AMD Releases Spectre v2 Microcode Updates for CPUs Going Back To 2011

Catalin Cimpanu, writing for BleepingComputer: AMD has released CPU microcode updates for processors affected by the Spectre variant 2 (CVE-2017-5715) vulnerability. The company has forwarded these microcode updates to PC and motherboard makers to include them in BIOS updates. Updates are available for products released as far as 2011, for the first processors of the Bulldozer line. Microsoft has released KB4093112, an update that also includes special OS-level patches for AMD users in regards to the Spectre v2 vulnerability. Similar OS-level updates have been released for Linux users earlier this year. Yesterday's microcode patches announcement is AMD keeping a promise it made to users in January, after the discovery of the Meltdown and Spectre (v1 and v2) vulnerabilities.

Doing better than Intel

[QuesarVII]

Sandy bridge Intel still hasn't been patched, and that's only a few years old.

Re:Doing better than Intel

[drinkypoo]

Stop lying. Almost everything newer than Core 2 Duo is already patched on Intel side.

Not only is that not true, but Intel has announced that it never will be true.

Re: Damn you, AMD!

486 doesn't have dynamic branch prediction.

virtually impossible to exploit on Zen

[edxwelch]

It's worth noting AMD has said that Spectre 2 is virtually impossible to exploit on the Zen architecture. Even AMD engineers were unable to create a working exploit for it. Of coarse, they still have to release a patch for it to be on the safe side.

Don't these patches cripple speed?

[citylivin]

Theres no way in hell i am taking a 30% performance decrease because of some theoretical memory exploit..

I have been purposely avoiding any 2018 firmwares for just this reason!

But it would be nice to get a confirmation of my bias as things may have changed. Even a 10% performance hit would be not worth it imho. So some rogue process can read a random part of the computers memory. I'm sure some clever person will figure out a way to exploit it, but I am not buying the hype that this is a super big deal at the current time.

Re:Don't these patches cripple speed?

Spectre variant 2 even when mitigated by software-only workarounds has almost no performance penalties.

It's variant 3 (Meltdown) which is Intel-only that has from almost no (gaming) to huge (heavy I/O like Redis which gets almost halved performance) impact.

Re:Don't these patches cripple speed?

[thegarbz]

No these patches cause no noticeable change in speed. What you're thinking of is the meltdown patch that requires kernel page table isolation. That causes a 5-20% hit depending on application with nearly all applications that a normal user can expect falling below the 10% mark.

To be clear the is no patch for any of the spec exec bugs that hits 30% penalties in anything other than synthetic benchmarks on that specific worst off case on very specific subset of CPUs.

You'll be fine, not only with this patch but the other ones too.

Re:Not feeling the love...

[drinkypoo]

But then, for secure tasks I can use Allwinner A64 in a Pinebook -- turns out a murderous repressive communist country produces trustworthy hardware while the "land of the free" that sports that 4th Amendment does not.

How many binary blobs do you have to run to get full functionality out of your Allwinner-based system? How much do you trust those blobs? Last I checked, kernel mainlining of the A64 had stalled, do you know better?

Older CPU

[manu0601]

There is no patch for pre-2011 CPU, but are they vulnerable? If I understand correctly, Spectre stems from optimization that are present in recent CPU.

Do we have a list of affected AMD processors?