Since the public revelation of the Meltdown and Spectre CPU vulnerabilities early this year, Intel has spent virtually the entire time in a reactive mode, starting from the moment the vulnerabilities were disclosed ahead of schedule. Since then the company has been making progress, albeit not without some significant steps backwards such as the faulty microcode updates. However, in recent weeks the company finally seems to be turning a corner on its most pressing issues, and this morning it is releasing a more forward-looking update on its security plans.

Jumping straight to what AnandTech readers will consider the biggest news, Intel is finally talking a bit about future hardware. Intel is announcing that it has developed hardware fixes for both the Meltdown and Spectre v2 vulnerabilities, which will be implemented in future processors. Both the next version of Intel’s Xeon server/HEDT platform – Cascade Lake – and new 8th gen Core processors set to ship in the second half of this year will include the mitigations.

For those not up to date with their Intel codenames, Cascade Lake is the 14nm refresh of Intel’s current Skylake-E/X family. Little official information is available about Cascade Lake, but importantly for datacenter vendors, this lays out a clear timetable for when they can expect to have access to Meltdown- and Spectre-hardened silicon for use in new virtual machine servers. Virtual machine hosts were among the systems at the greatest risk here, since Meltdown lets unprivileged code read kernel memory it should never be able to see, and they are also the systems most impacted by the performance regressions of the software Meltdown mitigation (kernel page-table isolation), whose cost falls mainly on the syscall- and interrupt-heavy workloads such hosts run. This is understandably the most crucial market for Intel to address.

Meanwhile for updating Intel’s consumer chips, this is a bit more nebulous. While Intel hasn’t shared the complete text of their announcement with us ahead of press time, their specific wording is that the changes will be included in 8th gen Core processors “expected to ship in the second half of 2018.” Intel hasn’t said what processor family these are (e.g. Cannon Lake?), or for that matter whether these are even going to be traditional consumer chips or just the Core HEDT releases of Cascade Lake. So there is a lot of uncertainty here over just what this will entail. In the interim we have reached out to Intel about how consumers will be able to identify post-mitigation chips, and while we’re still waiting on a more complete response, Intel has told us that they want to be transparent about the matter.

As for the hardware changes themselves, it’s important to note that Intel’s changes only mitigate Meltdown (what Intel calls “variant 3”) and Spectre variant 2. In both cases the company has mitigated the vulnerabilities through a new partitioning system that improves both process and privilege-level separation, going with a “protective walls” analogy.

Intel's Meltdown & Spectre Hardware Mitigations Plans (2018)

Exploit                                        Mitigation
Meltdown (variant 3)                           Hardware
Spectre variant 1 (bounds check bypass)        Software
Spectre variant 2 (branch target injection)    Hardware

Unfortunately these hardware changes won’t mitigate Spectre variant 1, and admittedly I haven’t been expecting Intel (or anyone else) to solve that one in hardware in 2018. The best mitigations for Spectre v1 will remain developer-focused software techniques applied to the victim code itself: inserting a speculation barrier (LFENCE on x86) after a bounds check, or masking the index so that a misspeculated access cannot stray outside the array, and more generally avoiding layouts that put sensitive data within reach of such code.

The catch is that the more worrying risk with Spectre has always been the v1 variant, because the attack exploits a fundamental property of speculative out-of-order execution rather than a single structure such as the branch target buffer. That is why the initial research on the vulnerability class noted that the researchers weren’t sure they completely understood the full depth of the issue, and the industry as a whole is still working that out. v1 is also not confined to same-privilege targets: the gadget is a bounds check in the victim’s own code, so any code that takes attacker-controlled input and speculatively uses it as an index is a potential victim, kernels and hypervisors included (the original disclosures demonstrated the variant against the Linux kernel from unprivileged user code). What limits it in practice is that the attacker needs a usable gadget in the target, which is why finding and fixing those gadgets in software is where the mitigation work has to happen.
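As an added illustration of why v1 remains a software problem (this is example code written for this page, not code from Intel or from the article), the following C shows the textbook bounds-check-bypass gadget next to the two hardened forms mentioned above: an LFENCE after the check, which is what Intel’s x86 guidance recommends, and a branch-free index mask modelled on the Linux kernel’s generic array_index_mask_nospec() helper. The function names, the arrays, the “secret” and the probe-array layout are all constructed for the example; the attack itself (training the predictor and timing the probe lines) is not reproduced, so the program only checks that the hardened paths behave identically to the original for in-bounds input and that the mask clamps any out-of-bounds index to zero.

```c
/* Spectre v1 (bounds check bypass): the textbook gadget and two software
 * mitigations. Added illustration only, not Intel's or AnandTech's code;
 * all data below is constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE  512  /* stride so each possible byte value maps to its own line */

/* Constructed public table the victim legitimately indexes. */
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
/* Constructed secret; an attacker trains x so that array1[x] resolves into it. */
static const char secret[] = "constructed secret";
/* Probe array: the side channel. Which line ends up cached leaks array1[x]. */
static uint8_t array2[256 * CACHE_LINE];

/* Fill the probe array so the value read back identifies the line touched. */
void spectre_example_init(void)
{
    for (unsigned v = 0; v < 256; v++)
        array2[v * CACHE_LINE] = (uint8_t)v;
}

/* Vulnerable victim (the pattern from the Spectre paper). Architecturally the
 * check holds, but if the predictor guesses "in bounds" for an attacker-trained
 * out-of-bounds x, the CPU speculatively loads array1[x], indexes array2 with it
 * and leaves a cache footprint before the misprediction is squashed. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Mitigation 1 (Intel's x86 guidance): LFENCE after the check, so no load
 * issues until the branch has actually resolved. Costs a pipeline drain. */
uint8_t victim_lfence(size_t x)
{
    if (x < ARRAY1_SIZE) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ __volatile__("lfence" ::: "memory");
#endif
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

/* Mitigation 2: branch-free index mask in the style of the Linux kernel's
 * generic array_index_mask_nospec(): all ones when index < size, zero otherwise.
 * Being arithmetic rather than a branch, it is also correct under speculation. */
static inline size_t array_index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Stop the compiler folding the mask away because the preceding branch
     * "proved" index < size; the compiler does not reason about misspeculation. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return (size_t)(~(intptr_t)(index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1));
}

/* Index as the speculative path will see it: unchanged if in bounds, else 0. */
size_t spec_safe_index(size_t index, size_t size)
{
    return index & array_index_mask_nospec(index, size);
}

uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        /* Even if entered speculatively with x >= ARRAY1_SIZE, the masked index
         * is 0, so the load stays inside array1 and reveals nothing past it. */
        x = spec_safe_index(x, ARRAY1_SIZE);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    spectre_example_init();
    /* Layout-dependent; in a real attack this distance is the x the attacker trains for. */
    printf("secret is %lu bytes from array1\n",
           (unsigned long)((uintptr_t)secret - (uintptr_t)array1));
    size_t probes[] = { 3, ARRAY1_SIZE, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t x = probes[i];
        printf("x=%zu vulnerable=%d lfence=%d masked=%d mask=%zx safe_index=%zu\n",
               x, victim_vulnerable(x), victim_lfence(x), victim_hardened(x),
               array_index_mask_nospec(x, ARRAY1_SIZE), spec_safe_index(x, ARRAY1_SIZE));
    }
    return 0;
}
```

Build with `cc -O2 -Wall spectre_v1.c` and note two things a practitioner should take from it: the architectural bounds check is still required (the mask only changes what the misspeculated path can reach), and the mask is only useful if the compiler cannot delete it, which is why the empty asm barrier is there. Neither hardened function is observably different from the original in a unit test; the difference exists only in the microarchitectural side effects of the speculative path.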

Moving on, for Intel’s current processors the company has updated their guidance for releasing the mitigation microcode updates. As of last week, the company has released production microcode updates for all of their products released in the last 5 years. In fact on the Core architecture side it goes even farther than that; Intel has now released microcode updates for all 2nd gen Core (Sandy Bridge) and newer processors, including their Xeon and HEDT variants. There are some outstanding questions here on how these updates will be delivered, as it seems unlikely that manufacturers will release BIOS updates for motherboards going back quite that far, but judging from how Intel and Microsoft have cooperated thus far, I’d expect to see these microcode updates also released to Windows Update in some fashion.

Finally, Intel will also be going even further back with their microcode updates. Their latest schedule calls for processors as old as the Core 2 lineup to get updates, including the 1st gen Core processors (Nehalem/Gulftown/Westmere/Lynnfield/Clarksfield/Bloomfield/Arrandale/Clarkdale) and the 45nm Core 2 processors (Penryn/Yorkfield/Wolfdale/Harpertown). This would cover most Intel processors going back to late 2007 or so. It’s worth noting that the 65nm Core 2 processors (Conroe, etc.) are not on this list, but then the later Core 2 processors weren’t on the list either at one point.

Intel's Core Architecture Meltdown & Spectre v2 Mitigations

Microarchitecture             Core Generation   Status
Penryn                        45nm Core 2       Microcode Planning
Nehalem/Westmere              1st               Planning/Pre-Beta
Sandy Bridge                  2nd               Microcode Released
Ivy Bridge                    3rd               Microcode Released
Haswell                       4th               Microcode Released
Broadwell                     5th               Microcode Released
Skylake                       6th               Microcode Released
Kaby Lake                     7th               Microcode Released
Coffee Lake                   8th               Microcode Released
H2'2018 Core (Cannon Lake?)   8th               Hardware Immune
Cascade Lake                  X                 Hardware Immune

Update: Intel has also released a video to go with their announcement, in case you like your information in a visual form.

Source: Intel




  • zmeul - Thursday, March 15, 2018 - link

    I'd shit my pants if they release a BIOS update for my X38 mobo.
  • willis936 - Thursday, March 15, 2018 - link

    All these microcode patches mean squat if the 15 motherboard vendors don't update their 15,000 motherboard model BIOSes. I'd be shocked if ASUS even updated my 4 year old mobo, let alone my Core 2 machine.
  • willis936 - Thursday, March 15, 2018 - link

    Hell, it looks like my dual IVB-E system doesn't have a planned BIOS update. Basically any consumer machine older than Haswell is given the finger. I'd love to see a statement or commitment to the contrary.
  • XabanakFanatik - Thursday, March 15, 2018 - link

    If we're talking about ASUS, even Haswell and Broadwell aren't getting any love. They have only two boards listed on their consumer motherboard list, and neither of them has actually received the listed BIOS update yet.

    They are second generation X99 boards, so all the first generation X99 boards, Z97, and Z87 boards are being ignored by them, apparently.
  • Cyanara - Thursday, March 15, 2018 - link

    Yeah, ASUS and Gigabyte are the big names here in Australia, yet I noticed ASUS's lack of updates on our office's second gen X99 board. Pretty shoddy support for a recent premium product.

    Our Gigabyte X99 boards on the other hand received microcode updates at the end of January. I'm definitely happy to continue supporting them if it means they keep our business a bit safer.
  • Morawka - Friday, March 16, 2018 - link

    I've had good luck with ASUS and BIOS updates. I had an X48 board that got BIOS updates for 7 years, the R2E.
  • DanNeely - Thursday, March 15, 2018 - link

    There are mechanisms to allow OS drivers to load updated microcode when they start up. If you're using a currently supported mainstream OS it can load the update for you every time you run it.

    A BIOS update is still better since it protects the system at bootup, and in any OSes that don't have the updated microcode available as part of their kernel driver packages; but the delivered by the OS mechanism will allow most systems to be covered in normal use.
  • Alexvrb - Friday, March 16, 2018 - link

    They don't need to. All they need to do is release a microcode update for your CPU. If they do, you will be able to snag a patch from MS that applies the microcode before loading Windows. At first you'll have to get it directly from MS on the web, but I've heard it will eventually be rolled into Windows Update for the next major release. Unless you're on an older version... in which case... I don't know what to tell you.
  • jjj - Thursday, March 15, 2018 - link

    Can you please ask them to define hardware in this context.
  • Ryan Smith - Thursday, March 15, 2018 - link

    Unfortunately this is all we have at the moment. I expect we'll hear more from Intel once the hardware is closer to shipping.
