  #15  
January 22nd 18, 02:41 AM posted to alt.comp.os.windows-10,alt.windows7.general
Paul[_32_]
GRC's Spectre and Meltdown testing software

Brian Gregory wrote:
On 21/01/2018 23:54, Brian Gregory wrote:
On 21/01/2018 21:49, Paul wrote:
Microsoft is *always* shipping Microcode. At the moment,
it's delivering what I would guess to be Nov 2017 or
so microcode. Not Jan 8, 2018 microcode. Linux has
already delivered Jan 8, 2018 microcode. The microcode
file, while called "Linux" on the Intel site, is actually
suitable for *any* OS. Since Intel delivers a copy to
Microsoft directly, no web site delivery is needed. But
for the 500 distros out there, Intel provides microcode
for download, so those people can pick it up.


Then why is everyone saying we need to update our BIOSs?

I'm pretty sure Steve himself said in the podcast that Microsoft hadn't
updated the microcode in Windows for years.


Sorry, forgot which newsgroup I was in, I mean Steve Gibson of GRC.COM.


That's not true.

As one of my test cases, I booted a Linux LiveCD, one
a couple years old, and the microcode level was 16.

The Windows 10 16299.192 microcode level is 28.

The very latest Linux one available, is 2a.

Microsoft *is* providing OS level microcode, just
not using the January 8, 2018 version quite yet.

Neither is Linux, on all distros. Only the most
modern got it so far. Linux in the distro package
manager, provides a separate line item for
"microcode.dat", and presumably selecting that
does whatever magic is needed to make an initrd
or similar. You would look in your package manager,
to see if perhaps the microcode had been recently
updated. In the Ubuntu test VM, I could indeed see
the word "microcode" in a list of 500MB worth
of patches. It was an item in there. I saw it fly by.

And in Linux, I have a couple ways to check. Via
dmesg | grep microcode, or via looking at
cat /proc/cpuinfo or similar. Since I know some of
the available revision numbers for my CPU, I'm able
to tell whether a January patch was installed or not.

If I had a P4, there'd be nothing to see, and the
same old crusty microcode version would be present
for all of the above test cases. Even a BIOS flash
wouldn't help, because Intel has no specific help
for a P4. And there are lots and lots of computers
out there which are more than four years old.

Even if you "had all mitigations", at this point
I wouldn't be too smug about it. This story
isn't finished.

*******

"Update your BIOS" is good if you're the owner
of AWS or Google Cloud or the like. Any place you
have no control over the computing that goes on,
the "attack surface" is huge. You want hardware
protection (if you can get it). Cloud providers have
been installing BIOS, even if it costs 20% performance
on some I/O intensive workloads.

The situation for at least some home users is a bit
more benign. The main threat surface is their browser,
and their browser has received a patch. That's a
start.

And the "need" to get a BIOS, will be relieved,
once Microsoft un-gates the Jan.8 microcode into
the wild. Linux has already done those, for at least
one distro. I feel Microsoft will eventually do it too,
and once it does, you won't have to run off and
flash the BIOS.

The OS microcode loader does work. In my tests,
an old Linux was 16. In Windows 10 16299.192,
the version was 28 on my machine. That means
probably a microcode from Fall 2017 or so. And
eventually, when Microsoft "un-gates" the Jan.8
microcode, my machine will leap to 2a hex.

On an older machine, the P4 running Windows 7,
*nothing* is going to make it leap. You install
Firefox 57.0.4 (i.e. do your browser patching),
and that's basically the only option available.
There will never be a BIOS. When the Jan.8 microcode
is released, your P4 will have the "same old
revision number" it always had.

Paul
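
The /proc/cpuinfo check described in the post above, as an added example that is not part of the original post: it lists the microcode revision each logical CPU reports and compares it with a revision you expect. The function names and the sample text are constructed for illustration; 0x28 and 0x2a are the revisions the post quotes for the poster's own CPU and will differ on other processors.

```shell
#!/bin/sh
# Added example: read microcode revisions from /proc/cpuinfo-style text.

# Constructed sample in /proc/cpuinfo layout (two logical CPUs at 0x28).
sample_cpuinfo() {
cat <<'EOF'
processor : 0
model name : Example CPU (constructed)
microcode : 0x28

processor : 1
model name : Example CPU (constructed)
microcode : 0x28
EOF
}

# Print the distinct revisions found, one per line, in lowercase hex.
# More than one line of output means the logical CPUs disagree.
microcode_revs() {
    awk -F': *' '/^microcode[ \t]*:/ { print tolower($2) }' \
        "${1:-/proc/cpuinfo}" | sort -u
}

# Return 0 only if every logical CPU is at or above the wanted revision,
# 1 if any is below it, 2 if no microcode field exists (some VMs, non-x86).
microcode_at_least() {
    want=$(( $1 ))
    revs=$(microcode_revs "${2:-/proc/cpuinfo}")
    [ -n "$revs" ] || return 2
    for r in $revs; do
        [ $(( $r )) -ge "$want" ] || return 1
    done
    return 0
}

# Demo on the constructed sample; pass /proc/cpuinfo instead on a real system.
demo=$(mktemp)
sample_cpuinfo > "$demo"
echo "revisions seen: $(microcode_revs "$demo" | tr '\n' ' ')"
if microcode_at_least 0x2a "$demo"; then
    echo "at or above 0x2a"
else
    echo "below 0x2a: the newer microcode has not been loaded"
fi
rm -f "$demo"
```
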