Intel Continues Working On New ISA Extensions To Help Fight Speculation Vulnerabilities

In addition to making public new security advisories this Patch Tuesday requiring updated CPU microcode, Intel also issued a press statement about their ongoing fight against speculation vulnerabilities with their processors.

Martin Dixon, an Intel Fellow and VP of the Intel Security Architecture and Engineering Group, penned a post about their continued work against transient execution vulnerabilities and the improvements they are still working on for future Intel CPUs to provide better defenses.

While there are software/hardware/microcode mitigations out there for known speculation vulnerabilities, Intel continues their research in this area (as do many external security researchers) as Intel does acknowledge "we expect it to remain a persistent focus area for researchers and the computer industry."

Emphasized in their blog post is that there will new ISA extensions coming with future CPUs to further allow more defenses against speculation vulnerabilities that will either end up being tailored within code of application or kernel developers or potentially in some cases automatically added by compilers. Of the ISA work in their fight against speculation vulnerabilities, it's mentioned:

Meanwhile, we have not been sitting still on enhancing our future products. Not only have we built additional capabilities into the microarchitectures, but we are also adding new instruction set architecture (ISA) extensions. We believe the software-hardware contract needs to evolve to indicate more intent to the hardware. Perhaps to misappropriate Robert Frost, “Good fences make good neighbors.” In a similar sense, we are working with our ecosystem partners to enhance the instruction set to indicate where security boundaries might exist.

Under this new paradigm, software uses security-augmented ISA extensions to convey security intent. For example, Hypervisor-managed linear address translation (HLAT) is an efficient solution to help protect the kernel. While there are fencing operations available today in our architectures, we are adding a new serialization instruction that allows a graceful pause of speculation. These new operations will be available shortly in our product line.

As for the new instruction mentioned in the post, they are seemingly reference the new SERIALIZE instruction and will be found with next-gen Core "Alder Lake" and Xeon "Sapphire Rapids" processors. At least on the Linux front, Intel has already been getting the SERIALIZE support into place as we have covered in a number of articles already.

The post also reaffirms Intel's support for working with programming languages, compilers, and other parties for engaging with them on these new additions over just adding new ISA extensions and calling it a day, "To accelerate the development of new ISA extensions, Intel invests in programming languages, compilers and tools to understand how software security properties can be captured by the ISA. At the same time, we are hardening hardware below the ISA boundary to provide mitigations at the CPU level."

Those wanting to read this update on Intel's work against speculation vulnerabilities can find today's post on the Intel Newsroom.