In a posting. Mark Papermaster, AMD’s CTO, admitted Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors. But, Papermaster wrote, “We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.”
Of course, there was only one little problem with this fix: The first Microsoft Windows 10 patch bricked some PCs running older AMD processors. Specifically these are Opteron, Athlon and AMD Turion X2 CPUs. Papermaster said, “We are working closely with them to correct an issue that paused the distribution of patches for some older AMD processors (AMD Ultra families) earlier this week. We expect this issue to be corrected shortly and Microsoft should resume updates for these older processors by next week.”
The real change in AMD’s position is with GPZ Variant 2 (Branch Target Injection or Spectre). AMD admits their processors might be attackable by this route, but “AMD’s processor architectures make it difficult to exploit Variant 2.” So, out of an abundance of caution AMD will be making optional micro code updates available to further contain the threat.
“AMD will also continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.”
This will be done first by making optional microcode updates for Ryzen and EPYC processors starting this week. They will follow this up with updates available for previous generation products over the coming weeks. These updates will be provided to users by system providers and operating system vendors.
Linux is already releasing AMD patches, while AMD is “working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of “return trampoline” (Retpoline) software mitigations.”
GPZ Variant 3 (Meltdown) doesn’t affect AMD processors. As Thomas Lendacky, AMD software engineer and Linux kernel developer, wrote on the Linux Kernel Mailing List (LKML), “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.” Therefore on AMD systems, sysadmins should disable this feature. If they don’t, their systems will suffer from the system slowdown that comes with the Meltdown patches without improving security.
As for AMD’s Radeon GPUs, don’t worry about it. Radeon “architectures do not use speculative execution and thus are not susceptible to these threats.”
So, yes, AMD processors are safer than the chip families — Intel, POWER, ARM — affected by Meltdown. Just don’t assume they’re perfectly safe. They’re not.
Finally, keep in mind we’re still in the early days of dealing with these fundamentally different security problems. We will see further related security problems popping up.