Intel drops plans to develop Spectre microcode for ancient chips

  News, Security
image_pdfimage_print
Enlarge / A Sandy Bridge wafer. Sandy Bridge is the oldest chip family that’s guaranteed to get Spectre variant 2 fixes.

Intel has scaled back its plans to produce microcode updates for some of its older processors to address the “Spectre variant 2” attack. Core 2 processors are no longer scheduled to receive updates, and, while some first generation Core products have microcode updates available already, others have had their update cancelled.

Earlier this year, attacks that exploit the processor’s speculative execution were published with the names Meltdown and Spectre, prompting a reaction from hardware and software companies.

The Spectre attack has two variants, numbered version 1 and version 2. Spectre version 1 attacks will need software fixes, and the nature of these attacks means that they may always need software fixes. Version 2 is amenable to hardware and firmware fixes.

Over the last few months, Intel has been delivering microcode updates to provide firmware fixes for many of its processors already in the field. The microcode updates give operating systems greater control over the branch prediction and speculative execution capabilities of the processor, protecting against Spectre version 2, albeit with some performance cost.

In March, Intel said that it was developing microcode fixes for processors as old as the 45nm Core 2 chips (built on the Penryn architecture) and the first-generation Core processors (built using the Westmere and Nehalem architectures). However, the company’s latest update on the status of its microcode revisions indicates that it has dropped some of these plans.

None of the Core 2 processors will now receive a microcode update for Spectre. Some Westmere and some Nehalem processors have an update available, but those that don’t will now never be updated.

The reason Intel has given for this decision is threefold:

  • Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715).
  • Limited Commercially Available System Software support.
  • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

With this policy change, Intel has developed all the Spectre microcode fixes it’s going to. The decision to update some first-generation Core processors but not others is still a little peculiar, as it’s hard to imagine how these reasons might apply to some variants but not others. Owners of Sandy Bridge or newer systems can be confident of having updated microcode, but anyone with a first generation chip would be advised to read Intel’s list of parts to figure out whether they’ll be getting a fix or not.

https://arstechnica.com/?p=1288023