With the launch of Intel’s latest 8th Generation Core mobile processors, the 15W Whiskey Lake U-series and the 5W Amber Lake Y-series, questions were left on the table as to the state of the Spectre and Meltdown mitigations. Intel had, previously in the year, promised that there would be hardware fixes for some of these issues in consumer hardware by the end of the year. Nothing was mentioned in our WHL/AML briefing, so we caught up with Intel to find out the situation.

There Are Some Hardware Mitigations in Whiskey Lake

The takeaway message from our discussions with Intel is that there are some hardware mitigations in the new Whiskey Lake processors. In fact, there are almost as many as the upcoming Cascade Lake enterprise parts. Intel told us that while the goal was to be transparent in general with how these mitigations were being fixed - we think Intel misread the level of interest in the specifics in advance of the Whiskey Lake launch, especially when the situation is not a simple yes/no.

For the mitigations, here is the current status:

Spectre and Meltdown on Intel
AnandTech Cascade
Lake
Whiskey
Lake
Amber
Lake
Spectre Variant 1 Bounds Check Bypass OS/VMM OS/VMM OS/VMM
Spectre Variant 2 Branch Target Injection Hardware + OS Firmware + OS Firmware + OS
Meltdown Variant 3 Rogue Data Cache Load Hardware Hardware Firmware
Meltdown Variant 3a Rogue System Register Read Firmware Firmware Firmware
  Variant 4 Speculative Store Bypass Firmware + OS Firmware + OS Firmware + OS
  Variant 5 L1 Terminal Fault Hardware Hardware Firmware

What this means is that Whiskey Lake is a new spin of silicon compared to Kaby Lake Refresh, but is still built on that Kaby Lake microarchitecture. Intel confirmed to us that Whiskey Lake is indeed built on the 14++ process node technology, indicating a respin of silicon.

As a result, both CPU families have the all-important (and most performance degrading) Meltdown vulnerability fixed. What remains unfixed in Whiskey Lake and differentiates it from Cascade Lake CPUs is Spectre variant 2, the Branch Target Injection. This vulnerability has its own performance costs when mitigated in software, and it has taken longer to develop a hardware fix.

What About Amber Lake?

The situation with Amber Lake is a little different. Intel confirmed to us that Amber Lake is still Kaby Lake – including being built on the 14+ process node – making it identical to Kaby Lake Refresh as far as the CPU die is concerned. In essence, these parts are binned to go within the 5W TDP at base frequency. But as a result, Amber Lake shares the same situation as Kaby Lake Refresh: all side channel attacks and mitigations are done in firmware and operating system fixes. Nothing in Amber Lake is protected against in hardware.

Performance

The big performance marker is tackling Spectre Variant 2. When fixed in software, Intel expects a 3-10% drop in performance depending on the workload – when fixed in hardware, Intel says that performance drop is a lot less, but expects new platforms (like Cascade Lake) to offer better overall performance anyway. Neither Whiskey Lake nor Amber Lake have mitigations for v2, but Whiskey Lake is certainly well on its way with fixes to some of the more dangerous attacks, such as v3 and L1TF. Whiskey Lake is also offering new performance bins as the platform is also on 14++, which will help with performance and power.

Intel’s Disclosure in the Future

Speaking with Intel, it is clear (and they recognise) that they appreciate the level of interest in the scope of these fixes. We’re pushing hard to make sure that with all future launches, detailed tables about the process of fixes will occur. Progress on these issues, if anything, is a good thing.

Related Reading

Title image from PC Watch

POST A COMMENT

107 Comments

View All Comments

  • Ratman6161 - Friday, August 31, 2018 - link

    "I don't think that it's the job of a tech journalist to ensure..."

    My department (IT) picks which systems we are going to buy and we have a separate Information Security office that rides heard on us. Upper management rightfully puts the responsibility on us to buy the right systems and keep them patched and updated. That's why our departments (IT and Security) exist. If the C-Level has to tell us what to do then we are on our way to being unemployed. That's how it works in "real business".
    Reply
  • N Zaljov - Saturday, September 1, 2018 - link

    I never assumed anything different at all, but thanks for adding that. Your company seems to do the exact right thing: Distribution of responsibilities by delegating tasks to departments that actually know what they're doing and (most importantly) clear communication, not only between the departments, but also with the C-level execs.

    The fact that the company you're working for even has its own Infosec officer speaks proof enough. I've spent quite some time working for and with companies all over Europe, and the vast majority of small-to-medium (I'm talking about 10-50 employees, not really "medium" for people living in the US or Canada) enterprises don't even have proper guidelines for Infosec, let alone an Infosec officer or an entire department. It's absolutly atrocious.
    Reply
  • Zan Lynx - Thursday, August 30, 2018 - link

    If your computers only run your code, like a database server or a web backend, then you don't have to worry about these attacks. It only becomes a problem when someone else can run code on the machine, like browser Javascript, Java applets, Flash, or if some malicious attacker breaks in via an application vulnerability.

    Mostly if someone breaks into your server and gets access, you have other things to worry about. And you should definitely notice before they have time to run a Spectre attack to steal your SSL private keys.
    Reply
  • The_Assimilator - Friday, August 31, 2018 - link

    If your management is too dumb to address critical security vulnerabilities, find somewhere else to work. Reply
  • zlandar - Friday, August 31, 2018 - link

    Depends on your company.

    If you work for a small company that doesn't deal with sensitive financial or personal information the risk your company will be specifically targeted is extremely low.

    If you work for Equifax your boss better be paranoid as f--- because the whole world is trying to break in 24/7.
    Reply
  • Makaveli - Saturday, September 1, 2018 - link

    Don't worry Icehawk, when they get a serious enough data breach management will all be looking for new jobs. And the next group coming in won't make that mistake. Reply
  • DeepLearner - Thursday, August 30, 2018 - link

    This is hilarious. I read this site because I work for a fintech company (I think games are cool but don't game myself) that uses a ton of high end hardware. I am immediately interested in hardware exploits. yeeeeman, if you think "real businesses" aren't an important audience for a site like this, you should see our budget (I won't disclose it tho lol). Reply
  • imaheadcase - Thursday, August 30, 2018 - link

    To be fair most businesses don't care about it. I mean walmart, the biggest retail chain in the USA leaves its server doors open because quote "it just gets to hot". hundreds of people walk by the doors every day and can just waltz into the room and do whatever they want.

    Hell even the training AIO computers have a Windows 7 and windows XP product codes taped to them so easy to reinstall the OS.

    So to get any company to care he has a point.
    Reply
  • Reflex - Thursday, August 30, 2018 - link

    What risk does having the product codes on the outside of the PC create? For WinXP, none since the codes are in use and attempts to use them again will fail. For Win7 none, as the license is tied to the hardware and attempts to activate that code will fail.

    Also, where did you get that bit about walmart having doors to the 'server rooms' open because its hot?
    Reply
  • imaheadcase - Thursday, August 30, 2018 - link

    Its enterprise codes, they are not limited by devices.

    I work at walmart is how i know.
    Reply

Log in

Don't have an account? Sign up now