VMware pulling Intel specter patches

[Cy Schubert]

Might we be jumping the gun with updated firmware in devcpu-data?

https://www.reddit.com/r/sysadmin/comments/7qjnfx/vmware_pulled_spectre_patches_on_friday/

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
Also, this old phone only supports top post. Apologies.

Cy Schubert
<Cy.Sc...@cschubert.com> or <c...@freebsd.org>
The need of the many outweighs the greed of the few.
---
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

[Shawn Webb]

On Tue, Jan 16, 2018 at 09:18:47AM -0800, Cy Schubert wrote:
> Might we be jumping the gun with updated firmware in devcpu-data?
>
> https://www.reddit.com/r/sysadmin/comments/7qjnfx/vmware_pulled_spectre_patches_on_friday/

From what I understand, the new Intel microcode only makes sense if
retpoline is used. On Skylake and above, retpoline by itself isn't
100% effective against Spectre. On those systems, retpoline requires
the new Intel microcode update along with enabling the new IBRS
feature that comes with it.

Simply updating the microcode on Intel systems doesn't really do much
on its own.

Granted, I could have misread and be completely wrong. Please let me
know if I am.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE