Red Hat slams into reverse on CPU fix for Spectre design blunder

Microcode mitigations trigger system wobbles, penguinistas warn

By Paul Kunert

Posted in Servers, 18th January 2018 07:36 GMT

Techies are scratching their heads after Red Hat pulled a CPU microcode update that was supposed to mitigate variant two of the Spectre design flaw in Intel and AMD processors.

This U-turn follows VMware, Lenovo and other vendors stalling on rolling out microcode patches after Intel admitted its firmware caused systems to fall over. Intel says it is working on better microcode.

In a note to IT departments, Red Hat confirmed the latest version of its microcode_ctl package will not contain any solution for CVE-2017-5715, aka Spectre variant two, a processor security blunder we previously detailed here.

That's because the Spectre workaround in the microcode was causing systems to become unbootable. Here's a key part of the letter to customers, seen by El Reg:

Latest microcode_ctl package will not contain mitigation for CVE-2017-5715 (Spectre, Variant 2)

Historically, for certain systems, Red Hat has provided updated microprocessor firmware, developed by our microprocessor partners, as a customer convenience. Further testing has uncovered problems with the microcode provided along with the “Spectre” CVE-2017-5715 mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known and tested microcode version dated before 03 January 2018 and does not address “Spectre” CVE-2017-5715.

To fully mitigate the vulnerability, peeps using AMD Zen and Intel Skylake-, Broadwell- and Haswell-powered kit should obtain and install microprocessor firmware direct from their hardware vendors, along with the latest kernel packages from Red Hat.

Which, er, sounds like Red Hat has given up and, to avoid any blame, has told its customers to just get whatever firmware your CPU maker is offering. And if it works, it works, and if it makes your box fall over, uh, don't look at Red Hat. Here's the next part of the customer note:

In order to mitigate “Spectre” CVE-2017-5715 fully, Red Hat strongly recommends that customers contact their hardware provider for the latest microprocessor firmware updates.

Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.

The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.

The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.

A senior techie who spoke to us on condition of anonymity said it was “now a bit harder to see what we need to do to protect our systems.”

“Do we need hardware vendor patches, BIOS patches or what? Then manually add Intel Raw firmware patches to the OS? A real mess if you ask me,” our contact added.

Red Hat’s Customer Portal Labs has published a Spectre and Meltdown detector for Red Hat Enterprise Linux 5 and later, which can be used online for kernel detection or downloaded and run locally to ascertain whether the two flavours of Spectre and the one of Meltdown have been mitigated. ®
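Red Hat's detector is the tool the article points at; the script below is an added example, not Red Hat's code, showing the two things an admin would check by hand after this reversal: what the kernel itself reports in /sys/devices/system/cpu/vulnerabilities/ (the meltdown, spectre_v1 and spectre_v2 files that 4.15-era kernels and the RHEL backports expose) and which microcode revision the kernel actually loaded, from the "microcode" field of /proc/cpuinfo. The sample directory it builds is constructed for offline demonstration; the status strings, the 0xc2 revision and the function names are assumptions, and a "Mitigation:" line for spectre_v2 only tells you what the kernel did, not whether the OEM firmware the note says is needed for full mitigation is in place.

```shell
#!/bin/sh
# Added example, not Red Hat's Customer Portal Labs detector. Summarises the
# kernel's own Meltdown/Spectre reporting plus the loaded microcode revision.

# One line per vulnerability file: NAME<TAB>STATUS<TAB>MITIGATED|NOT_MITIGATED
# $1 = directory holding the files (defaults to the real sysfs path).
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/meltdown "$dir"/spectre_v1 "$dir"/spectre_v2; do
        name=$(basename "$f")
        if [ ! -r "$f" ]; then
            # An old kernel that predates these files cannot be assumed patched.
            printf '%s\tunknown (kernel does not expose this file)\tNOT_MITIGATED\n' "$name"
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) verdict=MITIGATED ;;
            *)                           verdict=NOT_MITIGATED ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$status" "$verdict"
    done
}

# Microcode revision the kernel loaded, read from a cpuinfo-format file.
# After Red Hat's revert this should be a pre-3 January 2018 revision unless
# the OEM firmware was installed separately.
microcode_rev() {
    awk -F': ' '/^microcode/ {print $2; exit}' "${1:-/proc/cpuinfo}"
}

# Exit 0 only if every listed vulnerability reports a mitigation.
all_mitigated() {
    report_vulns "$1" | awk -F'\t' '$3 != "MITIGATED" {bad=1} END {exit bad}'
}

# Constructed sample (assumption, not real output from any machine): a box whose
# kernel has PTI for Meltdown but reports Spectre v2 as still vulnerable.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vulnerabilities"
    echo "Mitigation: PTI" > "$d/vulnerabilities/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/vulnerabilities/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/vulnerabilities/spectre_v2"
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0xc2\n' > "$d/cpuinfo"
    echo "$d"
}

# Stand-alone run over the constructed sample; drop the arguments to check the
# live system instead.
SAMPLE=$(make_sample)
report_vulns "$SAMPLE/vulnerabilities"
echo "microcode revision: $(microcode_rev "$SAMPLE/cpuinfo")"
all_mitigated "$SAMPLE/vulnerabilities" && echo "all mitigated" || echo "NOT fully mitigated"
rm -rf "$SAMPLE"
```

Run it with no arguments on a RHEL box to read the real sysfs files; a NOT_MITIGATED verdict for spectre_v2 after applying the reverted microcode_ctl is exactly the case the customer note describes, where the remaining step is OEM firmware plus the latest kernel packages.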
