We’ve discussed Intel’s fixes for Meltdown and Spectre many times over the past few months. AMD’s overall exposure to these specific flaws is known to be lower, but the smaller CPU manufacturer has taken more time to deliver certain fixes than Intel has. Today, solutions for AMD CPUs are also starting to roll out, courtesy of Microsoft’s Patch Tuesday.
First, a bit of primer. Variant 1 and Variant 2 apply to Spectre; the Variant 3 attack is classified as Meltdown and did not impact AMD CPUs. AMD has previously distributed patches for Variant 1 via Microsoft, but Variant 2 required a heavier lift for both Intel and AMD.
The update, KB4093112, contains a number of security fixes. Here’s the section relevant to AMD.
Provides support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context (See AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates for more details). Follow instructions outlined in KB4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.
AMD’s recommended fix for Spectre Variant 2 is to use its Indirect Branch Prediction Barrier (IBPB), described as follows:
This is a write only MSR that both GP faults when software reads it or if software tries to write any of the bits in 63:1. When bit zero is written, the processor guarantees that older indirect branches cannot influence predictions of indirect branches in the future. This applies to jmp indirects, call indirects and returns. As this restricts the processor from using all previous indirect branch information, it is intended to only be used by software when switching from one user context to another user context that requires protection, or from one guest to another guest.
Tech Report has done some quick spot checks on the performance impact of enabling these features and concluded the hit is less than 3 percent. AMD chips seem to be less impacted overall than Intel cores, though recent Intel chips took a relatively small hit in most workloads. The Variant 2 patch is available for motherboards dating back as far as the original Bulldozer in 2011; AMD has not stated if it will provide fixes for Phenom II or earlier cores. Like Intel, the company may have run into problems with motherboard manufacturer support.
As with Intel, just the Microsoft patch won’t fix this problem. You’ll also need a new UEFI or BIOS from your motherboard vendor. Keep an eye out for these updates; they’ll need to be applied for the patch to function. And the fun may just be starting — Spectre wasn’t one attack, or even two attacks. It represents an entire class of new attacks, all of which target the specific behavior of microprocessors to trick them into performing operations they shouldn’t. We could be cleaning up this mess for years to come.
AMD Releases Updated Risk Guidance on Meltdown, Spectre
AMD has clarified its own weaknesses against Spectre and Meltdown. One week later, things aren't quite as rosy as AMD hoped they'd be.
LG Shifts Strategy, Will No Longer Release Yearly Handset Updates
LG has declared its out of the yearly flagship phone release cycle, preferring to concentrate on retaining form factors for a longer period of time.
Intel Issuing Updates for Meltdown, Spectre Reboot Problem on Older Platforms
Intel's initial Meltdown and Spectre patches for older systems caused frequent reboots and other issues. The company thinks it has nailed those problems down.
Emergency Windows Update Removes Intel’s Buggy Spectre Patch
Microsoft has issued a rare out-of-cycle patch for Windows systems that removes Intel's Spectre patch. That has to be embarrassing for Intel.