AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities

An anonymous reader quotes a report from The Verge: AMD's initial response to the Meltdown and Spectre CPU flaws made it clear "there is a near zero risk to AMD processors." That zero risk doesn't mean zero impact, as we're starting to discover today. "We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," says Mark Papermaster, AMD's chief technology officer. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors "over the coming weeks." Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn't saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not. AMD is also revealing that its Radeon GPU architecture isn't impacted by Meltdown or Spectre, simply because those GPUs "do not use speculative execution and thus are not susceptible to these threats." AMD says it plans to issue further statements as it continues to develop security updates for its processors.

Re:NO! My Narrative!

[Anonymous Coward]

You are confusing Meltdown and Spectre. Meltdown: only Intel. Spectre: almost everything.

Re:NO! My Narrative!

[Carewolf]

You are confusing Meltdown and Spectre. Meltdown: only Intel. Spectre: almost everything.

And spectre has two variants, and the second variant doesn't affect AMD Zen processors, but does affect older AMD processors.

Re: NO! My Narrative!

[Anonymous Coward]

I don't like the man either, but that is really wishful thinking.

Re:

[OrangeTide]

A rich white guy with powerful friends going to prison? Call me a skeptic.

Re:

[Anonymous Coward]

Not just Intel. Meltdown also affects ARM (Cortex-A75).

Re:

[Anonymous Coward]

Not just Intel. Meltdown also affects ARM (Cortex-A75)

Just one chip from ARM (all other ARM processors are not affected by Meltdown), allowing Intel to cry "it's not just all our processors!". So yeah, it's almost exclusively every single Intel chip in the last 20 years (since the Pentium Pro) that is fundamentally shafted. It's sure not like Intel to have a history of significant hardware flaws (F00F, FDIV), right?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:NO! My Narrative!

[gweihir]

Also: Spectre: Pretty old news, just somebody made it more practical now.

The only reason Spectre is pushed in the news is that Intel is desperately trying to obscure the magnitude of their screw-up with Meltdown.

And another sleazy insert.

[Anonymous Coward]

"... whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not."

You just *had* to mention EPYC *a second time*, to really truly highlight your suggesive narrative.

Like "ACs didn't say there weren't shills, nor did TFS's AC say he wasn't a complete shill.". --.--

Firmware patch is not from Microsoft.

[Craig Cruden]

The firmware update comes from your PC manufacturer or motherboard manufacturer.

Re:

[Anonymous Coward]

The microcode patches for the CPUs come from Intel or AMD. Linux for example will happily load new microcode on bootup, very early in the boot process, before the kernel is fully loaded. Requires zero support from the manufacture of the board or PC itself.

Re:

[arbiter1]

MS was set to release the update but reports of claims of older AMD powered machines were fail to boot after the update with no ability to roll back to before the update. MS pulled the patch from being pushed out pending they fix the problem.

Re:

[Anonymous Coward]

Are you kidding? Trolling /. is for gammas.

Nice spin there Intel

[110010001000]

AMD never said there was a near zero risk for Spectre. AMD is not affected by Meltdown. AMD and Intel affected by Spectre. Period. Stop trying to push Intels problems on AMD.

Re:Nice spin there Intel

[Chrisq]

AMD never said there was a near zero risk for Spectre.

To be fair they did say [amd.com] that there is Near zero risk of exploitation of Spectre variant 2 (Branch Target Injection):

Variant Two Branch Target Injection
Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

Firmware Patch Required as well

[Craig Cruden]

Your PC maker or motherboard maker should have a patch for firmware / microcode. To completely mitigate the vulnerability on Intel based computers - you will have to patch both the OS and the firmware. I believe the firmware patch is required as part of Spectre (probably 2nd variant). Without both, your computer will be still vulnerable. Unfortunately I believe there is a chance that the patch could fail silently - but there is a powerscript that will tell you the status of the vulnerability patches.

Re:

[mea2214]

Unfortunately I believe there is a chance that the patch could fail silently

Nothing on Windows fails silently.

Re:

[thegarbz]

Can you confirm how this works on Linux? Given that Linux has the ability to update microcode during the boot process, and Canonical for example has already pushed out "intel-microcode 3.20180108.0~ubuntu16.04.2", does that mean Linux users don't need any BIOS or otherwise updates?

Re:

[aliquis]

ASUS has already released BIOSes for their Z370 boards.
Others haven't. AFAIK / some days ago.

But yeah, you should expect firmware upgrades for spectre.

Why are we using the Verge as a source ?

[RedK]

The Verge is obvioulsy a non-credible source. Or does that just apply to stories editors don't want to publish (*ahem* twitter *ahem) ?

What a terrible article. Here Slashdot editors, a better one from a no-name site that actually gets the facts right :

https://www.lowyat.net/2018/152301/amd-begin-distributing-firmware-updates-patch-spectre-vulnerability/ [lowyat.net]

Or just use the damn primary source :

http://www.amd.com/en/corporate/speculative-execution [amd.com]

Re:

[Anonymous Coward]

Yeah, capitalizing by pointing out the fact that they aren't vulnerable in any meaingful way. HOW DARE THEY! ALL HAIL INTEL!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

And who wrote TFA? Some Intel shill.

Also, note, I wrote "in any meaningful way". The researchers managed to get their exploit to do "something" on one AMD cpu, in a very specific, non default configuration.

Just go read the papers published by the google people. Don't read "articles" or the "trade press". They are infected by stupidity, Intel advertising money and shills.

Re:

[Anonymous Coward]

I've read so many articles on Meltdown/Spectre and many of them at least get some of it wrong. Even Microsoft and Intel can't agree on this significance of performance slowdowns. I personally think AMD tried to capitalize on this and downplayed their chips exposure to this.

Quite the opposite. Intel conflated Meltdown and Spectre in order to downplay their chips exposure. Meltdown is the Intel-only extreme performance killer, causing the OS to jump through retarded flaming hoops just to stay safe. None of the spectre mitigations impact performance, but hey let's mix it in with Meltdown so it looks like other chipmakers produced shitty chips too, right?

Re:

[An Ominous Cow Erred]

Well, the *lowest* performance embedded systems tend to have in-order execution, so there's a plus there at least. e.g. the original Atom CPUs (pre-Silvermont) were in-order, so speculative execution is at least not a problem on that front. That's the same reason a lot of embedded ARM systems are safe, etc. ...also the cache-access-before-protection-check problem with Meltdown requires reliable cache timing, which means they are easier to exploit on systems with large caches. I imagine this is harder to exp

Re:

[Bengie]

Reading some new gaming benchmarks of both games and a wide range of synthetic tests, performance is the same within the margin of error and actually biased to being faster if anything. The 4k random read benchmark on an NVME drive pushing a blistering fast 300k-iops took a 30% hit. That was the only benchmark that showed a negative impact.

Anonymous Intel Coward

[Anonymous Coward]

This BS looks to have come straight from the Intel PR department.

Complete FUD, mixing the two unrelated bugs, and utterly misleading the reader into thinking that AMD's completely accurate response to the major Intel bug was somehow wrong.

As a tech site Slashdot should be ashamed.

Re:

[ElizabethGreene]

In their defense, the AMD article also looked like PR fluff too. Read the January 3rd update AMD published here.

https://www.amd.com/en/corpora... [amd.com]

They actually published something useful yesterday, 8 days after the public disclosure.

What about the environment.

[Anonymous Coward]

says Mark Papermaster, AMD's chief technology officer.

So that's why we're as far away as ever from POOF, the Paperless Office Of the Future.

Microcode update, not "firmware"

[Gravis Zero]

This is an update to microcode which fundamentally modifies the behavior of the instructions within a processor. You could argue that it's just a specific type of firmware but if that's the case then call it by title it's been given! It's not like this is a website for non-technical people.

Re:

[thegarbz]

You mean this "microcode" that is neither the "hardware" nor actually the "software" but rather something in between? If microcode is not "firmware" what is it? Is it softer than firm making it "squishyware" or harder than firm making it "wayovercookedsteakware" ?

Re:

[Gravis Zero]

If microcode is not "firmware" what is it?

microcode.

Re:

[HalAtWork]

Exactly. Microcode is instructions that live in volatile memory that divert and change the normal logic operation of a CPU, used to address errata.

Re:

[HalAtWork]

My bad I thought OP was talking about microcode updates and that's what the ensuing discussion was about. You're right.

Re:

[thegarbz]

So it's code that lives between the software and the hardware?

Re:

[thegarbz]

Congratulations, you just won stupid of the week.

Re:

[Gravis Zero]

Stupid questions get "stupid" answers.

Re:

[bongey]

Can I just get a box of chocolates?