Intel warns against using Spectre patch due to higher reboots

  • Liam Tung (CSO Online)
  • 23 January, 2018 06:53

Intel on Monday told hardware makers and end users to stop deploying its firmware patch for Spectre CPU attack due to it causing “higher than expected reboots and other unpredictable system behavior”. 

The chip maker began investigating its patch after users reported machines were unexpectedly rebooting after installing the update. The stability issues were initially thought to be contained to older Broadwell and Haswell chips, but Intel confirmed last week it was also happening on Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors. 

Despite this, Intel told hardware makers to continue releasing its then current update for the Spectre Variant 2 attack CVE-2017-5715, but today its changed position, telling partners to stop.    

“We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior,” wrote Intel’s executive vice president Navin Shenoy. 

Shenoy said Intel had found the root cause of the reboot issue in Broadwell and Haswell, but doesn't appear to have answer yet for newer chips. Over the weekend it released an early version the fix for Broadwell and Haswell chips to OEMs, which it plans to release once testing is complete. Intel will provide more details about the timing of the fix for these chip architectures this week, according to its updated advisory

Intel hasn't said when fixed patches will be available for other architectures, but notes that the Broadwell and Haswell fixes should help it address the reboot problems on other platforms.

In new guidance detailing affected desktop, mobile and server chips, Intel says it’s creating an option for OEMs to use an old patch that doesn’t cause reboots but removes the mitigation for Variant 2 of the Spectre attack. This would be delivered via a BIOS update that would leave in place mitigations for Variant 1, also Spectre, and Variant 3, Meltdown. 

Variant 2 was considered the most problematic attack to mitigate. Google’s engineers found that CPU mitigations had a significant impact on the performance of current hardware. It developed a software-based mitigation for Variant 2 called Retpoline that it found does not impact performance.