We’ve discussed Intel’s fixes for Meltdown and Spectre many times over the past few months. AMD’s overall exposure to these specific flaws is known to be lower, but the smaller CPU manufacturer has taken more time to deliver certain fixes than Intel has. Today, solutions for AMD CPUs are also starting to roll out, courtesy of Microsoft’s Patch Tuesday.
First, a bit of primer. Variant 1 and Variant 2 apply to Spectre; the Variant 3 attack is classified as Meltdown and did not impact AMD CPUs. AMD has previously distributed patches for Variant 1 via Microsoft, but Variant 2 required a heavier lift for both Intel and AMD.
The update, KB4093112, contains a number of security fixes. Here’s the section relevant to AMD.
Provides support to control usage of Indirect Branch Prediction Barrier (IBPB) within some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context (See AMD Architecture Guidelines around Indirect Branch Control and AMD Security Updates for more details). Follow instructions outlined in KB4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.
AMD’s recommended fix for Spectre Variant 2 is to use its Indirect Branch Prediction Barrier (IBPB), described as follows:
This is a write only MSR that both GP faults when software reads it or if software tries to write any of the bits in 63:1. When bit zero is written, the processor guarantees that older indirect branches cannot influence predictions of indirect branches in the future. This applies to jmp indirects, call indirects and returns. As this restricts the processor from using all previous indirect branch information, it is intended to only be used by software when switching from one user context to another user context that requires protection, or from one guest to another guest.
Tech Report has done some quick spot checks on the performance impact of enabling these features and concluded the hit is less than 3 percent. AMD chips seem to be less impacted overall than Intel cores, though recent Intel chips took a relatively small hit in most workloads. The Variant 2 patch is available for motherboards dating back as far as the original Bulldozer in 2011; AMD has not stated if it will provide fixes for Phenom II or earlier cores. Like Intel, the company may have run into problems with motherboard manufacturer support.
As with Intel, just the Microsoft patch won’t fix this problem. You’ll also need a new UEFI or BIOS from your motherboard vendor. Keep an eye out for these updates; they’ll need to be applied for the patch to function. And the fun may just be starting — Spectre wasn’t one attack, or even two attacks. It represents an entire class of new attacks, all of which target the specific behavior of microprocessors to trick them into performing operations they shouldn’t. We could be cleaning up this mess for years to come.