Confused about Spectre/Meltdown and BIOS/Firmware/Microcode updates

Discussion in 'Intel Processors' started by st4rk, Jan 10, 2018.

  1. st4rk

    st4rk Gawd

    Messages:
    958
    Joined:
    Sep 19, 2003
    At work, machines are either HP or Dell. Easy to go to their website and download the latest BIOS to update the microcode. Install the OS patch, then use the speculation powershell cmdlet to verify protection - all green.

    Now what about ancient CPUs like Q6600? What about custom build machines? Gigabyte probably isn't on the ball like HP/Dell with their BIOS updates. And HP will only update BIOSes back to certain generation machines (makes sense; why update out of support models).

    I'm guessing if you have an older HP machine and HP doesn't update the BIOS for it, then you're SOL? It sounds like just having the KB4056890 installed will not keep you fully mitigated - you need a bios/firmware update too.
     
  2. Shintai

    Shintai [H]ardness Supreme

    Messages:
    5,691
    Joined:
    Jul 1, 2016
    Microcode will later be supplied by Microsoft as well as usual. Just like other OSes.

Q6600 is very likely out of luck. I think the plan is to supply at least 5 years back, but perhaps as much as 10.

In reality, don't expect anything before SB and FX to get updates.
     
  3. Link

    Link Gawd

    Messages:
    587
    Joined:
    Jul 28, 2002
I'm wondering about the same thing. The majority of the PCs being used are old CPUs on old mobos out of warranty and support. There's no way the system and mobo manufacturers would issue BIOS updates for them. Basically, everyone with an older CPU and mobo is screwed.
     
  4. st4rk

    st4rk Gawd

    Messages:
    958
    Joined:
    Sep 19, 2003
    If Microsoft is going to release a microcode update themselves, why would the OEMs bother doing BIOS updates?

Also, the average home user doesn't know what a BIOS is and that it needs to be updated ASAP right now to mitigate Spectre. So basically everyone is still vulnerable even with the OS patch. Unless I'm understanding this all wrong and the OS patch is sufficient?
     
  5. Bill1024

    Bill1024 Gawd

    Messages:
    939
    Joined:
    Apr 26, 2013
No, you are right, there has to be a BIOS patch along with the OS patch.
    From what I am hearing there are two exploits to Spectre, and one part can never be patched.
    The good news is that part is very hard to exploit.
    So much information, misinformation and speculation.
    What gets me is, from what I understand, this has been this way for 20 years. We are just finding it out now.
I am not really worried at this point; they say no one has ever been exploited by any of this. Yet, as far as they know.
     
  6. Bill1024

    Bill1024 Gawd

    Messages:
    939
    Joined:
    Apr 26, 2013
There are several sites that do BIOS mods, like NVMe support for older MBs.
    Maybe one or some of them will take the Intel microcode and update the BIOS for people with the older hardware.
     
  7. Shintai

    Shintai [H]ardness Supreme

    Messages:
    5,691
    Joined:
    Jul 1, 2016
Because MS is very slow in that process. It tends to be done 2 times a year only, and that's faster than it used to be.

    It has been a huge problem for ages, on Linux they do it monthly or even faster.

    Hopefully MS will yet again speed this process up.
     
  8. st4rk

    st4rk Gawd

    Messages:
    958
    Joined:
    Sep 19, 2003
    Also more confusion for me. Here's the article on how to check mitigation:
    https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in

    Walks you through the PowerShell and whatnot. But at the end it tells you about some regkeys you can add to enable/disable mitigation. But it doesn't say if it's enabled by default (after installing the patch, those regkeys didn't exist).

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    So why would we have to go back and add regkeys after installing the security patch? Why wouldn't the patch add them after installing? So weird.

    *edit* the PowerShell cmdlet comes back all green whether you have the regkeys or not, which is why I'm confused.
     
  9. st4rk

    st4rk Gawd

    Messages:
    958
    Joined:
    Sep 19, 2003
    Update: I don't think adding the registry keys matters unless you're testing something and need to enable/disable mitigation on the fly. I added the keys and set them to disable, restarted (required to take effect), the PoSH returned red. I deleted the keys, restarted, then the PoSH came back green.

    They need to word the support article better.
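Posts 8 and 9 above hinge on what the two registry values actually do and why the PowerShell check flips between green and red. The script below is an added example written for this thread; it is not code from the poster, from the KB article or from Microsoft. It reads FeatureSettingsOverride and FeatureSettingsOverrideMask from the key quoted in post 8, explains per mitigation whether the OS default is in force or has been overridden, optionally writes the enable/disable/clear states, and cross-checks against the SpeculationControl module if it is installed. Assumptions, labelled in the code: bit 0 of the override governs the Branch Target Injection (Spectre variant 2) mitigation and bit 1 the Kernel VA Shadow (Meltdown) mitigation, a set bit meaning "disabled"; the 0/3 pair quoted in the thread enables both, and 3/3 (from Microsoft's published guidance as I read it) disables both; the output property names are those of the public SpeculationControl module. A reboot is required for any change to take effect, as post 9 notes.

```powershell
# Added example for this thread, not code from the poster or from Microsoft.
# Inspects and optionally sets the Spectre/Meltdown override values under the
# Memory Management key, then compares with Get-SpeculationControlSettings.

$MemMgmtKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$BitSpectreV2 = 1   # assumption: bit 0 = Branch Target Injection (Spectre v2) mitigation
$BitMeltdown  = 2   # assumption: bit 1 = Kernel VA Shadow (Meltdown) mitigation

function Get-OverrideBitState {
    param([int]$Override, [int]$Mask, [int]$Bit)
    # The mask selects which bits the override applies to. An unmasked bit
    # leaves the OS default in force (enabled on Windows client by default,
    # which is why the OP saw green with no values present at all).
    if (($Mask -band $Bit) -eq 0)     { return 'OS default (no override)' }
    if (($Override -band $Bit) -ne 0) { return 'DISABLED by override' }
    return 'enabled by override'
}

function Get-MitigationOverride {
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    $present  = ($null -ne $override) -or ($null -ne $mask)
    # Missing values behave as 0: nothing overridden.
    if ($null -eq $override) { $override = 0 }
    if ($null -eq $mask)     { $mask = 0 }
    [pscustomobject]@{
        ValuesPresent = $present          # $false = the state right after installing the patch
        Override      = $override
        Mask          = $mask
        SpectreV2     = Get-OverrideBitState $override $mask $BitSpectreV2
        Meltdown      = Get-OverrideBitState $override $mask $BitMeltdown
    }
}

function Set-MitigationOverride {
    # Writes or removes the two DWORDs. Needs an elevated shell; reboot afterwards.
    param([Parameter(Mandatory)][ValidateSet('Enable','Disable','Clear')][string]$Action)
    switch ($Action) {
        'Enable'  { $o = 0; $m = 3 }   # the pair quoted in post 8
        'Disable' { $o = 3; $m = 3 }   # assumption: Microsoft's "disable mitigations" pair
        'Clear'   {
            # Equivalent to what the OP did in post 9 before the check went green again.
            Remove-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride, FeatureSettingsOverrideMask -ErrorAction SilentlyContinue
            return
        }
    }
    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Value $o -Type DWord
    Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Value $m -Type DWord
}

# Registry view of the override state.
Get-MitigationOverride | Format-List

# Kernel view, if the module is installed (Install-Module SpeculationControl).
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $sc = Get-SpeculationControlSettings
    [pscustomobject]@{
        'Spectre v2: microcode/BIOS support present' = $sc.BTIHardwarePresent
        'Spectre v2: OS mitigation enabled'          = $sc.BTIWindowsSupportEnabled
        'Meltdown: mitigation required on this CPU'  = $sc.KVAShadowRequired
        'Meltdown: OS mitigation enabled'            = $sc.KVAShadowWindowsSupportEnabled
    } | Format-List
} else {
    Write-Output 'SpeculationControl module not found; run Install-Module SpeculationControl to cross-check.'
}
```

Run it as-is from an elevated PowerShell to get the read-only report; call `Set-MitigationOverride -Action Disable` (or `Enable` / `Clear`) only when you are deliberately testing, then reboot and run the report again. The registry half answers the OP's question (no values present means nothing is overridden), and the module half shows the part the registry cannot: BTIHardwarePresent is the line that stays false on a board whose BIOS never received the microcode update, regardless of what the OS patch or the registry says.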