by usernam 3084 days ago
Can somebody shed some light on what exactly the released Intel microcode update does aside from exposing some chicken bits? This is only marginally addressed in the "Controlling the Performance Impact" page linked above.

For example, does the update fix Meltdown in any meaningful way? If so, does it mean that "pti" should be manually disabled on a patched Intel CPU to avoid _additional_ overhead?

It seems that the kernel changes being pushed do not account for the current published microcode updates.

2 comments

According to https://access.redhat.com/articles/3311301 PTI should be enabled on Intel even with the new microcode, so the microcode update probably doesn't fix variant 3 (Meltdown).

Also, I don't think the microcode updates just expose some chicken bits. IBRS seems to be exposing one or more chicken bits as a single bit, but IBPB seems to be a command to run a routine in the microcode to immediately clear part of the branch predictor state, not a chicken bit.

Yes, the kernel changes in the Linus tree only fix variant 3; there are several partial and/or mutually incompatible patch sets being posted on the Linux kernel mailing list to fix the other variants; the Red Hat kernel seems to have an early version of some of these. See also the just-posted http://kroah.com/log/blog/2018/01/06/meltdown-status/ for more detail.

I read both, and I can confirm that Meltdown is not fixed by the microcode update alone. But I'm confused by Intel claiming a fix for all three variants of exploits: I would have realistically expected a proper fix for Meltdown, but it seems that Intel can't really fix it in microcode.
There is a whole technical paper by Intel on this.

* https://news.ycombinator.com/item?id=16079910
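
An added example, not part of the thread: a check for the situation discussed above, where a host shows the microcode-provided branch controls (IBRS/IBPB) but has PTI switched off. It assumes a kernel that reports `pti`, `ibrs`, `ibpb`, `stibp` (or `spec_ctrl` on some vendor kernels) in the `flags` line of `/proc/cpuinfo` and `cpu_meltdown` in the `bugs` line; the sample inputs are constructed.

```python
# Constructed sample inputs, not captured from a real host.
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : GenuineIntel
flags     : fpu vme de pse msr ibrs ibpb stibp
bugs      : cpu_meltdown spectre_v1 spectre_v2
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti"

# Kernel parameters that turn page table isolation off.
PTI_OFF_PARAMS = {"nopti", "pti=off", "mitigations=off"}
# Flag names assumed for the branch-predictor controls added by microcode.
BRANCH_CONTROL_FLAGS = {"ibrs", "ibpb", "stibp", "spec_ctrl"}


def cpu_field(cpuinfo, key):
    """Return the space-separated values of the first `key` line as a set."""
    for line in cpuinfo.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            return set(value.split())
    return set()


def assess(cpuinfo, cmdline):
    """Report Meltdown exposure independently of the Spectre v2 controls."""
    flags = cpu_field(cpuinfo, "flags")
    bugs = cpu_field(cpuinfo, "bugs")
    affected = "cpu_meltdown" in bugs
    pti_active = "pti" in flags
    return {
        "meltdown_affected": affected,
        "pti_active": pti_active,
        "pti_off_params": sorted(set(cmdline.split()) & PTI_OFF_PARAMS),
        "branch_controls": sorted(flags & BRANCH_CONTROL_FLAGS),
        # IBRS/IBPB being present does not change this result.
        "exposed": affected and not pti_active,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CPUINFO, SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On a live system, pass the contents of `/proc/cpuinfo` and `/proc/cmdline` instead of the samples.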