2

We all know about Spectre and Meltdown at this point. The takeaway is that while Meltdown can be solved/worked around with a (complex and invasive) kernel patch (namely KAISER/PTI), Spectre requires an updated microcode with advanced branch control.

Until some days ago, Red Hat shipped an updated microcode_ctl package which, in some (but not all) cases, had the appropriate microcode to patch/update (early in the boot process) the base processor microcode.

However, it seems the updated microcode causes system instability, unexpected reboot and even unbootable systems. So Red Hat reverted the microcode_ctl package to not load the microcode update needed to fix Spectre. Now their official suggestion is "to contact their silicon vendor to get the latest microcode for their particular processor".

While understandable, this stance only moves the "instability provider" down from the OS to the BIOS/firmware itself.

So, my question is: how do you feel about the microcode update? Have you applied the new BIOS/firmware to production systems? Any instability to report/comment on? Finally, should I wait for a new "patch round", or do you advise applying the BIOS/firmware fix immediately?

shodanshok
  • 52,255
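Before deciding whether to roll a microcode or BIOS update out (or back), it helps to know what the host is actually running. The script below is an added example, not part of the original question or answers: it parses the `microcode` field of `/proc/cpuinfo` (a hex revision reported per logical CPU on x86) and the kernel's `/sys/devices/system/cpu/vulnerabilities/*` status files, and reports whether the revision is consistent across all CPUs and which variants the kernel considers mitigated. The sample `/proc/cpuinfo` text and sysfs contents embedded in it are constructed for the demonstration; the function names are mine.

```python
"""Report loaded microcode revision and kernel Spectre/Meltdown mitigation status.

Added example (not from the original post). It reads the real /proc/cpuinfo and
sysfs files when run on a Linux host and falls back to constructed sample data
otherwise, so it can be exercised offline.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample: two logical CPUs, both reporting the same microcode revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed Sample CPU
microcode\t: 0x3c
flags\t\t: fpu vme de pse

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Constructed Sample CPU
microcode\t: 0x3c
flags\t\t: fpu vme de pse
"""

# Constructed sample of the sysfs status files (file name -> file content).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def parse_microcode_revisions(cpuinfo_text):
    """Return {processor_index: microcode_revision_int} parsed from /proc/cpuinfo text."""
    revisions = {}
    current = None
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between processor blocks
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
        elif key == "microcode" and current is not None:
            revisions[current] = int(value, 16)  # field is hex, e.g. "0x3c"
    return revisions


def classify_status(text):
    """Map a sysfs vulnerability file's content to a coarse verdict."""
    lowered = text.strip().lower()
    if lowered.startswith("not affected"):
        return "not affected"
    if lowered.startswith("mitigation"):
        return "mitigated"
    if lowered.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def read_mitigations(vuln_dir=VULN_DIR):
    """Read every file in the sysfs vulnerabilities directory; {} if the kernel lacks it."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(vuln_dir.iterdir())}


def report(cpuinfo_text, statuses):
    """Combine both sources into one dict a practitioner can act on."""
    revisions = parse_microcode_revisions(cpuinfo_text)
    distinct = sorted(set(revisions.values()))
    return {
        "cpu_count": len(revisions),
        "microcode_revisions": [hex(r) for r in distinct],
        # Mixed revisions mean a late microcode load did not reach every CPU.
        "microcode_consistent": len(distinct) == 1,
        "mitigations": {name: classify_status(text) for name, text in statuses.items()},
    }


def live_report():
    """Use the real files when present, otherwise the constructed sample data."""
    cpuinfo_text = CPUINFO.read_text() if CPUINFO.is_file() else SAMPLE_CPUINFO
    statuses = read_mitigations() or SAMPLE_STATUS
    return report(cpuinfo_text, statuses)


if __name__ == "__main__":
    for key, value in live_report().items():
        print(f"{key}: {value}")
```

The `vulnerabilities` directory is only present on kernels that carry the mitigation code (mainline 4.15 and distribution backports), so an empty result from `read_mitigations()` is itself a finding: the kernel is too old to report status, not necessarily mitigated. A `spectre_v2` verdict of "vulnerable" alongside an unchanged microcode revision is exactly the state the question describes after the `microcode_ctl` rollback.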

2 Answers

1

I don't think that's what they are actually saying. There's no mention of UEFI/BIOS updates or system vendors/motherboard vendors (although that is certainly a good option when available, and if the new microcode is working reliably).

At least to me, "Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor" reads: "download and use the current microcode at your own risk, or bug Intel for a fixed version".

I also imagine that Red Hat's decision is for this version with known stability issues specifically; once there is an update, I would imagine that they will reevaluate (probably giving it a little more time before rolling it out to everyone).

There are other OS vendors that similarly did roll out the microcode update and have now rolled back their updates (see e.g. VMware's announcement).

All in all, my impression is that with the current microcode version (packaged by Intel as 20180108), it appears that there's a trade-off of "stability issues with precious little information on what triggers them" vs "possibility of spectre mitigation", and that major OS vendors seem to be taking the "stability" side while the issues are being addressed.

0

OK, it seems that multiple vendors have retired their BIOS update, so the firmware update option is almost non-existent at the moment. For example, from the Dell site:

Patch Guidance (update 2018-01-22): Intel has communicated new guidance regarding "reboot issues and unpredictable system behavior" with the microcode included in the BIOS updates released to address Spectre (Variant 2), CVE-2017-5715. Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel.

If you have already deployed the BIOS update, in order to avoid unpredictable system behavior, you can revert back to a previous BIOS version. See the tables below.

As a reminder, the Operating System patches are not impacted and still provide mitigation to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.

This is confirmed by Intel's own documentation.

Basically, the only method to obtain the required ucode is to manually download it from Intel's site.

TL;DR: I'll wait and see for the fallout of the failed microcode update to settle. Meltdown and Spectre variant 1 can be patched by simply updating the kernel, fortunately.

shodanshok
  • 52,255