
Ask HN: Intel Kernel Vulnerability fix: why software not microcode - BuildTheRobots
Could someone please explain why the mitigations for the Intel CPU bug are having to be implemented in the OS rather than Microcode?<p>As it only seems to effect Intel and not AMD processors, and as the issue seems to be with the CPU not invalidating cache after a failed OP, this seems like something that would be best fixed actually on the CPU itself.<p>I assume there&#x27;s good reasons why not; if anyone could explain it would be greatly appreciated.
======
gvb
Microcode is very slow. The flaw lies in operations that you want to be as
fast as possible (caching, prefetching) so those operations are implemented as
hardcoded logic. Hardcoded logic is very fast, but impossible to change after
the CPU is created.

It is best fixed on the CPU, but it will require the CPU to be physically
changed (just a new mask if Intel is lucky) to fix it at the CPU level.

~~~
BuildTheRobots
Thank you for the info.

I have noticed that there is actually a microcode update published today
(through centos/rhel at least) so it looks like there's some firmware
mitigation on the go.

~~~
gvb
Yeah, I think I was right and wrong. Right in that the microcode cannot fix
the problem but wrong in that the microcode can disable the problematic
features (speculative execution, ???) to foil the attack. Unfortunately, that
will be a significant and forever performance hit for existing processors.

It makes sense that the features can be enabled and disabled via microcode.

