Apologies in advance for semi-off-topic reply, but:
rainwarrior wrote:
I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P
It depends on what you mean by "CPU revision". Quoting the source referenced within this link, relevant part bolded/underlined:
Quote:
The company has "assigned some of our very best minds" to work on addressing the vulnerability that's exploited by those attacks, Krzanich said on a conference call following Intel's quarterly earnings announcement. That will result in "silicon-based" changes to the company's future chips, he said.
What many folks (including me) expect is that "future chips" doesn't mean new steppings ("new revisions") of existing CPUs, but rather a completely new CPU series. In other words: "yes, we acknowledge the problem, it is fixed in our Series 10 CPUs / Core i1337 Series, which will require you to buy a new CPU, a new motherboard, possibly new RAM, and possibly new software or OS license(s)".
What many folks (including me) want are replacement CPUs with the bugs fixed in hardware (newer stepping), which is exactly what was done with the FDIV bug in late 1994 and the F00F bug in late 1997 (the latter of which could be worked around in OSes fairly easily, but Intel would only send you a newer stepping if you actually contacted them/asked for it -- no recall was done).
The severity of this problem strongly warrants either recalls or newer steppings released of existing Intel CPUs, and replacements offered for free. But the flaws affect a large range of CPUs (i.e. models no longer manufactured / EOL'd), so there would need to be a limit. My recommendation would be Ivy Bridge or newer, which is effectively 2012 and later. Older CPUs could use software-based fixes (both OS and/or BIOS/UEFI), which would suck but be better than nothing.
Fixing this problem in software is unacceptable as the performance impact is too severe: Intel's quoted numbers are substantially lower than what has been demonstrated in the real world. Furthermore, Microsoft, Ubuntu Linux, HP, and Dell have already botched patches at least once (HP and Dell botched BIOS/UEFI updates, because understanding and solving this problem in software is stupidly complicated).
Intel needs to bite the bullet and do what's right and most effective.
For what CPUs are affected -- not just Intel -- the Wikipedia article is pretty clear/thorough. You may also want to update your GPU drivers (for example, NVIDIA pushed out GPU driver updates; their GPUs are not susceptible to Meltdown or Spectre, yet they did something anyway -- I still don't understand their statement).
The approach I've advocated is simple: if you have a single-user system which you're extremely careful/safe with (software/application-wise), or you have servers in private/segregated environments (ex. corporate private network servers which only limited/trustworthy people in your IT department have access to), then the best choice right now is to do nothing. If you run a hypervisor/HV, own/rent a VPS server/system (i.e. guest OS), have a server in the cloud (EC2, Google, Azure, etc.), have a multi-user server, or have a system where the software being used on the system cannot be trusted, or you're just simply "extremely concerned", then you should patch and do BIOS/UEFI updates (the latter is for CPU microcode; this can be done at the OS level, but as Ubuntu Linux learned, botching this is worse than doing nothing) and pray nothing starts breaking.
Have a rollback plan in place in case something goes awry (use disk imaging software prior to OS updates, back up or download the previous revision of BIOS/UEFI, etc.).
Technology and computers are crap. Let's go do something more useful and enjoyable, like, say, fishing.
Edit: wanted to add clarification about how Meltdown and Spectre can be used in virtualised environments (i.e. VMs) and their relevant CVEs:
- Meltdown (CVE-2017-5754). VMs cannot exploit Meltdown to read memory of the hypervisor or other VMs. However, userspace processes in a VM can exploit Meltdown to read the VM kernel memory. Thus, patching Meltdown involves upgrading packages in your VM (yum update or apt-get update && apt-get dist-upgrade, followed by a reboot), so that the Linux kernel is updated to one that enables page table isolation.
- Spectre (CVE-2017-5753 and CVE-2017-5715). Both Spectre variants can theoretically be exploited by VMs to read hypervisor memory. Until security updates are applied, userspace processes in your VM will be able to read VM kernel memory even if software in the VM is patched, because the operating system updates depend on new CPU features that require CPU microcode and qemu/kvm/HV updates to be exposed to the VM.
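A way to check the point made in the two list items above from inside a guest, as an added example that is not part of the original post: Linux kernels from 4.15 on (and distribution backports) expose one file per issue under /sys/devices/system/cpu/vulnerabilities, so after a package update a VM whose hypervisor does not yet pass the new microcode features through will typically still report spectre_v2 as "Vulnerable" while meltdown shows "Mitigation: PTI". The script below reads those files and maps them to the three CVEs from the post; the directory is overridable so it can be run against a constructed copy.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel's own view of
# the Meltdown/Spectre mitigation state, e.g. inside a VM after "apt-get dist-upgrade".
# Source of truth is sysfs (Linux 4.15+); VULN_DIR can point at a copy for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_status DIR NAME -> prints "mitigated", "vulnerable" or "unknown".
# The kernel writes "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
mitigation_status() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        echo unknown          # file absent: kernel too old or issue not tracked
        return 0
    fi
    case "$(cat "$f")" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report DIR -> one line per issue/CVE; returns 1 if anything is still vulnerable.
report() {
    rc=0
    for entry in "meltdown:CVE-2017-5754" "spectre_v1:CVE-2017-5753" "spectre_v2:CVE-2017-5715"; do
        name="${entry%%:*}"
        cve="${entry#*:}"
        status="$(mitigation_status "$1" "$name")"
        printf '%-10s %-14s %s\n' "$name" "$cve" "$status"
        if [ "$status" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

report "$VULN_DIR" || echo "some issues still vulnerable: check microcode / hypervisor CPU feature exposure" >&2
```

A "Vulnerable" spectre_v2 with fully updated guest packages is the case the post describes: the guest kernel is ready, but the hypervisor has not exposed the microcode-backed CPU features to the VM.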