AMD Did NOT Disable Branch Prediction With A Zen Microcode Update
With the plethora of software security updates coming out over the past few days in the wake of the Meltdown and Spectre disclosures, SUSE released a Family 17h "Zen" CPU microcode update that we have yet to see elsewhere. The bulletin claims it disables branch prediction, but I've confirmed with AMD that this is not actually the case.
AMD did post a processor security notice in which they stated that their hardware is not vulnerable to variant three (rogue data cache load, i.e. Meltdown), that there is "near zero risk" of exploiting variant two ("branch target injection"), and that variant one (bounds check bypass) would be resolved by software/OS updates.
Along with the Linux kernel patches enabling KPTI (Kernel Page Table Isolation), SUSE issued a security bulletin that added an AMD microcode update. The bulletin states, "This new firmware disables branch prediction on AMD family 17h processor to mitigate an attack on the branch predictor that could lead to information disclosure from e.g. kernel memory." The AMD change-log does note this microcode update is indeed for CVE-2017-5715, i.e. Spectre variant two (branch target injection).
But surprisingly I have yet to see any other Linux distribution vendor promoting this new microcode_amd_fam17h.bin microcode file for disabling branch prediction on the latest AMD Ryzen/Threadripper/EPYC processors. As of writing, this Family 17h microcode file also hasn't been added to the linux-firmware.git tree.
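Whatever a vendor bulletin says a microcode blob does, the first thing to check on a given box is which revision the kernel actually loaded. The following script is an added example, not code from the article or from AMD/SUSE: it parses /proc/cpuinfo for the vendor, CPU family and loaded microcode revision of every logical CPU, flags AMD Family 17h (Zen) parts, and looks for the microcode_amd_fam17h.bin blob at the path linux-firmware uses for AMD microcode. The embedded sample cpuinfo text (and its revision value) is constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example, not code from the Phoronix article or from AMD/SUSE.
# Reports which CPU family and microcode revision the kernel actually loaded,
# flags AMD Family 17h (Zen) parts, and checks whether the Family 17h blob is
# installed at the path linux-firmware uses. Works on /proc/cpuinfo text; the
# sample below is constructed so the script also runs offline.

# Constructed sample in /proc/cpuinfo format (two logical CPUs of a Zen part;
# the microcode revision is a placeholder, not a statement about any real box).
SAMPLE_CPUINFO='processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD Ryzen 7 1800X Eight-Core Processor
microcode : 0x8001126

processor : 1
vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD Ryzen 7 1800X Eight-Core Processor
microcode : 0x8001126
'

# Path where linux-firmware installs the AMD Family 17h microcode blob.
FAM17H_BLOB="${FAM17H_BLOB:-/lib/firmware/amd-ucode/microcode_amd_fam17h.bin}"

# Read /proc/cpuinfo-style text on stdin and print one line per distinct
# vendor/family/model/microcode combination, with a count of logical CPUs.
# More than one microcode revision for the same part means the late loader
# did not reach every core.
summarize_cpuinfo() {
  awk -F': *' '
    function flush() {
      if (vendor == "") return
      key = sprintf("%s family 0x%x model 0x%x microcode %s",
                    vendor, family + 0, model + 0, ucode)
      seen[key]++
      vendor = ""; family = ""; model = ""; ucode = ""
    }
    /^vendor_id/     { vendor = $2 }
    /^cpu family/    { family = $2 }
    /^model[ \t]*:/  { model  = $2 }   # does not match "model name"
    /^microcode/     { ucode  = $2 }
    /^$/             { flush() }
    END              { flush(); for (k in seen) print k " x" seen[k] }
  ' | sort
}

# Exit 0 if the cpuinfo text on stdin describes an AMD Family 17h (Zen) CPU.
is_amd_family17h() {
  awk -F': *' '
    /^vendor_id/  { amd = ($2 == "AuthenticAMD") }
    /^cpu family/ { fam = $2 + 0 }
    END           { exit !(amd && fam == 23) }
  '
}

# Exit 0 if the Family 17h microcode blob is present on this system.
have_fam17h_blob() {
  [ -r "$FAM17H_BLOB" ]
}

# Use the live /proc/cpuinfo when available, otherwise the constructed sample.
read_cpuinfo() {
  if [ -r /proc/cpuinfo ]; then cat /proc/cpuinfo; else printf '%s' "$SAMPLE_CPUINFO"; fi
}

read_cpuinfo | summarize_cpuinfo
if read_cpuinfo | is_amd_family17h; then
  echo "AMD Family 17h (Zen) detected"
  if have_fam17h_blob; then
    echo "Family 17h microcode blob present: $FAM17H_BLOB"
  else
    echo "Family 17h microcode blob not found at $FAM17H_BLOB"
  fi
else
  echo "Not an AMD Family 17h CPU; the fam17h blob does not apply"
fi
```

Run it before and after installing a distribution's microcode package: a changed microcode field is the only direct evidence that the new blob is live, and the per-combination counts show whether every logical CPU picked it up.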
I reached out to AMD and heard back on Friday. They wrote in an email to Phoronix that this Zen/17h microcode update does not disable branch prediction, and that they'll be working with SUSE to clarify the microcode update description. As for what this microcode update does do in the wake of Spectre, or why the binary has yet to make it to other Linux distributions, they have yet to clarify. If/when I hear anything more, I'll certainly post about it, but it doesn't appear to be anything as dramatic as disabling branch prediction, which could have slaughtered their CPU performance.