Mind boggled: The Meltdown/Spectre microcode patches

Topic

New Reply

I just read a tweetstorm from @Karl_F1_Fan to @Crysta that has my head swimming. Here’s what he says: Hi Crysta, Your quotes to Microsoft articles are
[See the full post at: Mind boggled: The Meltdown/Spectre microcode patches]

4 users thanked author for this post.

Elly, PhotM, AlexEiffel, GreatAndPowerfulTech

Reply | Quote

Replies

The inconsistency of Microsoft’s actions is amazing. Concerning OEM’s, at least Dell is proving to provide proper customer support with BIOS updates that address the issues properly. I had been telling our customers that all the big OEM computers were made in the same factories without much quality difference between them other than engineering style. The real difference now appears not to be in how they’re made, but in how their taken care of after the fact. In this case Dell stands above all the others.

GreatAndPowerfulTech

3 users thanked author for this post.

Elly, alpha128, columbia2011

Reply | Quote

GreatAndPowerfulTech wrote:

The inconsistency of Microsoft’s actions is amazing. Concerning OEM’s, at least Dell is proving to provide proper customer support with BIOS updates that address the issues properly. I had been telling our customers that all the big OEM computers were made in the same factories without much quality difference between them other than engineering style. The real difference now appears not to be in how they’re made, but in how their taken care of after the fact. In this case Dell stands above all the others.

Yes, this situation makes me glad that my (business class) home system is a Dell.  In fact, I just applied the second BIOS update to my system.  I wait a couple of months for any bugs to get worked out.  So I applied the February update in April, and the June 21st update yesterday.  The updates are easy to apply and I have noticed no problems afterwards.

Reply | Quote

I guess among other reasons the danger of being becoming a hollowed out generic brand is why Mr. Dell took his company back in private hands away from Wall Street.

Reply | Quote

but I still have NOT gotten any new microcode BIOS/firmware updates from Dell for my family’s Dell Inspiron computer (using Intel Sandy Bridge CPUs) – perhaps it may be too old for them to update it

Reply | Quote

This is the full list of Dell systems which have received previous or will receive future BIOS updates related to Spectre/Meltdown:

https://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products

So, if the Inspiron system you have is not listed as “In Process”, then it has reached EOL and will never receive an update.

Reply | Quote

HP is not updating their site accordingly so the theme sites indicate updates are missing or pending, while being partially available on the product site.

This is absolutely correct statement.

 

 

Reply | Quote

Here’s the most recent Intel Microcode Revision Guidance PDF (Apr. 2). https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

There are NO mentions of “Amber”, “Cascade” or “Whiskey” Lakes on the PDF. Has Anandtech taken their DeLorean time machine 5 months into the future & these are Meltdown/Spectre fixes for Win10 1809?! Anandtech claims “Amber” & “Whiskey” are based on Kaby Lake, so do the Kaby Lake fixes cover them, or are these NEW CPUID’s? “Cascade” might be based on Coffee Lake. If anyone knows if there’s a more recent PDF from Intel than Apr. 2, please add it to this thread.

UPDATE: I followed @Karl_F1_Fan’s tweetstorm to @PhantomofMobile (AKA PhotM on the Lounge) & found a more current PDF dated Aug. 8!

https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

My Ivy Bridge processor on my ASUS X55A laptop has a “New Production MCU Rev” of 0x20 & my 0x1F is now “Pre-Mitigation Production MCU”. Still not sure how to obtain the microcode.

Also, the current PDF STILL doesn’t list the mystery Lakes… “Amber”, “Cascade” & “Whiskey”. Maybe Anandtech’s been drinking too much whiskey lately? Or is the DeLorean now powered by Mike’s Harder Lemonade?!

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

1 user thanked author for this post.

OscarCP

Reply | Quote

Wild Bill #214087  ,

Thanks! According to the table in the PDF, my “Sandy Bridge” CPU has an UEFI update, finally. (I’ve checked and found that “sandy Bridge” chips, from earliest 2010 ones (like mine), were the first Intel ones with UEFI instead of BIOS.)

Not that I am about to mess around with my UEFI but… nice to know, anyhow.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Could these be the new CPUs the ex-CEO was saying would have the fixes (baked-in updated microcode) for Spectre & Meltdown?

Reply | Quote

Amber, Whiskey and the other one are supposed to be Kaby lake chips featuring lower wattage with Gigabit Wi-Fi and better video subsystem. I guess we will find out about whether these include baked-in fixes for spectre, etc.

Reply | Quote

Cited in the original post:

Without Win10 we would have no protection at all…

Only in Microsoft-land is that true, and that’s because Microsoft has elected not to provide these microcode updates for two-thirds of the Windows versions for which they are responsible for providing security updates.

Personally, I don’t want this update in firmware.  Anything that slows down my system (even a little) to fix a problem that thus far does not exist in the wild isn’t one that I want made permanent.  It’s perfectly fine to get it as an OS update– if your OS provider is willing to provide one.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

5 users thanked author for this post.

Mele20, Elly, Sessh, Bill C., WildBill

Reply | Quote

Apropos of this, see the following report: http://www.eweek.com/security/linux-kernel-developer-criticizes-intel-for-meltdown-spectre-response

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

Elly, WildBill

Reply | Quote

Thanks. As Ascaris recently said, & as Woody has been saying from the beginning:

Anything that slows down my system (even a little) to fix a problem that thus far does not exist in the wild isn’t one that I want made permanent.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

3 users thanked author for this post.

Kirsty, abbodi86, Cybertooth

Reply | Quote

Hi all,

In another post, I mentioned that I have been testing Intel’s latest Ghost microcodes on my production Win7 x64 machine. I was doing so for the past five days by using the VMware utility which allowed me to use Intel’s latest August uCode for my I5 Haswell CPU. The VMware Fling allowed me to do this, instead of having to create and flash a custom modded BIOS flash file for my out of warranty MSI motherboard’s BIOS in order to implement Intel’s latest August Ghost microcode.

I both coin and in the future will refer to all Intel Meltdown and Spectre mitigating CPU microcode as “Ghost” microcode, since if you read about all of these vulnerabilities which are related to the flawed CPU speculative execution and about how POC code works, you will realize that my Ghost acronym is quite appropriate. Moreover, “Ghost” also indicates all Intel CPU microcode which Intel released after December 2017 in order to mitigate Meltdown and Spectre, and all related CPU flaws.

After five days of stable testing, I finally got fed up with the extremely poor performance of the August Intel Ghostbusting microcode when running older non-multithreading capable programs on my Win7 test computer. You all have no idea how bad the slowdown becomes when running such older programs. It is bad — really bad on older CPUs. Serialized I/O, such as when running backups, is quite good when using the Ghost microcode. Yet random I/O, depending on file sizes, can take a very strong hit in terms of performance on older CPUs. And of course, I already mentioned the issue of older programs.

Nobody should go down the road of creating a custom modded BIOS file for flashing which includes Intel’s latest Ghostbusting microcode. Just don’t do it at the present time, regardless of whatever online programs which you have found to do this. Why? There are many reasons which I will not delve into at the present time. Yet the most important reasons are twofold. First, Microsoft is on track to do the same thing, at OS boot, in Win7 and in Win8x. Second, if I can can get any AV vendor to listen to me (so far, unsuccessful), I have a way to detect any Meltdown/Spectre and related exploit attempts. Any of you all work for an AV company?

I warn against (at least at the present time) installing any BIOS updates from motherboard OEMs or computer OEMs. Why? First is that you might not be able to revert to a pre-Ghost BIOS. Second is that Microsoft is working on doing the same thing by loading Intel’s Ghostbusting CPU microcode during OS boot-up. Presently Microsoft is only doing this in Windows 10, yet Microsoft will soon do so for both Win7 and Win8x. Third is that the same thing can be accomplished for Win7 and Win8x users via the VMware Fling, using the microcode.dat files which I have created and which do not include any microcodes with caveats which presently are causing severe issues for Win10 users with certain CPUs. The upshot is that everyone should “hold tight” at the present time.

Okay, so how about those who DO want to mitigate the Ghosts without having to flash their motherboard’s BIOS?

The VMware Fling works great for testing and/or implementation purposes on Win7 and Win8x for Meltdown and Spectre mitigation. Do NOT use the VMware Fling on Win10. Please do not try the VMware Fling in Win7 or Win8x. Instead, soon I will post a Dropbox for the VMware Fling which includes instructions and microcode.dat files for both December 2017 and August 2018, and which do not include any “caveat” CPU microcode which is presently causing severe issues. The December 2017 microcode.dat file will allow everyone to perform performance tests of their systems, especially if they have held off on updating at December 2017. The August 2018 microcode.dat file will then allow everyone to then perform performance tests while running Intel’s latest August Ghostbusting microcode on their CPU. Hopefully you all get the idea. The upshot is to allow you all Win7 and Win8x users to not only implement either Intel’s Ghostbusting CPU microcode or Intel’s December 2017 non-Ghostbusting CPU microcode, but also to allow you to perform comparison tests in terms of overall performance of your computer when using either of these microcodes, and to also avoid having to actually flash your motherboard’s BIOS with Intel’s latest Ghostbusting CPU microcode. Note that once you flash your BIOS with a newer BIOS version, it may be either extremely difficult or impossible to flash back to a previous BIOS version. Yet note that there usually are ways to accomplish the latter (flashing an older BIOS file, using methods which I can not disclose online.

I should have a Dropbox of the VMware Fling along with instructions and other info, available via Dropbox sometime this weekend for all of you Win7 and Win8x users to try. Note that if you encounter any issues on bootup, all that you have to do is to use either your install DVD or a recovery DVD to boot to DOS, and then to delete “microcode.dat” in your Windows\System32 folder.

Best regards,

–GTP

3 users thanked author for this post.

jburk07, Bill C., Cybertooth

Reply | Quote

Time to create you own product, if you can reliably detect exploit attempts.

Reply | Quote

FWIW, ASRock has offered BIOS updates this year with updated microcode. My 2014 H97 chipset MoBo had a bios update in March’18 for Haswell CPU’s, updating m/c from 0x19 to 0x24.  As of Aug’18 Intel’s latest Haswell Desktop m/c is 0x25.

So, Dell isn’t the only one serving their user base…

 

Reply | Quote

I can only be happy that [at least] Dell was able to provide due updates and all..

But in my experience (with AGESA instead of microcode, but still) on the Bobcat architecture, of all the OEM bioses I looked into, only Asus got to release an updated one.

…On the other hand, I can sure testify how my newer Skylake laptop of theirs still hasn’t got a new firmware since 2015.

Considering nowadays there aren’t particular reasons to prefer a brand over another, is there any list/tracker/something for this important kind of information?

Reply | Quote

For a good measure, they are also suggesting FeatureSettingsOverride 0 in the L1TF advisory (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018) – which disables any mitigations whatsoever.

Top quality documentation, well done @Redmond. #facepalm

Reply | Quote

Those settings are correct and don’t disable anything.

Reply | Quote

Uh, no… The correct settings are FeatureSettingsOverride 8 and FeatureSettingsOverrideMask 3

Reply | Quote

Instead of running in circles, one should simply run the latest SpeculationControl PowerShell script from Microsoft and check the state of the mitigations. On a machine (latest BIOS/Windows 1803 updates installed) that does not even have any of the registry settings mentioned, the following results are returned:

For more information about the output below, please refer to https://support.microsoft.com/en-in/help/4074629

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True

BTIHardwarePresent                  : True
BTIWindowsSupportPresent            : True
BTIWindowsSupportEnabled            : True
BTIDisabledBySystemPolicy           : False
BTIDisabledByNoHardwareSupport      : False
KVAShadowRequired                   : True
KVAShadowWindowsSupportPresent      : True
KVAShadowWindowsSupportEnabled      : True
KVAShadowPcidEnabled                : True
SSBDWindowsSupportPresent           : True
SSBDHardwareVulnerable              : True
SSBDHardwarePresent                 : True
SSBDWindowsSupportEnabledSystemWide : False
L1TFHardwareVulnerable              : True
L1TFWindowsSupportPresent           : True
L1TFWindowsSupportEnabled           : True
L1TFInvalidPteBit                   : 45
L1DFlushSupported                   : True

Apparently, if the latest BIOS/Windows 10 updates are installed, no registry setting is required to have all mitigations enabled.

3 users thanked author for this post.

AlexEiffel, columbia2011

Reply | Quote

The latest SpeculationControl script is available at https://aka.ms/SpeculationControlPS (link taken from https://support.microsoft.com/en-us/help/4073119/).

Reply | Quote

Personally, I don’t want this update in firmware. Anything that slows down my system (even a little) to fix a problem that thus far does not exist in the wild isn’t one that I want made permanent. It’s perfectly fine to get it as an OS update– if your OS provider is willing to provide one.

I agree completely.  I can’t understand the praise for Dell in this thread.  I have a Dell Windows 10 Pro (Business) computer that is less than one year old. I don’t want the firmware updates for this issue.  What no one is mentioning is that every one of these updates has cause bricking of systems!  Not all systems…but I don’t want the risk nor do I want the slow down.  I spent a lot of money on this computer and I bought to be fast.

I probably can’t ignore these firmware updates indefinitely though as I also bought 4 years of Enterprise hardware and software extended warranty support.  If I have to call Dell about anything…a dead data drive (which is almost inevitable) for instance, I won’t get hardware extended warranty support or any support unless I am fully up to date and that includes bios updates.

Reply | Quote

To keep it simple, what should those registry values be to disable all of these? 3/3 still valid or that changed? Because I have been noticing some operations being slower for some time now, despite those values being set.

— Cavalary

Reply | Quote

As I understand it, it isn’t simple, and what the registry values should be depends on the hardware setting it is being used in. There doesn’t appear to be just one correct setting that suits all (but I could be wrong!).

the recent switch is 8 / 3 for anything and any CPU since 0 / 3 is outdated and Intel specific. That’s what I am talking about MS is giving wrong advice for L1TF on their pages. you cannot set 0 / 3 and 8 / 3 the same time as it is the same reg key.

Reply | Quote

Hi everyone,

I have been testing the VMware Fling which can load the latest August 2018 CPU Meltdown and Spectre microcode into your CPU when booting Windows 7 or Windows 8x. I tested using lower load orders during OS bootup.

The Fling’s default start type is StartType=0x2 ; SERVICE_AUTO_START. I tested StartType=0x1 ; SERVICE_SYSTEM_START which works fine in Windows 7. Note that StartType=0x0 ; SERVICE_BOOT_START does NOT work since a full file system driver is not available when loading SERVICE_BOOT_START drivers, resulting in a “file not found” error.

The point is that using StartType=0x1 ; SERVICE_SYSTEM_START should have worked, such that Microsoft’s SpeculationControl.psd1 PowerShell script should have “seen” that your CPU was running Intel’s latest August 2018 Meltdown and Spectre mitigating microcode, and that Windows 7 or Windows 8x should have then implemented additional software based OS mitigations on boot. Yet this does NOT work for either GRC’s InSpectre utility or for Microsoft’s PowerShell script since both don’t check to see what microcode is actually running in your CPU cores, and instead only check what microcode is present in your computer’s BIOS. And this does not work for Windows itself, since the August updates do not check what microcode revision is actually running in the CPU cores. Instead, and even with the August updates installed, Windows presently ignores whatever CPU microcode is actually loaded and running in your CPU cores, and instead applies settings based upon whatever older CPU microcode which Windows finds in your BIOS. Ain’t that a peach of a situation?

The upshot is that Microsoft has some things to fix in Windows 7 and Windows 8x, especially since Microsoft’s own microcode patching in Windows 7 (dated 2009) loads as StartType=0x2 ; SERVICE_AUTO_START.

In summary . . .

I will post the VMware Fling which includes the latest and correct Intel August 2018 microcode files, along with Intel’s latest December 2017 microcode files which do not include any Meltdown and Spectre mitigations. The point of doing so is to allow Win7 and Win8x users to test the performance impacts of Intel’s August 2018 uCode versus Intel’s December 2017 uCode.

Best regards,

–GTP

 

1 user thanked author for this post.

Elly

Reply | Quote