Video: Meltdown-Spectre: A reminder to the IT industry that security is a mirage
Dell and HP have heeded Intel's advice and stopped deploying BIOS updates carrying its buggy patch for the Spectre attack.
HP, the world's biggest PC maker, has updated its advisory for the Meltdown and Spectre bugs following Intel's advice on Monday to halt deploying the chip makers' microcode or firmware patch due to unexpected reboots.
Early last week, Intel admitted its patch for Variant 2 Spectre (CVE-2017-5175) caused stability issues with its Broadwell and Haswell CPUs, and later confirmed the same problems affected Kaby Lake and Skylake CPUs.
On Tuesday, HP pulled its softpaqs BIOS updates with Intel's patches from its website, and on Thursday will release a BIOS update with a previous version of Intel's microcode.
Intel has prepared microcode updates for OEMs like HP and Dell that don't trigger the reboots, but also don't contain its patch for Variant 2, while leaving in place mitigations for Meltdown Variant 3 and Spectre Variant 1.
In the meantime, it's also developed a complete and -- hopefully -- stable patch for Broadwell and Haswell, but this is still being tested with OEMs. New microcode updates for Kaby Lake and Sky Lake will be released later.
"Once Intel reissues microcode updates, HP will issue revised Softpaqs," said HP.
Dell's updated advisory also notes it has removed its BIOS updates until Intel issues new stable firmware.
"Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel," it said.
The Variant 2 attack, known as "indirect branch speculation", is considered the most difficult attack to mitigate, and carries the highest risk for virtualized environments in the cloud. Microsoft and Google have confirmed Intel's mitigation for the Variant 2 -- IBRS or Indirect Branch Restricted Speculation -- caused significant performance overheads on current hardware.
Google has developed its own mitigation for Variant 2 called Retpoline, which achieves IBRS' goal without impacting performance. Retpoline has been integrated with the Linux kernel and offers a software-based mechanism to isolate indirect branches from speculative execution.
IBRS has been a source of contention among Linux kernel developers. In an email exchange with Linux kernel engineer David Woodhouse, Linus Torvalds called Intel's patches "complete and utter garbage".
Woodhouse pointed out that Retpoline mitigates against Variant 2 attacks on most Intel CPUs, but not fully on Skylake and so has recommended IBRS be only used on this generation of processors. Besides this, IBRS doesn't have the same performance impact on Skylake as it does for older CPUs.
RECENT AND RELATED COVERAGE
Google wants the whole industry to adopt its Retpoline fixes for Variant 2 of the Meltdown-Spectre bugs.
Older Broadwell and Haswell chips have been taking a hit from Intel's CPU patch.
Now Linux distributions get hit by Meltdown patch issues.
Antivirus firms are playing patch catch-up, as Microsoft releases Meltdown firmware updates for Surface devices.
We asked major storage array vendors what they're doing to protect customers from the Spectre and Meltdown bugs. Here is what they said.
Patches that fix the security flaws also make the processors run slower in some circumstances, according to Intel.