This is only Spectre, not Meltdown. Meltdown requires KPTI, which depends on your OS. For OSs that did not enjoy months of advanced disclosure (which is: any OS that isn't Windows, MacOS or mainline Linux), that work is ongoing and will depend on the OS. (Speaking for SmartOS/illumos, that work is reasonably far along and making promising progress -- but we don't yet have a functional prototype.)
As for Spectre, these are just the microcode updates that have the additional MSRs that allow system software to mitigate certain variants of Spectre attack against the system software itself. They are necessary, but emphatically not sufficient -- and it would disingenuous for Intel to pretend that this in any way means that 90% of systems are protected from Meltdown and Spectre.
How does one patch a CPU?
Does the update come in the form of a BIOS update? If so, then the patch still has to travel through the PC manufacturers, like when Google patches Android. Or can it be somehow applied directly?
Edit: Apparently the OS can update the CPU's microcode. No need for BIOS updates. It was even done in the past. For instance, an unrelated Windows Vista update that updates microcode: https://support.microsoft.com/en-us/help/936357/a-microcode-...
What I'm worried about is that it will be hard to avoid these security patches when you don't need them. Say you have a non-virtualized, non-shared server that only runs your own trusted code. I don't want to be forced to pay the performance penalty but it might be unavoidable without resorting to maintaining your own linux fork.
According to last weeks press release, they mean 90% of recent chips, which is far less than 90% of intel CPU's out in the wild: https://newsroom.intel.com/news-releases/intel-issues-update...
> Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years
It's also unclear what they mean by "introduced within" Does it mean when the product was first developed? First on sale? If I bought a new computer 3 years ago what is the likely-hood that it's CPU was "introduced" much earlier?
I wonder what will the next big security hole.
I'm becoming very pessimistic about how I can trust computers.
Computers can do amazing thing, but software seems fragile, unreliable and untrustworthy.
I have been keeping notes on paper for years now, and it doesn't look like it's going to change.
Surely he is talking about the Win/Mac/Linux kernel patches? Would seem bizarre for all the work to go on the kernels when Intel had some firmware patches up their sleeve? Also I thought Spectre is something that is unlikely to be patched in the near future.
If Intel knew about the issues on June 1, why are the patches only appearing now? I thought the point of an embargo was to let the fixes come first.
So when will chips with a fix in silicon be available?
Keep in mind, they did NOT say patches with no cost. Mostly they are adding ways to disable speculation on indirect branches. This has a cost.
I half thought he was going to talk about using ME to push updates to Intel-based machines. Thank god they have a backdoor to fix security issues! ;-)
10% equals how many billions of chips?
Any guesses as to which vulnerabilities they're going to patch? Some of them? All of them?
How do you patch a CPU remotely? Are the instructions programmable?
Have there been any reports of exploits using Meltdown/Spectre in the wild yet?
At what performance cost?
I thought they already provided a microcode update?
This is how this terrible CEO tells us about microcode fixes, at a CES speech? Or is he even talking about a microcode update, or about the patches everybody else has been losing their lives working on? What a crap response to such a huge and existential issue.
Make a web page on the Intel site with concise, real information on what's going on and what to do. We're a week into disclosure and there's still no patch for most people's servers. A patch that takes up to a 30% performance hit but may not be necessary if there's going to be a microcode fix?
I know this is just a cute speech and debate practice session for the Intel execs, but I have servers that will have to get trashed because of the slowdown patch, they will be too slow to function in their current role and will need to be replaced. This is seriously affecting my life, my work schedule and my wallet. Please have real engineers provide real information here.