Microcode mitigations trigger system wobbles, penguinistas warn
This U-turn follows VMware, Lenovo, and other vendors stalling their rollout of Intel's microcode patches after the chipmaker admitted the firmware was causing systems to fall over. Intel says it is working on better microcode.
In a note to IT departments, Red Hat confirmed the latest version of its microcode_ctl package will not contain any solution for CVE-2017-5715, aka Spectre variant two, a processor security blunder we previously detailed here.
That’s because the Spectre workaround in the microcode was causing systems to become unbootable. Here’s a key part of the letter to customers, seen by El Reg:
To fully mitigate the vulnerability, peeps using AMD Zen and Intel Skylake-, Broadwell- and Haswell-powered kit should obtain and install microprocessor firmware direct from their hardware vendors, along with the latest kernel packages from Red Hat.
Which, er, sounds like Red Hat has given up and, to avoid any blame, has told its customers to just get whatever firmware their CPU maker is offering. And if it works, it works, and if it makes your box fall over, uh, don’t look at Red Hat. Here’s the next part of the customer note:
A senior techie who spoke to us on condition of anonymity said it was “now a bit harder to see what we need to do to protect our systems.”
“Do we need hardware vendor patches, BIOS patches or what? Then manually add Intel Raw firmware patches to the OS? A real mess if you ask me,” our contact added.
Red Hat’s Customer Portal Labs has published a Spectre and Meltdown detector for Red Hat Enterprise Linux 5 and later, which can be used online to check a kernel version or downloaded and run locally to ascertain whether both Spectre variants and Meltdown have been mitigated. ®
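For admins left wondering, as our contact above was, which combination of vendor firmware, BIOS update and OS package has actually landed on a box, here is an added example (written for this page, not Red Hat's detector script or any vendor tool) that asks the running kernel for its own verdict. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (upstream 4.15 and later, or a distribution backport; the early Red Hat kernels of this period reported the state under /sys/kernel/debug/x86 instead, which this script does not read) and an x86 /proc/cpuinfo. The sample /proc/cpuinfo excerpt is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the article or from Red Hat: report whether the
# kernel considers Meltdown/Spectre v1/Spectre v2 mitigated, whether the v2
# mitigation depends on a microcode-provided control (IBRS/IBPB/STIBP) or is
# pure retpoline, and which microcode revision is actually running.

# classify_mitigation STATUS_LINE -> mitigated | vulnerable | unaffected | unknown
# STATUS_LINE is the content of /sys/devices/system/cpu/vulnerabilities/<name>.
classify_mitigation() {
    case "$1" in
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected")  echo unaffected ;;
        *)               echo unknown ;;
    esac
}

# v2_needs_microcode STATUS_LINE -> yes | no
# IBRS, IBPB and STIBP only exist if the CPU's microcode provides them, so a
# spectre_v2 line naming one of them depends on the firmware you installed.
# A retpoline-only line is a compiler/kernel fix and works without new microcode.
v2_needs_microcode() {
    case "$1" in
        *IBRS*|*IBPB*|*STIBP*) echo yes ;;
        *)                     echo no ;;
    esac
}

# microcode_rev CPUINFO_TEXT -> the first "microcode" field (e.g. 0xc2) or unknown
# This is the revision the CPU is running now, which is what to compare with
# the version the hardware vendor or microcode_ctl claims to have shipped.
microcode_rev() {
    rev=$(printf '%s\n' "$1" | awk -F: '/^microcode/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    if [ -n "$rev" ]; then
        echo "$rev"
    else
        echo unknown
    fi
}

# Constructed /proc/cpuinfo excerpt for demonstration (not from a real host).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode : 0xc2
bugs : cpu_meltdown spectre_v1 spectre_v2'

# check_host: print one verdict per vulnerability for the machine this runs on.
# Exit status 0 = nothing reported vulnerable, 1 = something is, 2 = no sysfs interface.
check_host() {
    vdir=/sys/devices/system/cpu/vulnerabilities
    rc=0
    if [ ! -d "$vdir" ]; then
        echo "no $vdir: this kernel predates the sysfs interface, use the distro's detector instead"
        return 2
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        status=$(cat "$vdir/$v" 2>/dev/null || echo unknown)
        verdict=$(classify_mitigation "$status")
        echo "$v: $verdict ($status)"
        if [ "$v" = spectre_v2 ]; then
            echo "spectre_v2 relies on microcode control: $(v2_needs_microcode "$status")"
        fi
        if [ "$verdict" = vulnerable ]; then
            rc=1
        fi
    done
    echo "running microcode revision: $(microcode_rev "$(cat /proc/cpuinfo 2>/dev/null)")"
    return $rc
}

# Run the live check only when invoked as: sh spectre_check.sh --host
if [ "${1:-}" = --host ]; then
    check_host
fi
```

Two caveats worth keeping in mind when reading the output: a spectre_v2 line of "Mitigation: Full generic retpoline" means the kernel is covering itself without the disputed microcode, so a reverted microcode_ctl package does not undo it, whereas a line naming IBRS or IBPB is only as good as the firmware revision shown on the last line. And the microcode field in /proc/cpuinfo reflects whatever was loaded by the BIOS or by early/late OS loading, so if it still shows the old revision after you installed a vendor package, the new file was never applied.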