Video: Intel addresses Meltdown and Spectre security flaws at CES 2018
Meltdown-Spectre
Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too.
Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too.
The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said.
Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.
"Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations," the company wrote.
"We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users".
Intel says workloads with more user/kernel privilege changes and which spend a lot of time in privileged mode are more adversely impacted.
Despite the stability issues, Intel has told OEMs not to withdraw the already released updates for end users.
However, it warned IT admins at datacenters to proceed with caution: "Evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure".
See also: Cybersecurity in 2018: A roundup of predictions
Navin Shenoy, Intel's EVP and GM of the datacenter group, has also released test data on the performance impact of the firmware updates on servers running its latest Skylake-based server Xeon Scalable systems.
On "common workloads" in the enterprise and cloud, Intel has seen an impact of zero to two percent, while it had a four percent impact on a simulated brokerage firm's customer-broker-stock exchange transaction system.
There is a large variance in the fix's impact on data-storage systems depending on CPU utilization and other factors, such as the read-write mix, block size, and drives.
On one benchmark at full CPU utilization, Intel found an 18 percent decrease in throughput performance, while on a 73/30 read/write model there was only a two percent hit on throughput performance.
Shenoy highlighted Google's software-based Retpoline fix for the Variant 2 attack as another mitigation that "could yield less impact".
Google last week urged the whole industry to adopt Retpoline because it mitigated the attack but had almost no negative performance impact on current hardware.
"Retpoline fully protects against Variant 2 without impacting customer performance on all our platforms," a Google executive said.
Google's fix isn't a patch that consumers would apply to their own systems and addresses the variant that has the greatest risk for virtualized cloud environments.
Previous and related coverage
Meltdown-Spectre: Oracle's critical patch update offers fixes against CPU attacks
The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.
Windows Meltdown-Spectre: Watch out for fake patches that spread malware
Criminals have yet to exploit Meltdown and Spectre, but they're playing on users' uncertainties about the CPU flaws in their malware and phishing schemes.
Industrial equipment manufacturers reporting difficulties with Meltdown and Spectre patches
Fixing the security flaws is causing errors to pop up elsewhere for some companies.
Linux vs Meltdown: Ubuntu gets second update after first one fails to boot
Now Linux distributions get hit by Meltdown patch issues.
Bad news: A Spectre-like flaw will probably happen again (CNET)
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.
26% of organizations haven't yet received Windows Meltdown and Spectre patches (TechRepublic)
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.