Techies are scratching their heads after Red Hat pulled a CPU microcode update that was supposed to mitigate variant two of the Spectre design flaw in Intel and AMD processors.
This U-turn follows VMware, Lenovo, and other vendors, stalling on rolling out microcode patches after Intel admitted its firmware caused systems to fall over. It says it is working on better microcode.
In a note to IT departments, Red Hat confirmed the latest version of its microcode_ctl package will not contain any solution for CVE-2017-5715, aka Spectre variant two, a processor security blunder we previously detailed here.
That's because the Spectre workaround in the microcode was causing systems to become unbootable. Here's a key part of the letter to customers, seen by El Reg:
Latest microcode_ctl package will not contain mitigation for CVE-2017-5715 (Spectre, Variant 2)
Historically, for certain systems, Red Hat has provided updated microprocessor firmware, developed by our microprocessor partners, as a customer convenience. Further testing has uncovered problems with the microcode provided along with the “Spectre” CVE-2017-5715 mitigation that could lead to system instabilities. As a result, Red Hat is providing a microcode update that reverts to the last known and tested microcode version dated before 03 January 2018 and does not address “Spectre” CVE-2017-5715.
To fully mitigate the vulnerability, peeps using AMD Zen and Intel Skylake-, Broadwell- and Haswell-powered kit should obtain and install microprocessor firmware direct from their hardware vendors, along with the latest kernel packages from Red Hat.
Which, er, sounds like Red Hat has given up and, to avoid any blame, has told its customers to just get whatever firmware your CPU maker is offering. And if it works, it works, and if it makes your box fall over, uh, don't look at Red Hat. Here's the next part of the customer note:
In order to mitigate “Spectre” CVE-2017-5715 fully, Red Hat strongly recommends that customers contact their hardware provider for the latest microprocessor firmware updates.
Red Hat Security is currently recommending that subscribers contact their CPU OEM vendor to download the latest microcode/firmware for their processor.
The latest microcode_ctl and linux-firmware packages from Red Hat do not include resolutions to the CVE-2017-5715 (variant 2) exploit. Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot.
The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd. Customers are advised to contact their silicon vendor to get the latest microcode for their particular processor.
A senior techie who spoke to us on condition of anonymity said it was “now a bit harder to see what we need to do to protect our systems.”
“Do we need hardware vendor patches, BIOS patches or what? Then manually add Intel Raw firmware patches to the OS? A real mess if you ask me,” our contact added.
Red Hat’s Customer Portal Labs has published a Spectre and Meltdown detector for the Enterprise Linux 5 or later edition, which can be used online for kernel detection or downloaded and run locally to ascertain if the two flavours of Spectre and one of Meltdown have been mitigated. ®