AMD Releases Spectre v2 Microcode Updates for CPUs Going Back To 2011 (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: AMD has released CPU microcode updates for processors affected by the Spectre variant 2 (CVE-2017-5715) vulnerability. The company has forwarded these microcode updates to PC and motherboard makers to include them in BIOS updates. Updates are available for products released as far as 2011, for the first processors of the Bulldozer line. Microsoft has released KB4093112, an update that also includes special OS-level patches for AMD users in regards to the Spectre v2 vulnerability. Similar OS-level updates have been released for Linux users earlier this year. Yesterday's microcode patches announcement is AMD keeping a promise it made to users in January, after the discovery of the Meltdown and Spectre (v1 and v2) vulnerabilities.
Sandy Bridge Intel still hasn't been patched, and that's only a few years old.
What about my 486DX-40?
#DeleteFacebook
Now to apply it to my desktops
-- Tigger warning: This post may contain tiggers! --
but not my Phenom II 840 (quad-core) from 2010. Both are still going strong after all these years.
This is the last non-backdoored x86 CPU available, so that's especially painful. I'm using a 6-way Phenom II myself, and it's adequate for pretty much all tasks I do: none of the pieces of software I maintain is big enough, and despite me doing tons of mentoring, stuff that gets sponsored is no LibreOffice or llvm-toolchain.
But then, for secure tasks I can use Allwinner A64 in a Pinebook -- turns out a murderous repressive communist country produces trustworthy hardware while the "land of the free" that sports that 4th Amendment does not.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Please elaborate.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
It's worth noting AMD has said that Spectre 2 is virtually impossible to exploit on the Zen architecture. Even AMD engineers were unable to create a working exploit for it. Of course, they still have to release a patch for it to be on the safe side.
It's a special processor mode that runs above everything else, including the OS and a hypervisor (if present). It's been shown to be insecure even on UEFI-based systems, allowing persistent rootkits. It's also possible to use an exploit to elevate from ring-0 to SMM, therefore owning the entire computer.
https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf
But there's a lot more examples if you just search for it online. Including Wikileaks materials of NSA exploits for it.
but not my Phenom II 840 (quad-core) from 2010. Both are still going strong after all these years.
This is the last non-backdoored x86 CPU available, so that's especially painful.
Which backdoor do you mean? PSP (the equivalent to Intel Management Engine) is not found on the Bulldozer family, which was being developed and sold until Ryzen came out (and it's probably still available). On the mobile and low-power market, they were quicker to change into a new architecture (Bobcat to Jaguar) so PSP appeared there around 2013.
Escher was the first MC and Giger invented the HR department.
There's no way in hell I am taking a 30% performance decrease because of some theoretical memory exploit.
I have been purposely avoiding any 2018 firmwares for just this reason!
But it would be nice to get a confirmation of my bias as things may have changed. Even a 10% performance hit would be not worth it imho. So some rogue process can read a random part of the computer's memory. I'm sure some clever person will figure out a way to exploit it, but I am not buying the hype that this is a super big deal at the current time.
As a potential lottery winner, I totally support tax cuts for the wealthy
I'm also running a Phenom II in my main house machine. Works fine with the things I do with it - browsing, CD ripping, etc - but I use a much more modern processor in my work machine...
I was going to build a new machine this winter, but the price of GPUs kinda discouraged me from that endeavour.
And the worms ate into his brain.
But then, for secure tasks I can use Allwinner A64 in a Pinebook -- turns out a murderous repressive communist country produces trustworthy hardware while the "land of the free" that sports that 4th Amendment does not.
How many binary blobs do you have to run to get full functionality out of your Allwinner-based system? How much do you trust those blobs? Last I checked, kernel mainlining of the A64 had stalled, do you know better?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Works perfectly on Pine64, for Pinebook I use anarsoul's tree; mainlining of that is waiting for dp work that was sluggish but recently gained pace. You also need patched u-boot, but patched ATF is in Debian (and lookie who's packaging that part :) ).
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Will Supermicro update their old 6XXX boards?
There is no patch for pre-2011 CPUs, but are they vulnerable? If I understand correctly, Spectre stems from optimizations that are present in recent CPUs.
Do we have a list of affected AMD processors?
I didn't read that, but backdoored isn't the same as exploitability. So, you sound more like a tinfoiler than researcher.
Well, I have a Pine A64+, but I certainly don't trust it, and I won't until it's a) mainlined and b) functions completely without closed blobs. It's a cool little piece of kit, and it's fun to play with, but it's just a toy. I've had it do a few different minor tasks, and it actually seems like pretty good hardware.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"