AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities (theverge.com)

← Back to Stories (view on slashdot.org)

AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities (theverge.com)

Posted by BeauHD on Friday January 12, 2018 @01:00AM from the brushed-under-the-rug dept.

An anonymous reader quotes a report from The Verge: AMD's initial response to the Meltdown and Spectre CPU flaws made it clear "there is a near zero risk to AMD processors." That zero risk doesn't mean zero impact, as we're starting to discover today. "We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," says Mark Papermaster, AMD's chief technology officer. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors "over the coming weeks." Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn't saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not. AMD is also revealing that its Radeon GPU architecture isn't impacted by Meltdown or Spectre, simply because those GPUs "do not use speculative execution and thus are not susceptible to these threats." AMD says it plans to issue further statements as it continues to develop security updates for its processors.

74 comments

Min score:

Reason:

Sort:

NO! My Narrative! by CajunArson · 2018-01-12 01:10 · Score: -1, Flamebait

I have been told by at least 500 Koolaid drinkers and their bots that the only vulnerable chips that have ever existed in all of human history were made by Intel because INTEL IS THE SOLE SOURCE OF EVIL ON EARTH!
Intel put these bugs in intentionally because Russia & NSA while simultaneously doing it because they are stupid!
Any school child and CPU design experts like Linus Torvalds Theo De Radt knew about these bugs and exactly how to exploit them for DECADES but didn't do anything about it until now because of Intel's MIND CONTROL RAYS that made open source software illegal!
This disrupts the narrative and therefore is an anti-science big-oil lie. AMD chips are all perfect. Hell, AMD chips are so perfect that you don't need to even update the software because software bugs are just a propaganda lie invented by EVIL INTEL to distract us from the fact that AMD is perfect.

--
AntiFA: An abbreviation for Anti First Amendment.
1. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 01:19 · Score: 5, Informative
  
  You are confusing Meltdown and Spectre. Meltdown: only Intel. Spectre: almost everything.
2. Re:NO! My Narrative! by Carewolf · 2018-01-12 01:25 · Score: 5, Informative
  
  You are confusing Meltdown and Spectre. Meltdown: only Intel. Spectre: almost everything.
  And spectre has two variants, and the second variant doesn't affect AMD Zen processors, but does affect older AMD processors.
3. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 01:35 · Score: 0, Funny
  
  And Alex Jones was right again, sadly.
4. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 01:46 · Score: 0
  
  The second time in ten year, you mean? Yeah. Impressive.
5. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 01:53 · Score: 1
  
  Not just Intel. Meltdown also affects ARM (Cortex-A75).
6. Re:NO! My Narrative! by gweihir · 2018-01-12 02:06 · Score: 5, Insightful
  
  Also: Spectre: Pretty old news, just somebody made it more practical now.
  The only reason Spectre is pushed in the news is that Intel is desperately trying to obscure the magnitude of their screw-up with Meltdown.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
7. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 02:28 · Score: -1
  
  The second time in ten year, you mean? Yeah. Impressive.
  Lets see.. things alex jones has been right about:
  1. Brexit vote results
  2. Brexit polls being fake as shit
  3. Trump getting elected
  4. Polls being full of shit
  And those just from past 2 years!
8. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 02:38 · Score: -1
  
  And both are getting overturned. Trump is going to prison faster than Brexit is getting a revote.
9. Re: NO! My Narrative! by Anonymous Coward · 2018-01-12 02:51 · Score: 1
  
  I don't like the man either, but that is really wishful thinking.
10. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 02:56 · Score: 3, Funny
  
  Not just Intel. Meltdown also affects ARM (Cortex-A75)
  Just one chip from ARM (all other ARM processors are not affected by Meltdown), allowing Intel to cry "it's not just all our processors!". So yeah, it's almost exclusively every single Intel chip in the last 20 years (since the Pentium Pro) that is fundamentally shafted. It's sure not like Intel to have a history of significant hardware flaws (F00F, FDIV), right?
11. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 03:14 · Score: 0
  
  To be fair, Intel made great efforts to spread as much confusion about these two as possible.
12. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 04:22 · Score: 0
  
  >being this much of a fanboi
13. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 04:34 · Score: 0
  
  Except nobody has been saying this. From day one we've listed ARM cores manufactured by a dozen vendors that also have the same problem. Engage your brain.
14. Re:NO! My Narrative! by OrangeTide · 2018-01-12 04:36 · Score: 1
  
  A rich white guy with powerful friends going to prison? Call me a skeptic.
  
  --
  “Common sense is not so common.” — Voltaire
15. Re:NO! My Narrative! by reboot246 · 2018-01-12 07:19 · Score: 1
  
  Not just Intel, AMD, and ARM. Meltdown and Spectre also affect Lay's potato chips, and that's where I draw the line! This means war!
16. Re:NO! My Narrative! by Anonymous Coward · 2018-01-12 08:54 · Score: -1
  
  Wrong. Meltdown affects AMD Athlon, Opteron and Turion x2 CPUs. It also affects some ARM CPUs and most other CPUs with speculative execution.
17. Re: NO! My Narrative! by Anonymous Coward · 2018-01-12 09:32 · Score: 0
  
  wishful thinking
  That's an odd way to spell delusional.
18. Re: NO! My Narrative! by Anonymous Coward · 2018-01-12 14:21 · Score: 0
  
  Sorry, but the continued advise is that no AMD chip is affected by Meltdown at all. It's an Intel-only fuckup that no amount of shilling can hide.
19. Re:NO! My Narrative! by Anonymous Coward · 2018-01-15 18:33 · Score: 0
  
  Also: Spectre: Pretty old news, just somebody made it more practical now.
  The only reason Spectre is pushed in the news is that Intel is desperately trying to obscure the magnitude of their screw-up with Meltdown.
  The smart move is to take a few days and let the facts come out. The last I heard AMD was also affected by 2 variants of Spectre. The most problematic is the one that requires a firmware update. As you can see both AMD and Intel need firmware updates. As for new and upcoming CPU and chipsets. Both AMD and Intel don't mention Spectre.. I am waiting to see who comes out with the better solution for handling Spectre with the least performance hit and over all system usability. I am going to need a new system and right now I don't if it will be Intel or AMD. I am going to research the issue.
Computer people by Anonymous Coward · 2018-01-12 01:10 · Score: -1

Tend to score high on the autist scale.
1. Re:Computer people by Anonymous Coward · 2018-01-12 03:07 · Score: 0
  
  You have to be an autist in order to create beautiful aut.
NEAR zero risk. by Anonymous Coward · 2018-01-12 01:12 · Score: 0, Flamebait

You *deliberately* ignored that, when saying "zero risk doesn't mean zero impact", to artificially make a point as sleazy as a (certain) corporate spokesperson's.
The lottery also has near zero chance of winning. But it certainly wasn't zero, as you'd imply, for those who did.
And another sleazy insert. by Anonymous Coward · 2018-01-12 01:18 · Score: 1

"... whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not."
You just *had* to mention EPYC *a second time*, to really truly highlight your suggesive narrative.
Like "ACs didn't say there weren't shills, nor did TFS's AC say he wasn't a complete shill.". --.--
No Intel Windows microcode updates by Anonymous Coward · 2018-01-12 01:20 · Score: 0, Offtopic

Not sure why MS hasn't pushed out an Intel microcode update on Windows yet, motherboards are slow to get BIOS updates so far
1. Re:No Intel Windows microcode updates by arbiter1 · 2018-01-12 02:12 · Score: 2
  
  MS was set to release the update but reports of claims of older AMD powered machines were fail to boot after the update with no ability to roll back to before the update. MS pulled the patch from being pushed out pending they fix the problem.
2. Re:No Intel Windows microcode updates by Anonymous Coward · 2018-01-12 02:30 · Score: 0
  
  That was not a microcode update but a kernel and library update
Code monkeys by Anonymous Coward · 2018-01-12 01:21 · Score: -1

Think you are smart? I have questions for you, to reflect upon. (Not that you are capable of it.)
Do you trade your life's waking hours for credits, to be spend in your remaining hours on bullshit gadgets?
Do you have any control over anything in your life?
Are you financially independent?
Why do you think marketing and sales earns more than you?
Why do you think this is?
Bonus autist quiz:
Do you have an answer for everything?
Do you think coding == software development?
Do you often (think you) know unrelated factoids that you can impress people with, especially in the middle of a conversation?
Do you think the ability to instruct an CPU means you are destined for more than pure code monkeyship?
Well, then I have a surprise for you.
And it is right in my .. ASS.
Happy bitching, beta motherfuckers!
1. Re:Code monkeys by Anonymous Coward · 2018-01-12 01:33 · Score: 0
  
  Nothing is more beta than trolling on /.
2. Re:Code monkeys by Anonymous Coward · 2018-01-12 01:37 · Score: 1
  
  Are you kidding? Trolling /. is for gammas.
3. Re:Code monkeys by Anonymous Coward · 2018-01-12 01:55 · Score: 0
  
  Well, then I have a surprise for you.
  And it is right in my .. ASS.
  A dick? Since when are you into sharing, AC?
4. Re: Code monkeys by Anonymous Coward · 2018-01-12 21:23 · Score: 0
  
  Lolll
Nice spin there Intel by 110010001000 · 2018-01-12 01:33 · Score: 5, Insightful

AMD never said there was a near zero risk for Spectre. AMD is not affected by Meltdown. AMD and Intel affected by Spectre. Period. Stop trying to push Intels problems on AMD.
1. Re:Nice spin there Intel by Chrisq · 2018-01-12 01:48 · Score: 4, Informative
  
  AMD never said there was a near zero risk for Spectre.
  To be fair they did say that there is Near zero risk of exploitation of Spectre variant 2 (Branch Target Injection):
  
  Variant Two Branch Target Injection
  Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
This still has me all confused. by Anonymous Coward · 2018-01-12 01:56 · Score: 0

Should we be expecting a BIOS update for Intel machines? Or is this completely taken care of by the patches that MS and others have pushed out?
1. Re:This still has me all confused. by aliquis · 2018-01-12 02:05 · Score: 1
  
  ASUS has already released BIOSes for their Z370 boards.
  Others haven't. AFAIK / some days ago.
  But yeah, you should expect firmware upgrades for spectre.
2. Re:This still has me all confused. by Anonymous Coward · 2018-01-12 03:03 · Score: 0
  
  You should expect a microcode update from MS such as this while we wait for BIOS updates to come out https://support.microsoft.com/...
Why are we using the Verge as a source ? by RedK · 2018-01-12 01:58 · Score: 4, Informative

The Verge is obvioulsy a non-credible source. Or does that just apply to stories editors don't want to publish (*ahem* twitter *ahem) ?
What a terrible article. Here Slashdot editors, a better one from a no-name site that actually gets the facts right :
https://www.lowyat.net/2018/152301/amd-begin-distributing-firmware-updates-patch-spectre-vulnerability/
Or just use the damn primary source :
http://www.amd.com/en/corporate/speculative-execution

--
"Not to mention all the idiots who use words like boxen."
Anonymous Coward on Monday August 04, @06:49PM
Firmware Patch Required as well by CraigCruden · 2018-01-12 02:04 · Score: 3

Your PC maker or motherboard maker should have a patch for firmware / microcode. To completely mitigate the vulnerability on Intel based computers - you will have to patch both the OS and the firmware. I believe the firmware patch is required as part of Spectre (probably 2nd variant). Without both, your computer will be still vulnerable. Unfortunately I believe there is a chance that the patch could fail silently - but there is a powerscript that will tell you the status of the vulnerability patches.
1. Re:Firmware Patch Required as well by Anonymous Coward · 2018-01-12 02:09 · Score: 0
  
  Thank you. Now I'm wondering if my Thinkpad x220 with get a BIOS update...
2. Re:Firmware Patch Required as well by Anonymous Coward · 2018-01-12 03:21 · Score: 0
  
  MS should provide a patch that loads the microcode on OS boot to cover all devices that may be unsupported but still compatible with Windows, as they have in the past like here: https://support.microsoft.com/...
  If for some reason they are late in doing so, load the microcode yourself with this: https://labs.vmware.com/flings...
3. Re:Firmware Patch Required as well by mea2214 · 2018-01-12 05:53 · Score: 2
  
  Unfortunately I believe there is a chance that the patch could fail silently
  
  Nothing on Windows fails silently.
4. Re:Firmware Patch Required as well by thegarbz · 2018-01-12 07:49 · Score: 1
  
  Can you confirm how this works on Linux? Given that Linux has the ability to update microcode during the boot process, and Canonical for example has already pushed out "intel-microcode 3.20180108.0~ubuntu16.04.2", does that mean Linux users don't need any BIOS or otherwise updates?
5. Re:Firmware Patch Required as well by Anonymous Coward · 2018-01-12 12:18 · Score: 0
  
  That's right. The only reason you'd want the BIOS is if you don't trust the OS boot process.
6. Re:Firmware Patch Required as well by Anonymous Coward · 2018-01-12 12:36 · Score: 0
  
  I.e. GRUB
Firmware patch is not from Microsoft. by CraigCruden · 2018-01-12 02:06 · Score: 1

The firmware update comes from your PC manufacturer or motherboard manufacturer.
1. Re:Firmware patch is not from Microsoft. by Anonymous Coward · 2018-01-12 02:10 · Score: 0
  
  OR by Windows Update when manufacturers are slow / not supporting their hardware anymore.
  https://support.microsoft.com/...
  This is why we have OS microcode updates. Better safe than sorry.
2. Re:Firmware patch is not from Microsoft. by Anonymous Coward · 2018-01-12 04:06 · Score: 1
  
  The microcode patches for the CPUs come from Intel or AMD. Linux for example will happily load new microcode on bootup, very early in the boot process, before the kernel is fully loaded. Requires zero support from the manufacture of the board or PC itself.
3. Re:Firmware patch is not from Microsoft. by Anonymous Coward · 2018-01-12 05:45 · Score: 0
  
  But doesn't Linux still need the amd64-microcode / intel-microcode -packages to be manually installed? AFAIK, it was not installed by default on Debian.
4. Re:Firmware patch is not from Microsoft. by Anonymous Coward · 2018-01-12 07:05 · Score: 0
  
  Yep, since it's a third party binary blob. But once you get it, it updates along with everything else. Most desktop distributions have a tool to enable this easily: https://linuxmint.com/pictures...
So much bad information out there by Anonymous Coward · 2018-01-12 02:15 · Score: 0

I've read so many articles on Meltdown/Spectre and many of them at least get some of it wrong. Even Microsoft and Intel can't agree on this significance of performance slowdowns. I personally think AMD tried to capitalize on this and downplayed their chips exposure to this. That's marketing, and they also carefully worded their response so as to minimize their exposure. Actually, the better question that needs answering, is where to we go from here with CPU's? These two exploits might be fixable, but they also poise a roadblock to speed even in new CPU's down the road. The users I think most affected by this is users with older hardware and weaker Atom and Celeron CPU's. These users have little to play with in lost performance so these slowdowns are worse even if they only create a small percent reduction.
1. Re:So much bad information out there by Anonymous Coward · 2018-01-12 02:54 · Score: 1
  
  Yeah, capitalizing by pointing out the fact that they aren't vulnerable in any meaingful way. HOW DARE THEY! ALL HAIL INTEL!
2. Re:So much bad information out there by Anonymous Coward · 2018-01-12 03:01 · Score: 3, Insightful
  
  I've read so many articles on Meltdown/Spectre and many of them at least get some of it wrong. Even Microsoft and Intel can't agree on this significance of performance slowdowns. I personally think AMD tried to capitalize on this and downplayed their chips exposure to this.
  Quite the opposite. Intel conflated Meltdown and Spectre in order to downplay their chips exposure. Meltdown is the Intel-only extreme performance killer, causing the OS to jump through retarded flaming hoops just to stay safe. None of the spectre mitigations impact performance, but hey let's mix it in with Meltdown so it looks like other chipmakers produced shitty chips too, right?
3. Re:So much bad information out there by An+Ominous+Cow+Erred · 2018-01-12 03:43 · Score: 2
  
  Well, the *lowest* performance embedded systems tend to have in-order execution, so there's a plus there at least. e.g. the original Atom CPUs (pre-Silvermont) were in-order, so speculative execution is at least not a problem on that front. That's the same reason a lot of embedded ARM systems are safe, etc. ...also the cache-access-before-protection-check problem with Meltdown requires reliable cache timing, which means they are easier to exploit on systems with large caches. I imagine this is harder to exploit on those ultra-low-cost systems with small caches... and the cache-flush mitigation strategies will have less of an impact on them since the caches weren't that big to begin with.
4. Re:So much bad information out there by Bengie · 2018-01-12 04:28 · Score: 2
  
  Reading some new gaming benchmarks of both games and a wide range of synthetic tests, performance is the same within the margin of error and actually biased to being faster if anything. The 4k random read benchmark on an NVME drive pushing a blistering fast 300k-iops took a 30% hit. That was the only benchmark that showed a negative impact.
5. Re:So much bad information out there by Anonymous Coward · 2018-01-12 10:03 · Score: 1
  
  And who wrote TFA? Some Intel shill.
  Also, note, I wrote "in any meaningful way". The researchers managed to get their exploit to do "something" on one AMD cpu, in a very specific, non default configuration.
  Just go read the papers published by the google people. Don't read "articles" or the "trade press". They are infected by stupidity, Intel advertising money and shills.
6. Re: So much bad information out there by Anonymous Coward · 2018-01-12 14:26 · Score: 0
  
  A shame that we have those in production and applying the fix will effectively kill a multi-million platform. I've yet to hear of Intel offering any money to help bolster our workload, so fuck them, it's AMD from now on.
Anonymous Intel Coward by Anonymous Coward · 2018-01-12 03:26 · Score: 1

This BS looks to have come straight from the Intel PR department.
Complete FUD, mixing the two unrelated bugs, and utterly misleading the reader into thinking that AMD's completely accurate response to the major Intel bug was somehow wrong.
As a tech site Slashdot should be ashamed.
1. Re:Anonymous Intel Coward by ElizabethGreene · 2018-01-12 06:35 · Score: 1
  
  In their defense, the AMD article also looked like PR fluff too. Read the January 3rd update AMD published here.
  https://www.amd.com/en/corpora...
  They actually published something useful yesterday, 8 days after the public disclosure.
What about the environment. by Anonymous Coward · 2018-01-12 03:54 · Score: 1

says Mark Papermaster, AMD's chief technology officer.
So that's why we're as far away as ever from POOF, the Paperless Office Of the Future.
Microcode update, not "firmware" by Gravis+Zero · 2018-01-12 04:04 · Score: 3, Insightful

This is an update to microcode which fundamentally modifies the behavior of the instructions within a processor. You could argue that it's just a specific type of firmware but if that's the case then call it by title it's been given! It's not like this is a website for non-technical people.

--
Anons need not reply. Questions end with a question mark.
1. Re:Microcode update, not "firmware" by Anonymous Coward · 2018-01-12 07:27 · Score: 0
  
  Spectre is a serious bug and the only way microcode update will "fix" it is to disable speculative execution. And that will reduce performance considerably.
2. Re:Microcode update, not "firmware" by thegarbz · 2018-01-12 07:51 · Score: 1
  
  You mean this "microcode" that is neither the "hardware" nor actually the "software" but rather something in between? If microcode is not "firmware" what is it? Is it softer than firm making it "squishyware" or harder than firm making it "wayovercookedsteakware" ?
3. Re:Microcode update, not "firmware" by Gravis+Zero · 2018-01-12 08:29 · Score: 1
  
  If microcode is not "firmware" what is it?
  microcode.
  
  --
  Anons need not reply. Questions end with a question mark.
4. Re:Microcode update, not "firmware" by HalAtWork · 2018-01-12 08:34 · Score: 1
  
  Exactly. Microcode is instructions that live in volatile memory that divert and change the normal logic operation of a CPU, used to address errata.
  
  --
  Twinstiq, game news
5. Re:Microcode update, not "firmware" by Anonymous Coward · 2018-01-12 08:49 · Score: 0
  
  You just described microcode patches. Microcode is the set of internal instructions inside a CPU which help it interpret instructions that are too complex or problematic to fully decode in hardware. The patching mechanism allows setting breakpoints inside the ROM microcode to override specific sections with RAM microcode loaded in with the update.
6. Re:Microcode update, not "firmware" by HalAtWork · 2018-01-12 09:06 · Score: 1
  
  My bad I thought OP was talking about microcode updates and that's what the ensuing discussion was about. You're right.
  
  --
  Twinstiq, game news
7. Re:Microcode update, not "firmware" by thegarbz · 2018-01-12 11:32 · Score: 1
  
  So it's code that lives between the software and the hardware?
8. Re:Microcode update, not "firmware" by thegarbz · 2018-01-12 11:33 · Score: 1
  
  Congratulations, you just won stupid of the week.
9. Re:Microcode update, not "firmware" by Gravis+Zero · 2018-01-12 11:55 · Score: 1
  
  Stupid questions get "stupid" answers.
  
  --
  Anons need not reply. Questions end with a question mark.
10. Re:Microcode update, not "firmware" by bongey · 2018-01-12 17:27 · Score: 1
  
  Can I just get a box of chocolates?
11. Re:Microcode update, not "firmware" by Anonymous Coward · 2018-01-12 21:18 · Score: 0
  
  What you actually could argue is that the word firmware includes microcode because that is what it referred to originally:
  
  Ascher Opler coined the term "firmware" in a 1967 Datamation article.[4] Originally, it meant the contents of a writable control store (a small specialized high speed memory), containing microcode that defined and implemented the computer's instruction set [...] Over time, popular usage extended the word "firmware" to denote any computer program that is tightly linked to hardware
  I found this on Wikipedia, which mentions a source in a footnote that doesn't seem to be available online.
Comment removed by account_deleted · 2018-01-12 04:39 · Score: 1

Comment removed based on user account deletion
DO we have a list? by Anonymous Coward · 2018-01-12 11:07 · Score: 0

As a (sad) owner of some 7 Intel-based PCs (and 3 AMD-based ones), I sure would like to know whether some of them have escaped that set of curses.
Ideally, a long list with a column per vulnerability would be best.
Is there such beast? Or should we just sigh and consider newer than 1995 == broken?