Shortly after Red Hat stopped providing microcode to address variant 2 (branch target injection) of the Spectre attack, Intel has advised OEMs, cloud service providers, system manufacturers, software vendors and end users to stop deploying the current firmware updates that fix the same vulnerability (CVE-2017-5715).
Red Hat’s decision
“Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot. The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd,” Red Hat announced last week.
The microcode that Red Hat stopped providing is not of its own making. These patches are developed and supplied by the CPU makers (Intel, AMD, Arm, etc.).
“The microcode that was supplied to us did not cover all of the microprocessors that our customers possibly could use. It appears, subsequently, there may have been two versions that could have some regressions,” Christopher Robinson, product security manager at Red Hat, told Data Center Knowledge.
“We’ve historically been kind of a middleman in supplying [microcode]. Right now, because we don’t have a complete repository of all the updated microcode software, it’s just easier for our subscribers to go straight to the source and grab the microcode update from their silicon provider.”
Intel’s update on the situation
And now Intel instructed all customers to hold off on deploying current versions of the firmware updates, “as they may introduce higher than expected reboots and other unpredictable system behavior.”
“We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed,” Navin Shenoy, Intel VP and general manager of the Data Center Group at Intel Corporation, announced on Monday.
He asked industry partners to focus efforts on testing early versions of the updated solution so Intel can accelerate its release.
Intel also provided a handy table that shows which microcode updates should be avoided, depending on the underlying processors.
HP has reacted quickly to the announcement and removed system ROMs that include the impacted microcode from the HPE Support Site. It advised users to revert to earlier System ROM versions while they wait for new ones that include the updated Intel microcode.