
Intel won’t release Spectre patches for some older chips after all - awiesenhofer
https://liliputing.com/2018/04/intel-wont-release-spectre-patches-for-some-older-chips-after-all.html
======
DCKing
The support list [1] is weird. Gulftown (Core i7) and Westmere-EP (Xeon) are
essentially the same chips yet only the latter is patched. The distinction
between Gulftown and Westmere-EP actually was barely ever made until now. And
Intel's confusing product line has lasted until today - the Xeon W3690 is
apparently Gulftown (the only Xeon) and is not patched [2], yet the Xeon W3670
and W3680 are Westmere-EP and will receive their microcode updates [3].

According to this document, make sure to read your CPU's model numbers
carefully. It doesn't reflect well on Intel that the line does _not_ appear to
be drawn based on technical capability, but apparently on contractual
obligations.

Many CPUs in the unsupported list still make very serviceable hardware in
2018. It's a shame a security issue will only add to their obsoletion, or make
people using this hardware more vulnerable. Spectre variant 2 is difficult to
exploit in practice, but that sounds like some famous last words.

[1]: [https://newsroom.intel.com/wp-content/uploads/sites/11/2018/...](https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf)

[2]: On page 8

[3]: On page 16

~~~
chao-
That the W3690 is not the same uarch as the W3670 and W3680 is weird as all
hell. Even weirder that it differs from the X5690, to which it is almost
identical. Did they start selling the W3690 before the other Xeon W-series
SKUs?

Saw the headline and my heart sank, but I got a lucky dodge on this. Bought a
W3680 because at the time, I couldn't find a W3690 at a reasonable price (from
what I could tell they were a top choice for people refreshing their Mac
Pros?). Maybe I'll squeeze another 7 years from this X58 machine yet!

~~~
blacksmith_tb
Sigh, I put a W3690 in an old Mac Pro a couple of years ago, and it's been
working nicely. Now time for plan B...

~~~
justinclift
Just make sure to get a processor that's not Intel. No need to reward them for
bad behaviour.

~~~
ibotty
That's going to be hard without changing the mainboard, which will most likely
not make it easy to (continue? to) run MacOS.

~~~
justinclift
Good point. For me it's not an issue as I barely use OSX any more.

But for people wedded to that platform... not much room to move. :/

------
ken
This list includes the base model CPU in the 2009, 2010, and 2012 Mac Pros, as
well as some of the BTO upgrades. I'm disappointed, but not surprised.

The 2012 Mac Pros, in particular, were still being sold less than 5 years ago,
so this means it's still officially supported by Apple. I wonder if there are
some awkward conversations happening between the two companies about that.

Fortunately, it's possible to upgrade the CPU in a Mac Pro to a newer part
which is still supported by Intel.

~~~
SparkleBunny
I think the "awkward conversations" are already over:

[https://news.ycombinator.com/item?id=16737072](https://news.ycombinator.com/item?id=16737072)

------
jumelles
I think this means we've only seen the beginning of the full effects of
Spectre. I'm expecting consequences for years to come.

------
yborg
This list includes the Penryns used in most Mac laptops and the Mac Minis up
to ~2010 vintage. I still use mine to host various Internet-facing utility
services, which it does handily.

------
chapill
So, all the Libreboot laptops are done. Frog boiled.

Freedom's last holdout now are Coreboot ARM machines like the latest ARM
Chromebooks.

~~~
SparkleBunny
RISC-V: A new hope

~~~
colejohnson66
Until you can run x86_64 at native speeds, replacing it will take a long time.

~~~
chapill
[https://youtu.be/Ii_pEXKKYUg?t=5m16s](https://youtu.be/Ii_pEXKKYUg?t=5m16s)

RISC-V is already faster. It just needs better fabs.

~~~
colejohnson66
I already knew RISC-V was/is faster in benchmarks. But does that translate to
transparently emulating x86_64 for the majority of use cases?

------
tomxor
Oh fucking great... my CPU's on the list, they didn't ask me but apparently I
don't mind someone stealing all of my credentials from my main computer...
what kind of BS non user said that.

I will never buy another Intel CPU, fuck you very much Intel.

If you have an old MacBook you might want to check that list, the various
flavours of C2Duos on that list were pretty common.

------
slavik81
The Bloomfield i7s are still perfectly serviceable processors. People will
almost certainly continue using them unpatched.

------
compsciphd
My Q6600 based desktop (g0 stepping) died right before all this news came out
after a decade of dedicated use. Guess it would have had to be retired
anyways.

------
bitmapbrother
Has AMD released Spectre patches for all of their old chips? I'm guessing they
haven't so it looks like Intel has company.

~~~
Paianni
If I'm not mistaken, the weaknesses of AMD processors with regards to Spectre
were less pronounced than Intel's, so maybe they could get by.

~~~
bitmapbrother
According to Wikipedia, AMD CPUs are just as vulnerable to Spectre variant 1
and 2 as is Intel. The confusion that AMD was not vulnerable to variant 2 was
due to a mistake made by AMD and later corrected by them 9 days later after
verifying they were also vulnerable to variant 2.

_AMD originally acknowledged vulnerability to one of the Spectre variants
(GPZ variant 1), but stated that vulnerability to another (GPZ variant 2) had
not been demonstrated on AMD processors, claiming it posed a "near zero risk
of exploitation" due to differences in AMD architecture. In an update nine
days later, AMD said that "GPZ Variant 2…is applicable to AMD processors" and
defined upcoming steps to mitigate the threat. Several sources took AMD's news
of the vulnerability to GPZ variant 2 as a change from AMD's prior claim,
though AMD maintained that their position had not changed._

~~~
goisa
Their position didn't change. AMD architecture simply doesn't prefetch data
that requires elevated permissions to execute.

------
antisthenes
Unfortunate, but not unexpected.

A shame about Bloomfield and Gulftown, but the rest of the products seem to be
firmly in the legacy/obsolete category.

~~~
eropple
Bloomfield's a decade old, Gulftown only moderately less. I'm pretty sure I'd
put them in the legacy category today (and I have a 975 around here, so I'm a
little bummed, but I get it).

