News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Intel has released microcode update v20180108 with Meltdown/Spectre fixes

    Posted on MrBrian Comment on the AskWoody Lounge

    Home Forums AskWoody support PC hardware Intel has released microcode update v20180108 with Meltdown/Spectre fixes

    This topic contains 27 replies, has 4 voices, and was last updated by  rontpxz81 1 year, 10 months ago.

    • Author
      Posts
    • #158148 Reply

      MrBrian
      AskWoody_MVP

      Intel has released microcode update v20180108 with Meltdown/Spectre fixes for some CPU families. Of the 94 microcodes in the previous release (v20171117), 19 have been modified in this release; I verified this with a file comparison-by-contents program. I assume that the other 75 microcodes do not yet have Meltdown/Spectre fixes, but I don’t know that for sure.

      Download: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File.

      Edit: The file is now not available for download.

      From the download’s release notes:

      “20180108 Release

      — Updates upon 20171117 release —
      IVT C0        (06-3e-04:ed) 428->42a
      SKL-U/Y D0    (06-4e-03:c0) ba->c2
      BDW-U/Y E/F    (06-3d-04:c0) 25->28
      HSW-ULT Cx/Dx    (06-45-01:72) 20->21
      Crystalwell Cx    (06-46-01:32) 17->18
      BDW-H E/G    (06-47-01:22) 17->1b
      HSX-EX E0    (06-3f-04:80) 0f->10
      SKL-H/S R0    (06-5e-03:36) ba->c2
      HSW Cx/Dx    (06-3c-03:32) 22->23
      HSX C0        (06-3f-02:6f) 3a->3b
      BDX-DE V0/V1    (06-56-02:10) 0f->14
      BDX-DE V2    (06-56-03:10) 700000d->7000011
      KBL-U/Y H0    (06-8e-09:c0) 62->80
      KBL Y0 / CFL D0    (06-8e-0a:c0) 70->80
      KBL-H/S B0    (06-9e-09:2a) 5e->80
      CFL U0        (06-9e-0a:22) 70->80
      CFL B0        (06-9e-0b:02) 72->80
      SKX H0        (06-55-04:b7) 2000035->200003c
      GLK B0        (06-7a-01:01) 1e->22”

      From https://packages.qa.debian.org/i/intel-microcode/news/20180110T100610Z.html:

      ” + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
      + Implements IBRS/IBPB support and enhances LFENCE: mitigation against Spectre (CVE-2017-5715)
      + Very likely fixes several other errata on some of the processors”

      I believe that you can check if your CPU has the Spectre/Meltdown fixes available in this release by getting its CPUID signature at http://www.cpu-world.com/cgi-bin/CPUID.pl (there is also a program at that page) and comparing with the last 5 letters/digits of the 19 sigs listed above.

      These microcode updates can be applied at every startup of a Windows system by using the program at https://www.askwoody.com/forums/topic/meltdown-and-spectre-from-a-windows-users-point-of-view/#post-156348. Warning: I have no personal experience doing this. Use at your own discretion. Other options available might be BIOS/UEFI updates from your device manufacturer, and microcode updates shipped by Microsoft via Windows Update.

      Another discussion thread: https://news.ycombinator.com/item?id=16111433.

      2 users thanked author for this post.
    • #158220 Reply

      MrBrian
      AskWoody_MVP

      Question from member Pim: “How serious is the risk if all other patches are applied except the BIOS patch (microcode update)?”

      According to the table at https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/, the microcode updates are mitigations for CVE-2017-5715 (Spectre variant 2). According to the same link, the Windows changes for CVE-2017-5715 are “Calling new CPU instructions to eliminate branch speculation in risky situations.” The new CPU instructions are provided by the microcode updates.

      According to https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html, an alternative mitigation for CVE-2017-5715 is “applying a software mitigation (e.g., Google’s Retpoline) to the hypervisor, operating system kernel, system programs and libraries, and user applications.”According to Intel’s whitepaper (https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf), “For Intel Core processors of the
      Broadwell generation and later, this retpoline mitigation strategy also requires a microcode update to be applied for the mitigation to be fully effective.”

      More details about these two mitigations for CVE-2017-5715 are in Intel’s whitepaper at https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf.

      Let’s now answer Pim’s question. From https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9:

      “It’s [Spectre variant 2: CVE-2017-5715] fixed on Windows on Intel and AMD systems with a microcode update delivered by the OEM, using IBPB and IBRS when available. If no microcode update is done, LFENCE is implemented on Windows as a mitigation for the kernel.

      […]

      On Windows, Spectre (Variant 2) is patched for user-mode applications if Intel or AMD microcode updates are applied via a BIOS/UEFI update, ask your OEM/PC manufacturer for an firmware update that adds December/January 2018 microcode. Otherwise, application-specific updates are required, and only the kernel is protected (an app can snoop on another application, or even a browser tab on your passwords and such in theory).

      Warning: For Windows systems, microcode updates have to be shipped via the BIOS/UEFI to protect against Spectre (Variant 2) across applications.”

      3 users thanked author for this post.
      • #158668 Reply

        MrBrian
        AskWoody_MVP

        Tweet from Alex Ionescu‏: “Microcode is for spectre Variant 2. Without the update you’re nowhere on Windows because no retpoline. Variant e you are ok just slow.”

        “Variant e”?

        1 user thanked author for this post.
        Pim
      • #159450 Reply

        MrBrian
        AskWoody_MVP

        From reading Intel’s technical papers, it seems clear that Intel’s recommendation for mitigation for CVE-2017-5753 (Spectre variant 1) is that software should be changed to call the CPU’s LFENCE instruction at necessary places. What is unclear to me is if a microcode update is needed to guarantee that the CPU’s LFENCE instruction behaves in the desired manner. This link claims that recent microcode updates have this change: “LFENCE terminates all previous instructions”. I’m not sure if this is accurate or is an error. If this is accurate, then you might need a microcode update to ensure that software fixes for CVE-2017-5753 work properly. My guess though is that this is a documentation error because Intel’s technical papers don’t mention any microcode changes for LFENCE. Additionally, the Spectre paper contains this note: “After reviewing an initial draft of this paper, Intel engineers indicated that the definition of lfence will be revised to specify that it blocks speculative execution.”

        1 user thanked author for this post.
    • #158368 Reply

      MrBrian
      AskWoody_MVP

      Bad news for those interested in using VMware CPU Microcode Update Driver to update microcode in Windows: From https://twitter.com/SharkWipf/status/951132374515044352: “[…] Apparently the VMWare tool loads the microcode whenever the driver gets loaded, but Windows checks microcode before the driver is loaded, so it isn’t accepted by the patch. […]”

      3 users thanked author for this post.
    • #158426 Reply

      MrBrian
      AskWoody_MVP

      Another option for temporarily updating the microcode: https://biosbits.org/ (found at How to update CPU’s microcode with GRUB and chainload Windows 10?). I have not tried this.

      1 user thanked author for this post.
      Pim
    • #158435 Reply

      MrBrian
      AskWoody_MVP

      Ascaris mentioned another option for getting the microcode update: “If Intel releases the new microcode for a given CPU, it may be possible to create a BIOS update yourself. […] If you do this, it’s at your own risk!” I have seen web references to other tools that can be used to do this.

      1 user thanked author for this post.
      Pim
    • #158687 Reply

      MrBrian
      AskWoody_MVP

      From Intel’s telling some customers to avoid its fix for the Spectre and Meltdown attacks — because of a big bug: “The giant chipmaker is giving that advice because the recently issued software update can cause its latest processors to reboot when they’re not supposed to, something the company acknowledged in a statement on Thursday.”

      1 user thanked author for this post.
      Pim
      • #158691 Reply

        MrBrian
        AskWoody_MVP

        From the Wall Street Journal article linked to in that article (my bolding): ‘In a confidential document shared with some customers Wednesday and reviewed by The Wall Street Journal, Intel said it identified three issues in updates released over the past week for “microcode,” or firmware—software that is installed directly on the processor.’

      • #158791 Reply

        anonymous

        Sounds like a Defcon 1 for microcodes and firmwares.

        I’m staying clear from them til guru’s like you and Woody say it’s safe or explain the how to’s.
        Thanks always for your unceasing help!

        3 users thanked author for this post.
      • #159183 Reply

        walker
        AskWoody Lounger

        @Mr.Brian:  I thought I had left a message thanking you for all of the information which you so freely provide for all of our members.    I am not knowledgeable enough to understand a lot of this, however “I’m trying”.    Thank you again for your limitless expertise, and knowledge relevant to these complex issues (which I wish understood more).

        Your messages are always read, however I just don’t have the ability to understand many of them.   I’m sure every member appreciates and is grateful for your assistance.    🙂

         

        P.S.   I located the other message I sent, and will not edit it since it’s a “duplicate”.   🙂

        1 user thanked author for this post.
    • #158815 Reply

      anonymous

      ? says:

      this just came out for ubuntu/intel and wonder if this will work properly?

      https://usn.ubuntu.com/usn/usn-3531-1/

      any beta testers?

      • #161063 Reply

        anonymous

        ? says:

        i guess i answered my own question from 01/12/2018

        USN-3531-1 introduced regressions in intel-microcode

        “At the request of Intel, we have
        reverted to the previous packaged microcode version, the 20170707 release”.

        2 users thanked author for this post.
    • #159180 Reply

      anonymous

      So, where does this leave all of us who either bought a locally built unit from a local mom-and-pop store that’s an Intel partner and said unit has Intel chip and motherboard, OR who went out and built our own units with an Intel board and chip?

      In my case, I have two such units. One has an Intel i3-2120 chip (2nd. generation core) and one has an Intel i5-750 chip (first generation core). Both units were bought from two different local mom-and-pop stores who were and still are Intel channel partners.

      So far, from links posted on this site, I’ve learned that the latest microcode update released on January 8th covers BOTH of my chips, according to the lengthy list posted on Intel’s site for downloading the actual update.

      With the foregoing in mind, to quote the late Clara Peller, “Where’s the beef?”… or, in other words, where’s the BIOS revisions needed to properly patch the systems? BTW, both systems are Win 7 Pro x64 boxes.

      This is a great question to post to Intel for proper product support. They’re releasing revised microcode for older chips like mine, so why not build that into a BIOS update for the Intel boards they’re compatible with and likely to be installed into?

      • #159189 Reply

        MrBrian
        AskWoody_MVP

        The microcodes for your two CPUs in the latest microcode file from Intel (mentioned in first post) probably do not include changes for Meltdown/Spectre.

    • #159193 Reply

      MrBrian
      AskWoody_MVP

      From Intel, AMD & VIA CPU Microcode Repositories: “This is a collection of every Intel, AMD and VIA CPU microcode we have found.”

    • #159197 Reply

      MrBrian
      AskWoody_MVP

      From iucode-tool:

      “Updating the processor microcode is a process that can be done at any time (even with the system at full load), and as many times as required.  It is strongly recommended that microcode updates be applied during early system boot, though:

      * Microcode updates should be applied as soon as possible to shorten the time window where the errata fixed by the update could still trigger;

      * Some microcode updates can only be applied safely before the operating system enables more advanced processor functionality, otherwise that functionality must be disabled by the kernel (Atom PSE erratum);

      * Some microcode updates disable (faulty) functionality or make other “visible” changes to the processor, and must be applied before either the kernel or applications start using that functionality (e.g. Haswell Intel TSX erratum).”

    • #160208 Reply

      MrBrian
      AskWoody_MVP
      • #160460 Reply

        rontpxz81
        AskWoody Lounger

        I built my own PC – just a few days ago Gigabyte started to offer a Bios microcode update for my motherboard.

        I’m skeptical due to the rush on Meltdown/Spectre fixes and don’t want to mess up my system.

        Any advice?

    • #161243 Reply

      MrBrian
      AskWoody_MVP

      Intel says STOP installing firmware updates

      1 user thanked author for this post.
      • #161435 Reply

        rontpxz81
        AskWoody Lounger

        Gigabyte started offering a Bios microcode update a few days ago for some of it’s motherboards like mine on my self- built PC.  Since Intel was not specific in it’s release to stop installing updates I will wait.

    • #161742 Reply

      MrBrian
      AskWoody_MVP

      This file is no longer available for download.

      Hat tip: user ViperJohn.

      1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Intel has released microcode update v20180108 with Meltdown/Spectre fixes

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.