeon E5-1650 v2
  • Intel Xeon E5-1620 v2
  • Intel Xeon E5-1607 v2
[adrotate group=”1″]

Next Page > Desktop CPUs With Buggy Intel Spectre Patches

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Desktop CPUs With Buggy Intel Spectre Patches

Intel Coffee Lake-S (2017)

  • Intel Core i7-8700K
  • Intel Core i7-8700
  • Intel Core i5-8600K
  • Intel Core i5-8400
  • Intel Core i3-8350K
  • Intel Core i3-8100

Intel Kaby Lake-X (2017)

  • Intel Core i7-7740X
  • Intel Core i5-7640X

Intel Kaby Lake-S (2017)

  • Intel Core i7-7700K
  • Intel Core i7-7700
  • Intel Core i7-7700T
  • Intel Core i5-7600K
  • Intel Core i5-7600
  • Intel Core i5-7600T
  • Intel Core i5-7500
  • Intel Core i5-7500T
  • Intel Core i5-7400
  • Intel Core i5-7400T
  • Intel Core i3-7350K
  • Intel Core i3-7320
  • Intel Core i3-7300
  • Intel Core i3-7300T
  • Intel Core i3-7101T
  • Intel Core i3-7101TE
  • Intel Core i3-7100
  • Intel Core i3-7100T
  • Intel Pentium G4620
  • Intel Pentium G4600
  • Intel Pentium G4600T
  • Intel Pentium G4560
  • Intel Pentium G4560T
  • Intel Celeron G3950
  • Intel Celeron G3930
  • Intel Celeron G3930T
  • Intel Celeron G3930E
  • Intel Celeron G3930TE

Intel Skylake-X (2017)

  • Intel Core i9-7980XE
  • Intel Core i9-7960X
  • Intel Core i9-7940X
  • Intel Core i9-7920X
  • Intel Core i9-7900X
  • Intel Core i7-7820X
  • Intel Core i7-7800X

Intel Broadwell-E (2016)

  • Intel Core i7-6950X
  • Intel Core i7-6900K
  • Intel Core i7-6850X
  • Intel Core i7-6800X
[adrotate group=”1″]

Intel Broadwell-H (2015)

  • Intel Core i7-5775C
  • Intel Core i7-5775R
  • Intel Core i5-5675R
  • Intel Core i5-5675C
  • Intel Core i5-5575R

Intel Haswell-E (2014)

  • Intel Core i7-5960X
  • Intel Core i7-5930K
  • Intel Core i7-5820K

Intel Haswell-H (2013)

  • Intel Core i7-4770R
  • Intel Core i5-4670R
  • Intel Core i5-4570R

Intel Haswell-DT (2013)

  • Intel Core i7-4790K
  • Intel Core i7-4790
  • Intel Core i7-4790S
  • Intel Core i7-4790T
  • Intel Core i7-4785T
  • Intel Core i7-4771
  • Intel Core i7-4770K
  • Intel Core i7-4770
  • Intel Core i7-4770S
  • Intel Core i7-4770T
  • Intel Core i7-4770TE
  • Intel Core i7-4765T
  • Intel Core i5-4690K
  • Intel Core i5-4690
  • Intel Core i5-4690S
  • Intel Core i5-4690T
  • Intel Core i5-4670K
  • Intel Core i5-4670
  • Intel Core i5-4670S
  • Intel Core i5-4670T
  • Intel Core i5-4590
  • Intel Core i5-4590S
  • Intel Core i5-4590T
  • Intel Core i5-4570
  • Intel Core i5-4570S
  • Intel Core i5-4570T
  • Intel Core i5-4570TE
  • Intel Core i5-4460
  • Intel Core i5-4460S
  • Intel Core i5-4460T
  • Intel Core i5-4440
  • Intel Core i5-4440S
  • Intel Core i5-4430
  • Intel Core i5-4430S
  • Intel Core i3-4370
  • Intel Core i3-4370T
  • Intel Core i3-4360
  • Intel Core i3-4360T
  • Intel Core i3-4350
  • Intel Core i3-4350T
  • Intel Core i3-4340
  • Intel Core i3-4340TE
  • Intel Core i3-4330
  • Intel Core i3-4330T
  • Intel Core i3-4330TE
  • Intel Core i3-4170
  • Intel Core i3-4170T
  • Intel Core i3-4160
  • Intel Core i3-4160T
  • Intel Core i3-4150
  • Intel Core i3-4150T
  • Intel Core i3-4130
  • Intel Core i3-4130T
  • Intel Pentium G3470
  • Intel Pentium G3460
  • Intel Pentium G3460T
  • Intel Pentium G3450
  • Intel Pentium G3450T
  • Intel Pentium G3440
  • Intel Pentium G3440T
  • Intel Pentium G3430
  • Intel Pentium G3420
  • Intel Pentium G3420T
  • Intel Pentium G3320TE
  • Intel Pentium G3260
  • Intel Pentium G3260T
  • Intel Pentium G3258
  • Intel Pentium G3250
  • Intel Pentium G3250T
  • Intel Pentium G3240
  • Intel Pentium G3240T
  • Intel Pentium G3220
  • Intel Pentium G3220T
  • Intel Celeron G1850
  • Intel Celeron G1840
  • Intel Celeron G1840T
  • Intel Celeron G1830
  • Intel Celeron G1820
  • Intel Celeron G1820T
  • Intel Celeron G1820TE
[adrotate group=”1″]

Next Page > Mobile CPUs With Buggy Intel Spectre Patches

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Mobile CPUs With Buggy Intel Spectre Patches

Intel Kaby Lake Refresh (2017)

  • Intel Core i7-8650U
  • Intel Core i7-8550U
  • Intel Core i5-8350U
  • Intel Core i5-8250U

Intel Kaby Lake-Y (2017)

  • Intel Core i5-Y757
  • Intel Core i5-Y754
  • Intel Core m3-7Y32
  • Intel Core m3-7Y30
  • Intel Pentium 4415Y
  • Intel Pentium 4410Y
  • Intel Celeron 3965Y

Intel Kaby Lake-U (2017)

  • Intel Core i7-7660U
  • Intel Core i7-7600U
  • Intel Core i7-7567U
  • Intel Core i7-7560U
  • Intel Core i7-7500U
  • Intel Core i5-7360U
  • Intel Core i5-7300U
  • Intel Core i5-7287U
  • Intel Core i5-7367U
  • Intel Core i5-7260U
  • Intel Core i5-7200U
  • Intel Core i3-7167U
  • Intel Core i3-7130U
  • Intel Core i3-7100U
  • Intel Pentium 4415U
  • Intel Celeron 3965U
  • Intel Celeron 3865U

Intel Kaby Lake-H (2016)

  • Intel Core i7-7920HQ
  • Intel Core i7-7820HQ
  • Intel Core i7-7820HK
  • Intel Core i7-7820EQ
  • Intel Core i7-7700HQ
  • Intel Core i7-7Y75
  • Intel Core i5-7442HQ
  • Intel Core i5-7442EQ
  • Intel Core i5-7440HQ
  • Intel Core i5-7440EQ
  • Intel Core i3-7102E
  • Intel Core i3-7100H
  • Intel Core i3-7100E

Intel Broadwell-H (2015)

  • Intel Core i7-5950HQ
  • Intel Core i7-5850HQ
  • Intel Core i7-5850EQ
  • Intel Core i7-5750HQ
  • Intel Core i7-5700HQ
  • Intel Core i7-5700EQ
  • Intel Core i5-5350H

Intel Broadwell-U (2015)

  • Intel Core i7-5650U
  • Intel Core i7-5600U
  • Intel Core i7-5557U
  • Intel Core i7-5550U
  • Intel Core i7-5500U
  • Intel Core i5-5350U
  • Intel Core i5-5300U
  • Intel Core i5-5287U
  • Intel Core i5-5257U
  • Intel Core i5-5250U
  • Intel Core i5-5200U
  • Intel Core i3-5157U
  • Intel Core i3-5020U
  • Intel Core i3-5015U
  • Intel Core i3-5010U
  • Intel Core i3-5005U
  • Intel Pentium 3825U
  • Intel Pentium 3805U
  • Intel Celeron 3765U
  • Intel Celeron 3755U
  • Intel Celeron 3215U
  • Intel Celeron 3205U
[adrotate group=”1″]

Intel Broadwell-Y (2014)

  • Intel Core M-5Y71
  • Intel Core M-5Y70
  • Intel Core M-5Y51
  • Intel Core M-5Y31
  • Intel Core M-5Y10c
  • Intel Core M-5Y10a
  • Intel Core M-5Y10

Intel Haswell-H (2013)

  • Intel Core i7-4980HQ
  • Intel Core i7-4960HQ
  • Intel Core i7-4950HQ
  • Intel Core i7-4870HQ
  • Intel Core i7-4860HQ
  • Intel Core i7-4860EQ
  • Intel Core i7-4850HQ
  • Intel Core i7-4850EQ
  • Intel Core i7-4770HQ
  • Intel Core i7-4760HQ
  • Intel Core i7-4750HQ
  • Intel Core i7-4722HQ
  • Intel Core i7-4720HQ
  • Intel Core i7-4712HQ
  • Intel Core i7-4710HQ
  • Intel Core i7-4702HQ
  • Intel Core i7-4702EC
  • Intel Core i7-4701EQ
  • Intel Core i7-4700HQ
  • Intel Core i7-4700MQ
  • Intel Core i7-4700EQ
  • Intel Core i7-4700EC
  • Intel Core i5-4422E
  • Intel Core i5-4410E
  • Intel Core i5-4402E
  • Intel Core i5-4402EC
  • Intel Core i5-4400E
  • Intel Core i5-4210H
  • Intel Core i5-4200H
  • Intel Core i3-4112E
  • Intel Core i3-4110E
  • Intel Core i3-4102E
  • Intel Core i3-4100E

Intel Haswell-ULX (2013)

  • Intel Core i7-4610Y
  • Intel Core i5-4302Y
  • Intel Core i5-4300Y
  • Intel Core i5-4220Y
  • Intel Core i5-4210Y
  • Intel Core i5-4202Y
  • Intel Core i3-4030Y
  • Intel Core i3-4020Y
  • Intel Core i3-4012Y
  • Intel Core i3-4010Y
  • Intel Pentium 3561Y
  • Intel Pentium 3560Y
  • Intel Celeron 2002E
  • Intel Celeron 2000E

Intel Haswell-ULX (2013)

  • Intel Celeron 2961Y

Intel Haswell-ULT (2013)

  • Intel Core i7-4650U
  • Intel Core i7-4600U
  • Intel Core i7-4578U
  • Intel Core i7-4558U
  • Intel Core i7-4550U
  • Intel Core i7-4510U
  • Intel Core i7-4500U
  • Intel Core i5-4360U
  • Intel Core i5-4360U
  • Intel Core i5-4310U
  • Intel Core i5-4308U
  • Intel Core i5-4300U
  • Intel Core i5-4288U
  • Intel Core i5-4280U
  • Intel Core i5-4278U
  • Intel Core i5-4258U
  • Intel Core i5-4250U
  • Intel Core i5-4210U
  • Intel Core i5-4200U
  • Intel Core i3-4158U
  • Intel Core i3-4120U
  • Intel Core i3-4100U
  • Intel Core i3-4030U
  • Intel Core i3-4025U
  • Intel Core i3-4010U
  • Intel Core i3-4005U
  • Intel Pentium 3558U
  • Intel Pentium 3556U
  • Intel Celeron 2981U
  • Intel Celeron 2980U
  • Intel Celeron 2957U
  • Intel Celeron 2955U

Intel Haswell-MB (2013)

  • Intel Core i7-4940MX
  • Intel Core i7-4930MX
  • Intel Core i7-4910MQ
  • Intel Core i7-4900MQ
  • Intel Core i7-4810MQ
  • Intel Core i7-4800MQ
  • Intel Core i7-4712MQ
  • Intel Core i7-4710MQ
  • Intel Core i7-4702MQ
  • Intel Core i7-4610M
  • Intel Core i7-4600M
  • Intel Core i5-4340M
  • Intel Core i5-4330M
  • Intel Core i5-4310M
  • Intel Core i5-4300M
  • Intel Core i5-4210M
  • Intel Core i5-4200M
  • Intel Core i3-4110M
  • Intel Core i3-4100M
  • Intel Core i3-4010M
  • Intel Core i3-4000M
  • Intel Pentium 3560M
  • Intel Pentium 3550M
  • Intel Celeron 2970M
  • Intel Celeron 2950M

 

Meltdown + Spectre Reading Suggestions

[adrotate group=”2″]

Go Back To > First Page | Articles | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

The Complete AMD Spectre Mitigation Strategy Guide Rev. 2.0

Intel have been rushing out their Meltdown and Spectre patches (with some unfortunate side effects), but what about AMD? We present to you – The AMD Spectre Mitigation Strategy Guide!

Article Update History

Click here for the Article Update History

Updated @ 2018-02-28 : Added a new page on the AMD Spectre 2 hardware mitigation options.

Originally posted @ 2018-02-01

 

Only Spectre

Now that the dust has settled, we know that AMD processors are completely invulnerable to Meltdown, but are vulnerable to both Spectre exploits. Therefore, AMD only needs to mitigate against the two Spectre exploits.

  • Variant 1 : Bounds Check Bypass (CVE-2017-5753)
  • Variant 2 : Branch Target Injection (CVE-2017-5715)

 

AMD Spectre Mitigation Overview

GPZ Variant 1 (Spectre 1)

In the Spectre 1 (GPZ Variant 1) exploit, a malware can make use of the processor’s speculative execution capability to bypass the memory bounds check, thereby accessing memory that it did not have permission for.

AMD is recommending software-only solutions for Spectre 1, which include operating system kernels, JIT (Just In Time) compilers, browsers and other user applications.

AMD recommends the V1-1 (lfence) software solution for the GPZ Variant 1 (Spectre 1) exploit.

GPZ Variant 2 (Spectre 2)

In the Spectre 2 (GPZ Variant 2) exploit, a malware may trick the CPU branch predictor into mis-predicting the wrong path, thereby speculatively executing code that would not otherwise be executed.

AMD offers both software-only, and software + hardware mitigations, for Spectre 2.

AMD recommends the V2-1 (retpoline) option for the GPZ Variant 2 (Spectre 2) exploit.

 

The AMD Spectre Mitigation Options

AMD has so far offered 11 Spectre mitigation options, divided into three categories :

 

Meltdown + Spectre Reading Suggestions

[adrotate group=”2″]

 

AMD Spectre 1 + 2 Mitigation Options

AMD Spectre Mitigation G-1

Target : Spectre 1 and Spectre 2

Technique : Clear out untrusted data from registers (e.g. write 0) when entering more privileged modes, or sensitive code.

Effect : By removing untrusted data from registers, the CPU will not be able to speculatively execute operations using the values in those registers.

Applicability : All AMD processors.

Note : Instructions that cause the machine to temporarily stop inserting new instructions into the machine for execution and wait for execution of older instructions to nish are referred to as dispatch serializing instructions.

 

AMD Spectre Mitigation G-2

Target : Spectre 1 and Spectre 2

Technique : Set an MSR in the processor so that LFENCE is a dispatch serializing instruction and then use LFENCE in code streams to serialize dispatch (LFENCE is faster than RDTSCP which is also dispatch serializing). This mode of LFENCE may be enabled by setting MSR C001_1029[1]=1.

Effect : Upon encountering an LFENCE when the MSR bit is set, dispatch will stop until the LFENCE instruction becomes the oldest instruction in the machine.

Applicability : All AMD family 10h/12h/14h/15h/16h/17h processors support this MSR. LFENCE support is indicated by CPUID function1 EDX bit 26, SSE2. AMD family 0Fh/11h processors support LFENCE as serializing always, but do not support this MSR. AMD plans support for this MSR and access to this bit for all future processors.

 

AMD Spectre Mitigation G-3

Target : Spectre 1 and Spectre 2

Technique : Enable Supervisor Mode Execution Protection (SMEP).

Effect : The processor will never speculatively fetch instruction bytes in supervisor mode if the RIP address points to a user page. This prevents the attacker from redirecting the kernel indirect branch to a target in user code.

Applicability : All AMD processors that support SMEP (Family 17h, Family 15h model >60h)

Note : The load-store unit is a key area for controlling speculation because information leakage comes from the residual nature of cache lines after a speculative fill.

 

AMD Spectre Mitigation G-4

Target : Spectre 1 and Spectre 2

Technique : Enable SMAP (Supervisor Mode Access Protection)

Effect : The processor will never initiate a fill if the translation has a SMAP violation (kernel accessing user memory). This can prevent the kernel from bringing in user data cache lines. With SMEP and SMAP enabled the attacker must nd an indirect branch to attack in the area marked by SMAP that is allowed to access user marked memory.

Applicability : All AMD processors that support SMAP ( family 17h and greater)

Next Page > Separate AMD Spectre 1 + Spectre 2 Mitigations

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

AMD Spectre 1 Mitigation Options

AMD Spectre Mitigation V1-1

Target : Spectre 1 only

Technique : With LFENCE serializing, use it to control speculation for bounds checking. For instance, consider the following code:

1:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

2:  ja out_of_bounds          ; if greater, index is too big

3:  mov ebx, [eax]              ; read buffer

In this code, the CPU can speculative execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:

1:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

2:  ja out_of_bounds          ; if greater, index is too big

3:  lfence                             ; serializes dispatch until branch

4:  mov ebx, [eax]              ; read buffer

Effect : In the second code sequence, the processor cannot execute op 4 because dispatch is stalled until the branch target is known.

Applicability : All AMD processors.

 

AMD Spectre Mitigation V1-2

Target : Spectre 1 only

Technique : Create a data dependency on the outcome of a compare to avoid speculatively executing instructions in the false path of the branch. For instance, consider the following code:

1:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

2:  ja out_of_bounds          ; if greater, index is too big

3:  mov ebx, [eax]              ; read buffer

In this code, the CPU can speculative execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:

1:  xor edx, edx

2:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

3:  ja out_of_bounds            ; if greater, index is too big

4:  cmova eax, edx              ; NEW: dummy conditional mov

5:  mov ebx, [eax]               ; read buffer

Effect : In the second code sequence, the processor cannot execute op 4 (cmova) because the ags are not available until after instruction 2 (cmp) nishes executing. Because op 4 cannot execute, op 5 (mov) cannot execute since no address is available.

Applicability : All AMD processors.

 

AMD Spectre Mitigation V1-3

Target : Spectre 1 only

Technique : Create a data dependency on the outcome of a compare to mask the array index to keep it within bounds. For instance, consider the following code:

1:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

2:  ja out_of_bounds            ; if greater, index is too big

3:  mov ebx, [eax]                ; read buffer

In this code, the CPU can speculative execute instruction 3 (mov) if it mispredicts the branch at 2 (ja). If this is undesirable, software should implement:

1:  cmp eax, [buffer_top]    ; compare eax (index) to upper bound

2:  ja out_of_bounds           ; if greater, index is too big

3:  and eax, $MASK            ; NEW: Mask array index

4:  mov ebx, [eax]              ; read buffer

Effect : In the second code sequence, the processor will mask the array index before the memory load constraining the range of addresses that can be speculatively loaded. For performance it is best if $MASK is an immediate value.

Applicability : All AMD processors. This mitigation works best for arrays that are power-of-2 sizes but can be used in all cases to limit the range of addresses that can be loaded.

Note : In the case of RET instructions, RIP values are predicted using a special hardware structure that tracks CALL and RET instructions called the return stack bu er. Other indirect branches (JMP, CALL) are predicted using a branch target bu er (BTB) structure. While the mechanism and structure of this buffer varies significantly across AMD processors, branch predictions in these structures can be controlled with software changes to mitigate variant 2 attacks.

[adrotate group=”1″]

 

AMD Spectre 2 Mitigation Options

AMD Spectre Mitigation V2-1

Target : Spectre 2 only

Technique : Convert indirect branches into a “retpoline”. Retpoline sequences are a software construct which allows indirect branches to be isolated from speculative execution. It uses properties of the return stack bu er (RSB) to control speculation. The RSB can be lled with safe targets on entry to a privileged mode and is per thread for SMT processors. So instead of

1: jmp *[eax] ; jump to address pointed to by EAX2:

To this:

1: call l5 ; keep return stack balanced

l2: pause ; keep speculation to a minimum

3:  lfence

4:  jmp l2

l5: add rsp, 8 ; assumes 64 bit stack

6:  push [eax] ; put true target on stack

7:  ret

and this 1: call *[eax] ;

To this:

1: jmp l9

l2:  call l6          ; keep return stack balanced

l3:  pause

4:  lfence           ; keep speculation to a minimum

5:  jmp l3

l6: add rsp, 8    ; assumes 64 bit stack

7:  push [eax]    ; put true target on stack

8:  ret

L9: call l2

Effect : This sequence controls the processor’s speculation to a safe known point. The performance impact is likely greater than V2-2 but more portable across the x86 architecture. Care needs to be taken for use outside of privileged mode where the RSB was not cleared on entry or the sequence can be interrupted. AMD processors do not put RET based predictions in BTB type structures.

Applicability : All AMD processors.

 

AMD Spectre Mitigation V2-2

Target : Spectre 2 only

Technique : Convert an indirect branch into a dispatch serializing instruction sequence where the load has nished before the branch is dispatched. For instance, change this code:

1: jmp *[eax]    ; jump to address pointed to by EAX2:

To this:

1:  mov eax, [eax]    ; load target address

2:  lfence                  ; dispatch serializing instruction

3:  jmp *eax

Effect : The processor will stop dispatching instructions until all older instructions have returned their results and are capable of being retired by the processor. At this point the branch target will be in the general purpose register (eax in this example) and available at dispatch for execution such that the speculative execution window is not large enough to be exploited.

Applicability : All AMD processors. AMD plans that this sequence will continue to work on future processors until support for other architectural means to control indirect branches are introduced.

 

AMD Spectre Mitigation V2-3

Target : Spectre 2 only

Technique : Execute a series of CALL instructions upon entering more privileged code to ll up the return address predictor.

Effect : The processor will only predict RET targets to the RIP values in the return address predictor, thus preventing attacker controlled RIP values from being predicted.

Applicability : All AMD processors. The size of the return address predictor varies by processor, all current AMD processors have a return address predictor with 32 entries or less. Future processors that have more than 32 RSB entries are planned to be architected to not require software intervention.

 

AMD Spectre Mitigation V2-4

Target : Spectre 2 only

Technique : An architectural mechanism, Indirect Branch Control (IBC), is being added to the x86 ISA to help software control branch prediction of jmp near indirect and call near indirect instructions. It consists of 3 features: Indirect Branch Prediction Barrier (IBPB), Indirect Branch Restricted Speculation (IBRS) and Single Thread Indirect Branch Predictors (STIBP).

Effect : These features give software another mechanism through architectural MSRs to provide mitigation for different variant 2 exploits.

IBPB – Places a barrier such that indirect branch predictions from earlier execution cannot in uence execution after the barrier.
IBRS – Restricts indirect branch speculation when set.
STIBP – Provides sibling thread protection on processors that require sibling indirect branch prediction protection

Applicability : As a new feature, these mechanism are available in only a limited number of current AMD processors and require a microcode patch. These 3 features are individually enumerated through CPUID and all processors do not support all features. These features also require software updates to write the MSR where appropriate.

Note : After a RIP value is predicted, the new RIP value is sent through a TLB and table walker pipeline before instruction bytes can be fetched and sent for execution.

Next Page > AMD Spectre 2 Hardware Mitigations

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

AMD Spectre 2 Hardware Mitigation Options

On 7 February, AMD revealed three AMD64 mechanisms to mitigate against Spectre 2 (indirect branch target injection). They are designed to increase control of indirect branches, and identified by CPU ID bits.

Feature AMD Version (CPUID Function) MSR Exist
Indirect Branch Prediction Barrier (IBPB) 8000_0008 EBX[12]=1 PRED_CMD (MSR 49)
Indirect Branch Restricted Speculation (IBRS) 8000_0008 EBX[14]=1 SPEC_CTRL (MSR 48)
Single Thread Indirect Branch Prediction (STIBP) 8000_0008 EBX[15]=1 SPEC_CTRL (MSR 48)

 

AMD IBPB Hardware Mitigation

Target : Spectre 2 only

Technique : This is a write-only MSR (model-specific register) that, when written with a 0, prevents older indirect branches from influencing predictions of indirect branches in the future. This applies to jmp indirects, call indirects and returns.

As this feature prevents the processor from using all previous indirect branch information, it is meant to be used only when a software switches from one user context to another that requires protection.

CPUID Function 8000_0008, EBX[16]=1 indicates an IBRS always on mode. The processor prefers that IBRS is only set once during boot and not changed.

If IBRS is set on a processor supporting IBRS always on mode, indirect branches executed in a less privileged prediction mode will not influence branch predictions for indirect branches in a more privileged prediction mode.

This also reduces the performance impact of the WRMSR (Write to Model Specific Register) on less privileged to more privileged entry point and the WRMSR on more privileged to less privileged exit points.

 

AMD IBRS Hardware Mitigation

Target : Spectre 2 only

Technique : Indirect Branch Restricted Speculation (IBRS) exists at MSR 0x48 (SPEC_CTRL) bit 0.

When this bit is set, it keeps indirect branches that occurred in a lesser prediction mode from before it was set from influencing the future indirect branches that are going to execute now while IBRS is 1. A lesser prediction mode is CPL 3 vs CPL[2-0] and Guest vs Host mode.

If software clears IBRS, it is now allowed for the older indirect branches that occurred when IBRS was 0 to be used to influence the indirect branches.

It is also possible that while IBRS is 1, another write of 1 to IBRS bit 0 occurs. This starts a new window where older indirect branches should not influence future indirect branches.

Therefore if IBRS were set in a lesser privilege mode, on a transition to a more privileged mode the more privileged mode would have to set IBRS to 1 to indicate to hardware that it wants branches in the more privileged mode separated from those in the lesser privileged mode with IBRS set.

On processors with a shared indirect branch predictor, IBRS being set provides protection from being influenced by a sibling thread’s indirect branch predictions. For the ret type of indirect branch, software is responsible for clearing out the return stack buffer with 32 calls that have a non-zero target.

Processors that support more than 32 RSB (Return Stack Buffer) entries will be responsible for clearing the extra RSB entries. Clearing out the return stack buffer maybe required on the transition from CPL3 to CPL0, even if the OS has SMEP enabled.

CPUID Function 8000_0008, EBX[18]=1 indicates that the processor prefers using the IBRS feature instead of other software mitigations such as retpoline. This allows software to remove the software mitigation and utilize the better performing IBRS mechanism.

[adrotate group=”1″]

 

AMD STIBP Hardware Mitigation

Target : Spectre 2 only

Technique : The Single Thread Indirect Branch Predictor (STIBP) exists at MSR 0x48 (SPEC_CTRL) bit 1.

When this bit is set in processors that share branch prediction information, indirect branch predictions from sibling threads cannot influence the predictions of other sibling threads. Return instructions are always immune to influence by the other thread and do not require this bit to be set for protection.

Any attempt to write SPEC_CTRL bits 63:2 results in general protection fault (GP fault). If a processor only supports STIBP (bit 1) for ease of software implementation, the processor does not GP fault attempts to write bit 0. In a similar manner, if a processor only supports IBRS, attempts to set STIBP do not GP fault.

Both SPEC_CTRL and PRED_CMD are not architecturally serializing WRMSRs. They are still execution serializing and prevent any execution of future instructions until they have completed.

CPUID Function 8000_0008, EBX[17]=1 indicates an STIBP always on mode. The processor prefers that STIBP is only set once during boot and not changed. This reduces the performance impact of the WRMSR (Write to Model Specific Register) at the necessary toggle points.

Go Back To > First PageGuides | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

The Microsoft Spectre + Meltdown Patch Schedule Rev. 2.0

Ever since the Meltdown and Spectre exploits were exposed, Microsoft has been working overtime to patch Windows against them. Unfortunately, they were quite secretive about their Spectre and Meltdown patch list and schedule. We usually only find out when something bad happens, like when some patches bricked AMD systems.

They changed that stance recently, quietly releasing their Windows Spectre and Meltdown patch schedule. This schedule listed the patches they have released so far, or are about to release. For your convenience, we have divided and sorted them according to the applicable Windows version.

Please note that the current Microsoft Spectre and Meltdown patch schedule covers the January and February 2018. We will update the schedule as and when Microsoft releases them.

Article Update History

Click here for the Article Update History

Updated @ 2018-02-22 : Added the late January and early February 2018 Spectre and Meltdown patch schedule for Windows 10 and Windows Server 2016.

Originally posted @ 2018-01-24

 

The Spectre + Meltdown Patch Schedule For Windows 10

Update Title Status Release Date Release Channel Knowledge Base
Windows 10 (1703) – Quality Update Released February 13 WU, WSUS, Catalog KB4074592
Windows 10 (1607) – Quality Update Released February 13 WU, WSUS, Catalog KB4074590
Windows 10 (1511) – Quality Update Released February 13 WU, WSUS, Catalog KB4074591
Windows 10 (RTM) – Quality Update Released February 13 WU, WSUS, Catalog KB4074596
Windows 10 (1709) – Quality Update Released January 31 WU, Catalog KB4058258
Windows 10 (1709) – Quality Update Released January 3 WU, WSUS, Catalog, Azure Image Gallery KB4056892 *
Windows 10 (1703) – Quality Update Released January 3 WU, WSUS, Catalog KB4056891 *
Windows 10 (1607) – Quality Update Released January 3 WU, WSUS, Catalog KB4056890
Windows 10 (1511) – Quality Update Released January 3 WU, WSUS, Catalog KB4056888 *
Windows 10 (RTM) – Quality Update Released January 3 WU, WSUS, Catalog KB4056893 *

* KB4056888, KB4056890, KB4056891, KB4056892, KB4056893 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows Server 2016

Update Title Status Release Date Release Channel Knowledge Base
Windows Server 2016 (1607) – Container Images Released February 13 Docker Hub KB4074590
Windows Server 2016 (1607) – Quality Update Released February 13 WU, WSUS, Catalog KB4074590
Windows Server 2016 (1709) – Server container Released February 13 Docker Hub KB4074588
Windows Server 2016 (1709) – Quality Update Released January 31 WU, Catalog KB4058258
Windows Server 2016 (1709) – Quality Update Released January 3 WU, WSUS, Catalog, Azure Image Gallery KB4056892 *
Windows Server 2016 (1709) – Server container Released January 5 Docker Hub KB4056892 *
Windows Server 2016 (1607) – Quality Update Released January 3 WU, WSUS, Catalog KB4056890 *
Windows Server 2016 (1607) – Container Images Released January 4 Docker Hub KB4056890 *

* KB4056890, KB4056892 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows 10 Mobile

Update Title Status Release Date Release Channel Knowledge Base
Windows 10 Mobile (OS Build 15254.192) – ARM Released January 5 WU, Catalog KB4073117
Windows 10 Mobile (OS Build 15063.850) Released January 5 WU, Catalog KB4056891
Windows 10 Mobile (OS Build 14393.2007) Released January 5 WU, Catalog KB4056890

 

The Spectre + Meltdown Patch Schedule For Windows 10 IoT Core

Update Title Status Release Date Release Channel Knowledge Base
Windows 10 IoT Core (1703) – Quality Update Released February 13 WU, WSUS, Catalog KB4074592
Windows 10 IoT Core (1607) – Quality Update Released February 13 WU, WSUS, Catalog KB4074590
Windows 10 IoT Core (1511) – Quality Update Released February 13 WU, WSUS, Catalog KB4074591
Windows 10 IoT Core (1709) – Quality Update Released January 31 WU, Catalog KB4058258
Windows 10 IoT Core (1709) – Quality Update Released January 3 WU, WSUS, Catalog, Azure Image Gallery KB4056892 *
Windows 10 IoT Core (1703) – Quality Update Released January 3 WU, WSUS, Catalog KB4056891 *
Windows 10 IoT Core (1607) – Quality Update Released January 3 WU, WSUS, Catalog KB4056890 *
Windows 10 IoT Core (1511) – Quality Update Released January 3 WU, WSUS, Catalog KB4056888 *

* KB4056888, KB4056890, KB4056891, KB4056892 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows 10 HoloLens

Update Title Status Release Date Release Channel Knowledge Base
Windows 10 HoloLens – OS and Firmware Updates Released February 13 WU, Catalog KB4074590
Windows 10 HoloLens Released January 5 WU, Catalog KB4056890 *

* KB4056890 can brick some AMD PCs.

[adrotate group=”1″]

 

The Spectre + Meltdown Patch Schedule For Windows 8 & 8.1

Update Title Status Release Date Release Channel Knowledge Base
Windows 8.1 – Security Only Update Released January 3 WSUS, Catalog KB4056898 *
Windows Embedded 8.1 Industry Enterprise Released January 3 WSUS, Catalog KB4056898 *
Windows Embedded 8.1 Industry Pro Released January 3 WSUS, Catalog KB4056898 *
Windows Embedded 8.1 Pro Released January 3 WSUS, Catalog KB4056898 *
Internet Explorer 11-Cumulative Update for Windows 8.1 Released January 3 WU, WSUS, Catalog KB4056894 *
Windows 8.1 Monthly Rollup Released January 8 WU, WSUS, Catalog KB4056895 *
Windows Embedded 8.1 Industry Enterprise Released January 8 WU, WSUS, Catalog KB4056895 *
Windows Embedded 8.1 Industry Pro Released January 8 WU, WSUS, Catalog KB4056895 *
Windows Embedded 8.1 Pro Released January 8 WU, WSUS, Catalog KB4056895 *
Windows Embedded 8 Standard Coming

* KB4056894, KB4056895, KB4056898 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows Server 2012

Update Title Status Release Date Release Channel Knowledge Base
Windows Server 2012 R2 – Security Only Update Released January 3 WSUS, Catalog KB4056898 *
Windows Server 2012 R2 Monthly Rollup Released January 8 WU, WSUS, Catalog KB4056895 *
Windows Server 2012 Security Only Coming WSUS, Catalog
Windows Server 2012 Monthly Rollup Coming WU, WSUS, Catalog

* KB4056895, KB4056898 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows Server 2008

Update Title Status Release Date Release Channel Knowledge Base
Windows Server 2008 R2 SP1 – Security Only Update Released January 3 WSUS, Catalog KB4056897 *
Windows Server 2008 R2 SP1 Monthly Rollup Released January 4 WU, WSUS, Catalog KB4056894 *
Windows Server 2008 SP2 Coming WU, WSUS, Catalog

* KB4056897, KB4056894 can brick some AMD PCs.

 

The Spectre + Meltdown Patch Schedule For Windows 7

Update Title Status Release Date Release Channel Knowledge Base
Windows 7 SP1 – Security Only Update Released January 3 WSUS, Catalog KB4056897 *
Windows Embedded Standard 7 Released January 3 WSUS, Catalog KB4056897 *
Windows Embedded POSReady 7 Released January 3 WSUS, Catalog KB4056897 *
Windows Thin PC Released January 3 WSUS, Catalog KB4056897 *
Internet Explorer 11-Cumulative Update for Windows 7 SP1 Released January 3 WU, WSUS, Catalog KB4056894 *
Windows 7 SP1 Monthly Rollup Released January 4 WU, WSUS, Catalog KB4056894 *
Windows Embedded Standard 7 Released January 4 WU, WSUS, Catalog KB4056894 *
Windows Embedded POSReady 7 Released January 4 WU, WSUS, Catalog KB4056894 *
Windows Thin PC Released January 4 WU, WSUS, Catalog KB4056894 *

* KB4056897, KB4056894 can brick some AMD PCs.

 

Meltdown + Spectre Reading Suggestions

[adrotate group=”2″]

Go Back To > Guides | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

AMD CPUs Are Also Vulnerable To Spectre 2 Exploit Rev. 2.0

AMD updated their security advisory, confirming that their CPUs are also vulnerable to the Spectre 2 exploit. We updated our article Everything On The Intel, AMD & ARM CPU Bug, but it looks like many AMD fanboys still insist that AMD processors are only affected by Spectre 1. So let us burst their bubble and update them on what AMD actually said about this “issue”.

Updated @ 2018-01-15 : Added two new sections addressing the criticisms of the AMD and Intel fanboys.

Originally posted @ 2018-01-13

 

AMD CPUs Are Also Vulnerable To Spectre 2 Exploit

When AMD first released their security advisory on the Meltdown and Spectre exploits, they stated that, “Differences in AMD architecture mean there is a near zero risk of exploitation of this variant.

Just over a week later, on 11 January 2018, Mark Papermaster, AMD Senior Vice President and Chief Technology Officer, posted an update of their assessment, stating that “GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.

He clarified that while AMD believes that their “processor architectures make it difficult to exploit Variant 2“, they have defined “a combination of processor microcode updates and OS patches” to mitigate the Spectre 2 threat.

You can read more about the Spectre and Meltdown exploits in Everything On The Intel, AMD & ARM CPU Bug.

 

Why Is Spectre 2 Important?

This development is significant, because Spectre 2 is the more problematic exploit of the two. Mainly because any efforts to reduce its risks significantly reduces performance.

According to Microsoft, only Spectre 2 mitigation patches have a significant performance impact. Their initial performance tests show that Spectre 1 and Meltdown mitigation patches have minimal or small performance impact, and are unlikely to be noticed by users.

 

What Is AMD Doing About Spectre 2?

AMD has already defined the “additional steps” that consists of processor microcode updates and operating system patches that will mitigate the threat of Spectre 2 to their affected processors.

They will make the microcode updates available for the Ryzen and EPYC processors this week, with microcode updates for older processors in the coming weeks.

Notably, Mark said that they would be OPTIONAL. This ties in with their assessment that it would be difficult (albeit not impossible) to exploit Variant 2 in an AMD processor. So AMD users will get the option of NOT applying these microcode updates, at least while no actual Spectre threat exists in the real world.

Linux vendors have started to roll out Spectre 2 patches, while Microsoft will be releasing Spectre 2 patches for Windows shortly.

 

AMD Fanboys Are Missing The Big Picture

Many AMD fanboys say that we are biased against AMD, because that the risk of a Spectre 2 exploit is small or “virtually non-existent”.

We love the AMD Ryzen just like you do, and find their performance-value proposition incredibly refreshing. In fact, we even wrote an article crediting The Ryzen Effect for creating better Intel processors.

What we reported is no different from the official statement by Mark Papermaster – the AMD CPUs are vulnerable to Spectre 2. But you are all missing the big picture.

[adrotate group=”2″]

The point here isn’t to rub our collective noses in some kind of childish Intel vs. AMD fanboy war, it’s to point out that these Spectre 2 patches will have a significant performance impact.

Because there is no real world exploit of both Meltdown and Spectre, and because AMD’s microarchitecture is more robust against the Spectre 2 vulnerability, there is arguably no real need to apply the Spectre 2 patches.

That’s why we specifically pointed out that “Mark said that they would be OPTIONAL“, so you should have the option of “NOT applying these microcode updates“.

You guys would have realised that if you actually read the article, instead of just stopping at the title.

 

Intel Fanboys Should Stop Throwing Stones

Some Intel fanboys are using this article as evidence that “AMD got caught lying” or “AMD CPUs are just as bad”. Well, let us address those claims.

  1. AMD did not lie – In their original disclosure, they stated very clearly that “there is a near zero risk” of a Spectre 2 exploit working on an AMD CPU. We specifically mentioned and underlined that in the original article to stress that AMD was already aware that their CPUs are somewhat vulnerable to Spectre 2.
  2. AMD CPUs are far less at risk – Even with this upgraded risk assessment, AMD CPUs are still much less vulnerable to Spectre 2 than Intel CPUs, and they are completely impervious to the Meltdown exploit. Because they are less vulnerable, AMD users have the option of not applying Spectre 2 patches that can have a significant performance impact.

 

Meltdown + Spectre Reading Suggestions

Go Back To > Articles | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Pre-2016 Intel CPUs Hit Worst By Meltdown + Spectre Fix

Microsoft just revealed that pre-2016 Intel CPUs will be hit worst by the Meltdown and Spectre patches. They also pointed out that the performance impact detailed in benchmarks published so far did not include both operating system and silicon updates, and are therefore, inaccurate.

Microsoft is still working on their own set of benchmarks that will look at the performance impact after both operating system and silicon updates have been applied. In the meantime, Terry Myerson, Executive Vice President of the Windows and Devices Group, shared some preliminary findings.

 

Performance Impact Of The Meltdown + Spectre Patches

According to Terry, the patches for Variant 1 (Spectre 1) and Variant 3 (Meltdown) of the speculative execution bug have minimal performance impact.

It is the Variant 2 (Spectre 2) patches, both operating system and silicon microcode, that have a significant performance impact.

Here is a summary of what Microsoft has found so far :

Windows 10 With 2016 Or Newer Intel CPUs

Intel CPU Models : Intel Skylake, Intel Kaby Lake, Intel Coffee Lake

Performance Impact : Single digit reduction in performance. Microsoft does not expect most users to notice the impact, because the percentages are “reflected in milliseconds“.

Windows 10 With Pre-2016 Intel CPUs

Intel CPU Models : Intel Broadwell, Intel Haswell, Intel Ivy Bridge, Intel Sandy Bridge, or older.

Performance Impact : Significant slowdowns in some benchmarks. Microsoft expects some users to notice the decrease in performance.

Windows 8 and Windows 7 With Pre-2016 Intel CPUs

Intel CPU Models : Intel Broadwell, Intel Haswell, Intel Ivy Bridge, Intel Sandy Bridge, or older.

Performance Impact : Significant slowdowns. Microsoft expects most users to notice the decrease in performance.

Windows Server On Any Intel CPU

Performance Impact : Significant slowdowns in any IO-intensive application.

 

Why The Difference In Performance Impact?

In the newer Intel processors (from the 2016 Skylake onwards), Intel refined the instructions used to disable branch speculation to be more specific to indirect branches. This reduces the performance impact of Spectre mitigation patches.

There is a larger performance impact with Windows 8 and Windows 7 because they have more user-kernel transitions. For example, all font rendering takes place in the kernel.

 

What Should You Do?

If you are using a newer Intel CPU like the Core i7-8700K with Windows 10, you can rest easy knowing that the performance impact of the Meltdown and Spectre patches to be minimal.

If you are using a newer Intel CPU with an older operating system like Windows 8 or Windows 7, you should consider upgrading to Windows 10. This would reduce the performance impact of the Meltdown and Spectre patches.

[adrotate group=”2″]

If you are using a pre-2016 Intel CPU with Windows 10, there is nothing much you can do except consider upgrading to a newer processor. You could possibly live with the performance impact of the Meltdown and Spectre patches.

If you are using a pre-2016 Intel CPU with an older operating system like Windows 8 or Windows 7, you can try upgrading to Windows 10 to reduce the performance impact of the Meltdown and Spectre patches.

If you are managing a Windows Server that uses Intel CPUs, you will need to balance the risk of leaving each Windows Server instance unprotected, against the significant performance impact of protecting it against Meltdown and Spectre.

 

Meltdown + Spectre Reading Suggestions

Go Back To > Articles | Home

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!