Intel Reverses Course on Patching Older Chips for Spectre/Meltdown
In Intel’s latest (and possibly final) update to its Meltdown and Spectre mitigation guide, published April 3, the company revealed that a number of its older CPU models will not receive microcode updates intended to protect against one of the now notorious security vulnerabilities that came to light in early January and were found to afflict most modern chips.
After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons including, but not limited to the following:
• Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
• Limited Commercially Available System Software support
• Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The microcode update (MCU) roadmap lists the following chips as having a “stopped [microcode update] production status”: Bloomfield (including Xeon); Clarksfield; Gulftown; Harpertown Xeon C0 and E0; Jasper Forest; Penryn/QC; SoFIA 3GR; Wolfdale C0, M0, E0, R0, Xeon C0, and Xeon E0; and Yorkfield (including Xeon).
All of these products, with the exception of the Atom-based SoFIA line canceled in 2016, were produced between 2007 and 2011. Essentially, Intel is saying that these chips are either particularly resistant to being shored up or that they have too few users to warrant the effort.
“We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero,” said Intel in a statement. “However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”
Intel further recommends that users discontinue use of previously released MCUs for affected chips due to “system stability issues.”
The company also announced the availability of updated production microcodes for the following products: Arrandale, Clarkdale (including Xeon), Lynnfield (including Xeon), Nehalem (EP, WS and EX), and Westmere (EP, WS and EX).
Intel published the first Meltdown and Spectre mitigation guide in February 2018 to provide status updates on the availability of its microcode revisions. In the most up-to-date PDF, red indicates “stopped production status” and other changes to previous versions are highlighted in yellow.
Intel announced in February that it is facing dozens of lawsuits from parties seeking damages over the hacking threat and/or slowdown effect of patches. It remains to be seen what effect its remediation strategy will have on the outcome of pending or potential future litigation.
This article originally appeared in sister publication HPCwire.