Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Intel Kernel Vulnerability fix: why software not microcode
1 point by BuildTheRobots on Jan 3, 2018 | hide | past | favorite | 3 comments
Could someone please explain why the mitigations for the Intel CPU bug are having to be implemented in the OS rather than Microcode?

As it only seems to effect Intel and not AMD processors, and as the issue seems to be with the CPU not invalidating cache after a failed OP, this seems like something that would be best fixed actually on the CPU itself.

I assume there's good reasons why not; if anyone could explain it would be greatly appreciated.



Microcode is very slow. The flaw lies in operations that you want to be as fast as possible (caching, prefetching) so those operations are implemented as hardcoded logic. Hardcoded logic is very fast, but impossible to change after the CPU is created.

It is best fixed on the CPU, but it will require the CPU to be physically changed (just a new mask if Intel is lucky) to fix it at the CPU level.


Thank you for the info.

I have noticed that there is actually a microcode update published today (through centos/rhel at least) so it looks like there's some firmware mitigation on the go.


Yeah, I think I was right and wrong. Right in that the microcode cannot fix the problem but wrong in that the microcode can disable the problematic features (speculative execution, ???) to foil the attack. Unfortunately, that will be a significant and forever performance hit for existing processors.

It makes sense that the features can be enabled and disabled via microcode.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: