Video: Intel addresses Meltdown and Spectre security flaws at CES 2018
Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too.
Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too.
The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said.
Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.
"Intel recommends that these partners, at their discretion, continue development and release of updates with existing microcode to provide protection against these exploits, understanding that the current versions may introduce issues such as reboot in some configurations," the company wrote.
"We further recommend that OEMs, Cloud service providers, system manufacturers and software vendors begin evaluation of Intel beta microcode update releases in anticipation of definitive root cause and subsequent production releases suitable for end users".
Despite the stability issues, Intel has told OEMs not to withdraw the already released updates for end users.
However, it warned IT admins at datacenters to proceed with caution: "Evaluate potential impacts from the reboot issue and make decisions based on the security profile of the infrastructure".
Navin Shenoy, Intel's EVP and GM of the datacenter group, has also released test data on the performance impact of the firmware updates on servers running its latest Skylake-based server Xeon Scalable systems.
On "common workloads" in the enterprise and cloud, Intel has seen an impact of zero to two percent, while it had a four percent impact on a simulated brokerage firm's customer-broker-stock exchange transaction system.
There is a large variance in the fix's impact on data-storage systems depending on CPU utilization and other factors, such as the read-write mix, block size, and drives.
On one benchmark at full CPU utilization, Intel found an 18 percent decrease in throughput performance, while on a 73/30 read/write model there was only a two percent hit on throughput performance.
Shenoy highlighted Google's software-based Retpoline fix for the Variant 2 attack as another mitigation that "could yield less impact".
Google last week urged the whole industry to adopt Retpoline because it mitigated the attack but had almost no negative performance impact on current hardware.
"Retpoline fully protects against Variant 2 without impacting customer performance on all our platforms," a Google executive said.
Google's fix isn't a patch that consumers would apply to their own systems and addresses the variant that has the greatest risk for virtualized cloud environments.
Previous and related coverage
The enterprise software giant is working on Spectre fixes for Solaris on Sparc V9.
Criminals have yet to exploit Meltdown and Spectre, but they're playing on users' uncertainties about the CPU flaws in their malware and phishing schemes.
Fixing the security flaws is causing errors to pop up elsewhere for some companies.
Now Linux distributions get hit by Meltdown patch issues.
Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.
Roughly a week after the update was released, many machines still lack the fix for the critical CPU vulnerabilities.