Red Hat slams into reverse on CPU fix for Spectre design blunder

Microcode mitigations trigger system wobbles, penguinistas warn

By Paul Kunert

Techies are scratching their heads after Red Hat pulled a CPU microcode update that was supposed to mitigate variant two of the Spectre design flaw in Intel and AMD processors.

This U-turn follows VMware, Lenovo and other vendors stalling their rollouts of microcode patches after Intel admitted its firmware caused systems to fall over. Intel says it is working on better microcode.

In a note to IT departments, Red Hat confirmed the latest version of its microcode_ctl package will not contain any solution for CVE-2017-5715, aka Spectre variant two, a processor security blunder we previously detailed here.

That's because the Spectre workaround in the microcode was causing systems to become unbootable. Here's a key part of the letter to customers, seen by El Reg:

Latest microcode_ctl package will not contain mitigation for CVE-2017-5715 (Spectre, Variant 2)

Historically, for certain systems, Red Hat has provided updated microprocessor firmware, developed by our microprocessor partners, as a customer convenience. Further testing has uncovered problems with the microcode provided along with the “Spectre” CVE-2017-5715 mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known and tested microcode version dated before 03 January 2018 and does not address “Spectre” CVE-2017-5715.

To fully mitigate the vulnerability, peeps using AMD Zen and Intel Skylake-, Broadwell- and Haswell-powered kit should obtain and install microprocessor firmware direct from their hardware vendors, along with the latest kernel packages from Red Hat.

Which, er, sounds like Red Hat has given up and, to avoid any blame, has told its customers to just get whatever firmware your CPU maker is offering. And if it works, it works, and if it makes your box fall over, uh, don't look at Red Hat. Here's the next part of the customer note:

In order to mitigate “Spectre” CVE-2017-5715 fully, Red Hat strongly recommends that customers contact their hardware provider for the latest microprocessor firmware updates.

Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.

The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.

The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.

A senior techie who spoke to us on condition of anonymity said it was “now a bit harder to see what we need to do to protect our systems.”

“Do we need hardware vendor patches, BIOS patches or what? Then manually add Intel Raw firmware patches to the OS? A real mess if you ask me,” our contact added.

Red Hat’s Customer Portal Labs has published a Spectre and Meltdown detector for Red Hat Enterprise Linux 5 and later, which can be used online for kernel detection or downloaded and run locally to ascertain whether the two flavours of Spectre and the one of Meltdown have been mitigated. ®
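For admins left wondering, as the anonymous techie above was, whether the microcode and kernel on a box actually add up to a Spectre variant 2 mitigation, the following is an added example (not Red Hat's detector script and not code from the article). It reads the microcode revision the CPU reports in /proc/cpuinfo and the kernel's own verdict from the upstream Linux sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 (present on kernels that carry the vulnerabilities interface, which not every enterprise kernel of the time did). The sample cpuinfo text and its microcode revision value are constructed for offline use and are not a known-good revision for any processor.

```shell
#!/bin/sh
# Added example, not part of the original article or of Red Hat's tooling.
# Reports the CPU microcode revision and the kernel's Spectre v2 status so a
# reverted microcode_ctl package shows up as "vulnerable" rather than being
# silently assumed to be fixed.

# Print the microcode revision from /proc/cpuinfo-style text read on stdin.
# The field looks like "microcode<TAB>: 0x...", so split on ':' and trim.
microcode_rev() {
    awk -F: '/^microcode/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Classify one spectre_v2 sysfs line into mitigated / vulnerable / unknown.
# Upstream strings start with "Mitigation:" or "Vulnerable" (optionally
# followed by detail such as the retpoline flavour in use).
spectre_v2_state() {
    case "$1" in
        Mitigation:*) echo mitigated ;;
        Vulnerable*)  echo vulnerable ;;
        *)            echo unknown ;;
    esac
}

# Constructed sample used when /proc/cpuinfo is not readable (e.g. offline).
# The revision value is a placeholder, not a real vendor release.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: constructed sample CPU
microcode	: 0x00000042
'

# Gather both facts and print a one-line verdict; returns 0 only if the
# kernel reports a mitigation in place.
report() {
    if [ -r /proc/cpuinfo ]; then
        rev=$(microcode_rev < /proc/cpuinfo)
    else
        rev=$(printf '%s' "$SAMPLE_CPUINFO" | microcode_rev)
    fi

    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$sysfs" ]; then
        status=$(cat "$sysfs")
    else
        status="(sysfs file absent: kernel does not expose vulnerability status)"
    fi

    state=$(spectre_v2_state "$status")
    echo "microcode revision: ${rev:-unknown}"
    echo "spectre_v2 kernel status: $status"
    echo "verdict: $state"
    [ "$state" = mitigated ]
}

# Run the report only when executed directly, so the functions can be sourced.
case "$0" in
    *spectre_check*) report ;;
esac
```

Usage: save as spectre_check.sh and run it on the host; a non-zero exit means the kernel does not claim a variant 2 mitigation, which after a microcode revert is exactly the case the article describes. A "mitigated" verdict still says nothing about whether the vendor microcode is the stable build, so pair it with the revision the hardware vendor lists as current.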
