Intel has released microcode update v20180108 with Meltdown/Spectre fixes

[MrBrian]

Intel has released microcode update v20180108 with Meltdown/Spectre fixes for some CPU families. Of the 94 microcodes in the previous release (v20171117), 19 have been modified in this release; I verified this with a file comparison-by-contents program. I assume that the other 75 microcodes do not yet have Meltdown/Spectre fixes, but I don’t know that for sure.

Download: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File.

Edit: The file is now not available for download.

From the download’s release notes:

“20180108 Release

— Updates upon 20171117 release —
IVT C0        (06-3e-04:ed) 428->42a
SKL-U/Y D0    (06-4e-03:c0) ba->c2
BDW-U/Y E/F    (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx    (06-45-01:72) 20->21
Crystalwell Cx    (06-46-01:32) 17->18
BDW-H E/G    (06-47-01:22) 17->1b
HSX-EX E0    (06-3f-04:80) 0f->10
SKL-H/S R0    (06-5e-03:36) ba->c2
HSW Cx/Dx    (06-3c-03:32) 22->23
HSX C0        (06-3f-02:6f) 3a->3b
BDX-DE V0/V1    (06-56-02:10) 0f->14
BDX-DE V2    (06-56-03:10) 700000d->7000011
KBL-U/Y H0    (06-8e-09:c0) 62->80
KBL Y0 / CFL D0    (06-8e-0a:c0) 70->80
KBL-H/S B0    (06-9e-09:2a) 5e->80
CFL U0        (06-9e-0a:22) 70->80
CFL B0        (06-9e-0b:02) 72->80
SKX H0        (06-55-04:b7) 2000035->200003c
GLK B0        (06-7a-01:01) 1e->22”

From https://packages.qa.debian.org/i/intel-microcode/news/20180110T100610Z.html:

” + Updated Microcodes:
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+ Implements IBRS/IBPB support and enhances LFENCE: mitigation against Spectre (CVE-2017-5715)
+ Very likely fixes several other errata on some of the processors”

I believe that you can check if your CPU has the Spectre/Meltdown fixes available in this release by getting its CPUID signature at http://www.cpu-world.com/cgi-bin/CPUID.pl (there is also a program at that page) and comparing with the last 5 letters/digits of the 19 sigs listed above.

These microcode updates can be applied at every startup of a Windows system by using the program at https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-156348. Warning: I have no personal experience doing this. Use at your own discretion. Other options available might be BIOS/UEFI updates from your device manufacturer, and microcode updates shipped by Microsoft via Windows Update.

Another discussion thread: https://news.ycombinator.com/item?id=16111433.

2 users thanked author for this post.

Elly, Kirsty

[MrBrian]

Question from member Pim: “How serious is the risk if all other patches are applied except the BIOS patch (microcode update)?”

According to the table at https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/, the microcode updates are mitigations for CVE-2017-5715 (Spectre variant 2). According to the same link, the Windows changes for CVE-2017-5715 are “Calling new CPU instructions to eliminate branch speculation in risky situations.” The new CPU instructions are provided by the microcode updates.

According to https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html, an alternative mitigation for CVE-2017-5715 is “applying a software mitigation (e.g., Google’s Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.”According to Intel’s whitepaper (https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf), “For Intel Core processors of the
Broadwell generation and later, this retpoline mitigation strategy also requires a microcode update to be applied for the mitigation to be fully effective.”

More details about these two mitigations for CVE-2017-5715 are in Intel’s whitepaper at https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf.

Let’s now answer Pim’s question. From https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9:

“It’s [Spectre variant 2: CVE-2017-5715] fixed on Windows on Intel and AMD systems with a microcode update delivered by the OEM, using IBPB and IBRS when available. If no microcode update is done, LFENCE is implemented on Windows as a mitigation for the kernel.

[…]

On Windows, Spectre (Variant 2) is patched for user-mode applications if Intel or AMD microcode updates are applied via a BIOS/UEFI update, ask your OEM/PC manufacturer for an firmware update that adds December/January 2018 microcode. Otherwise, application-specific updates are required, and only the kernel is protected (an app can snoop on another application, or even a browser tab on your passwords and such in theory).

Warning: For Windows systems, microcode updates have to be shipped via the BIOS/UEFI to protect against Spectre (Variant 2) across applications.”

3 users thanked author for this post.

AJNorth, abbodi86, Pim

[MrBrian]

Tweet from Alex Ionescu‏: “Microcode is for spectre Variant 2. Without the update you’re nowhere on Windows because no retpoline. Variant e you are ok just slow.”

“Variant e”?

1 user thanked author for this post.

Pim

[MrBrian]

From reading Intel’s technical papers, it seems clear that Intel’s recommendation for mitigation for CVE-2017-5753 (Spectre variant 1) is that software should be changed to call the CPU’s LFENCE instruction at necessary places. What is unclear to me is if a microcode update is needed to guarantee that the CPU’s LFENCE instruction behaves in the desired manner. This link claims that recent microcode updates have this change: “LFENCE terminates all previous instructions”. I’m not sure if this is accurate or is an error. If this is accurate, then you might need a microcode update to ensure that software fixes for CVE-2017-5753 work properly. My guess though is that this is a documentation error because Intel’s technical papers don’t mention any microcode changes for LFENCE. Additionally, the Spectre paper contains this note: “After reviewing an initial draft of this paper, Intel engineers indicated that the definition of lfence will be revised to specify that it blocks speculative execution.”

1 user thanked author for this post.

Elly

[MrBrian]

Bad news for those interested in using VMware CPU Microcode Update Driver to update microcode in Windows: From https://twitter.com/SharkWipf/status/951132374515044352: “[…] Apparently the VMWare tool loads the microcode whenever the driver gets loaded, but Windows checks microcode before the driver is loaded, so it isn’t accepted by the patch. […]”

3 users thanked author for this post.

walker, abbodi86, Pim

[MrBrian]

Similar reports are at https://www.techpowerup.com/forums/threads/major-intel-cpu-hardware-vulnerability-found.240168/ and https://forums.guru3d.com/threads/windows-how-to-get-latest-cpu-microcode-without-modding-the-bios.418806/

1 user thanked author for this post.

Pim

[MrBrian]

The VMware driver has a comments page at https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver#comments. I haven’t seen any solution yet.

[walker]

@Mr.Brian:  I do not understand a lot of the advice and information you post, however “I’m trying”.    Thank you once again for all of the expert help you provide for everyone.  There are a lot of our members who have the ability to follow your very knowledgeable advice.     🙂  🙂

[MrBrian]

Another option for temporarily updating the microcode: https://biosbits.org/ (found at How to update CPU’s microcode with GRUB and chainload Windows 10?). I have not tried this.

1 user thanked author for this post.

Pim

[MrBrian]

Ascaris mentioned another option for getting the microcode update: “If Intel releases the new microcode for a given CPU, it may be possible to create a BIOS update yourself. […] If you do this, it’s at your own risk!” I have seen web references to other tools that can be used to do this.

1 user thanked author for this post.

Pim

[MrBrian]

From Intel’s telling some customers to avoid its fix for the Spectre and Meltdown attacks — because of a big bug: “The giant chipmaker is giving that advice because the recently issued software update can cause its latest processors to reboot when they’re not supposed to, something the company acknowledged in a statement on Thursday.”

1 user thanked author for this post.

Pim

[MrBrian]

From the Wall Street Journal article linked to in that article (my bolding): ‘In a confidential document shared with some customers Wednesday and reviewed by The Wall Street Journal, Intel said it identified three issues in updates released over the past week for “microcode,” or firmware—software that is installed directly on the processor.’

[anonymous]

Sounds like a Defcon 1 for microcodes and firmwares.

I’m staying clear from them til guru’s like you and Woody say it’s safe or explain the how to’s.
Thanks always for your unceasing help!

3 users thanked author for this post.

rontpxz81, walker, MrBrian

[walker]

@Mr.Brian:  I thought I had left a message thanking you for all of the information which you so freely provide for all of our members.    I am not knowledgeable enough to understand a lot of this, however “I’m trying”.    Thank you again for your limitless expertise, and knowledge relevant to these complex issues (which I wish understood more).

Your messages are always read, however I just don’t have the ability to understand many of them.   I’m sure every member appreciates and is grateful for your assistance.    🙂

 

P.S.   I located the other message I sent, and will not edit it since it’s a “duplicate”.   🙂

1 user thanked author for this post.

MrBrian

[anonymous]

? says:

this just came out for ubuntu/intel and wonder if this will work properly?

https://usn.ubuntu.com/usn/usn-3531-1/

any beta testers?

[anonymous]

? says:

i guess i answered my own question from 01/12/2018

USN-3531-1 introduced regressions in intel-microcode

“At the request of Intel, we have
reverted to the previous packaged microcode version, the 20170707 release”.

2 users thanked author for this post.

rontpxz81, MrBrian

[anonymous]

So, where does this leave all of us who either bought a locally built unit from a local mom-and-pop store that’s an Intel partner and said unit has Intel chip and motherboard, OR who went out and built our own units with an Intel board and chip?

In my case, I have two such units. One has an Intel i3-2120 chip (2nd. generation core) and one has an Intel i5-750 chip (first generation core). Both units were bought from two different local mom-and-pop stores who were and still are Intel channel partners.

So far, from links posted on this site, I’ve learned that the latest microcode update released on January 8th covers BOTH of my chips, according to the lengthy list posted on Intel’s site for downloading the actual update.

With the foregoing in mind, to quote the late Clara Peller, “Where’s the beef?”… or, in other words, where’s the BIOS revisions needed to properly patch the systems? BTW, both systems are Win 7 Pro x64 boxes.

This is a great question to post to Intel for proper product support. They’re releasing revised microcode for older chips like mine, so why not build that into a BIOS update for the Intel boards they’re compatible with and likely to be installed into?

[MrBrian]

The microcodes for your two CPUs in the latest microcode file from Intel (mentioned in first post) probably do not include changes for Meltdown/Spectre.

[MrBrian]

From Intel, AMD & VIA CPU Microcode Repositories: “This is a collection of every Intel, AMD and VIA CPU microcode we have found.”

[MrBrian]

From iucode-tool:

“Updating the processor microcode is a process that can be done at any time (even with the system at full load), and as many times as required.  It is strongly recommended that microcode updates be applied during early system boot, though:

* Microcode updates should be applied as soon as possible to shorten the time window where the errata fixed by the update could still trigger;

* Some microcode updates can only be applied safely before the operating system enables more advanced processor functionality, otherwise that functionality must be disabled by the kernel (Atom PSE erratum);

* Some microcode updates disable (faulty) functionality or make other “visible” changes to the processor, and must be applied before either the kernel or applications start using that functionality (e.g. Haswell Intel TSX erratum).”

[MrBrian]

More info about the v20180108 microcodes: https://github.com/bajorgensen/Intel_microcode/blob/master/Intel_20180108.txt.

[rontpxz81]

I built my own PC – just a few days ago Gigabyte started to offer a Bios microcode update for my motherboard.

I’m skeptical due to the rush on Meltdown/Spectre fixes and don’t want to mess up my system.

Any advice?

[MrBrian]

The latest microcode updates from Intel have known issues. I recommend that home users not update their BIOS yet.

1 user thanked author for this post.

rontpxz81

[rontpxz81]

Best I can tell so far only Intel Broadwell and Haswell- I’m using an I5 Skylake.

Intel Security Issue Update: Addressing Reboot Issues

[MrBrian]

Intel says STOP installing firmware updates

1 user thanked author for this post.

rontpxz81

[rontpxz81]

Gigabyte started offering a Bios microcode update a few days ago for some of it’s motherboards like mine on my self- built PC.  Since Intel was not specific in it’s release to stop installing updates I will wait.

[MrBrian]

This file is no longer available for download.

Hat tip: user ViperJohn.

1 user thanked author for this post.

rontpxz81

[rontpxz81]

MrBrian-

Gigabyte still has it up as of today-

http://www.gigabyte.us/Motherboard/GA-H270-Gaming-3-rev-10#support-dl

1 user thanked author for this post.

MrBrian

[Author]

Posts