January 16th 18, 06:20 AM posted to alt.comp.os.windows-10
...w¡ñ§±¤ñ[_2_]
Microcode Update?

Paul wrote:
...w¡ñ§±¤ñ wrote:
Pat wrote:
Anyone here know how microcode updates work with modern processors?
Over the last few weeks, we have all seen the discussion of the
microcode bug that can be mitigated by OS updates which have the side
effect of slowing the processor. That, I understand. However, I have
also seen references to microcode updates released by, for example,
Intel for their processors. How do those get installed? How can
software running on a processor update the very microcode being used
to run the software? I must be missing something.

Pat


The general rule for Spectre/Meltdown

- Intel releases the microcode update
- The OEM (PC manufacturer) or mobo manufacturer releases the UEFI/BIOS or
BIOS update accommodating the microcode update
- The system end-user installs/updates the UEFI/BIOS or BIOS

Bottom line - Not all devices will receive or be able to update UEFI/BIOS
or BIOS for all Intel released microcode updates for two simple reasons -
Firmware updates are not an in perpetuity support requirement and OEM or
mobo manufacturers are not going to attempt to update all
impacted (Spectre/Meltdown vulnerable) hardware on the planet.

Microsoft, in fact, may not release firmware updates for all of its own
released hardware using Intel, ARM or Atom chipsets (e.g. Surface, XBox,
etc. products)


This will give you some idea what Intel patched recently.

The word Linux should not throw you off here - these updates apply
to any platform. Intel does not pick favorites or anything, neither
does Intel keep multiple streams.

This release note is a "diff", and indicates only CPUs that
have changed since the last release. In other words, these
Branch Target Buffer patches, are all for relatively modern
processors. No gubbins for the P4 for example.

Intel Processor Microcode Package for Linux 20180108 Release
-- Updates upon 20171117 release --
IVT C0            (06-3e-04:ed) 428-42a   === my CPU barely made the list (Launch Date Q3'13)
SKL-U/Y D0        (06-4e-03:c0) ba-c2
BDW-U/Y E/F       (06-3d-04:c0) 25-28
HSW-ULT Cx/Dx     (06-45-01:72) 20-21
Crystalwell Cx    (06-46-01:32) 17-18
BDW-H E/G         (06-47-01:22) 17-1b
HSX-EX E0         (06-3f-04:80) 0f-10
SKL-H/S R0        (06-5e-03:36) ba-c2
HSW Cx/Dx         (06-3c-03:32) 22-23
HSX C0            (06-3f-02:6f) 3a-3b
BDX-DE V0/V1      (06-56-02:10) 0f-14
BDX-DE V2         (06-56-03:10) 700000d-7000011
KBL-U/Y H0        (06-8e-09:c0) 62-80
KBL Y0 / CFL D0   (06-8e-0a:c0) 70-80
KBL-H/S B0        (06-9e-09:2a) 5e-80
CFL U0            (06-9e-0a:22) 70-80
CFL B0            (06-9e-0b:02) 72-80
SKX H0            (06-55-04:b7) 2000035-200003c
GLK B0            (06-7a-01:01) 1e-22

Microcode can be injected by the BIOS/UEFI
or by the OS microcode loader. Both Windows and Linux
have OS microcode loaders. Normally, Windows silently
pushes out microcode. But, in a departure from that policy,
at the moment, Microsoft is not pushing out 42a for
my processor.

I get "42a" if I boot Linux 16.04 patched up to date.

I get "428" in Win10 16299.192 Meltdown patched
up to date. And that's because Microsoft has not
chosen to do a 42a push yet.

My machine reports "416" if running older software.
That implies that Windows 10 is putting "428" on
my machine, but Microsoft has chosen to not push
"42a" for the machine.

Asus does not have a "42a" BIOS for my computer. I
cannot force the issue that way.

Other people, with X99 or later motherboards,
may get the equivalent of the "42a" mine could
use.

But at the moment, only the Linux OS gave me an
end result of "42a" microcode.

Not that this is "important" or "critical". This
crap will be dribbling out for the next year.

Best advice I can give at the moment.

1) Patch to 16299.192 (or equivalent for older revisions
   of Windows 10). This includes Meltdown coverage.
   As well as a pretty basic form of Spectre coverage
   for IE11 and MSEdge.

2) If you use a third-party browser, patch it too.
   Firefox offers 57.0.4 with timing attack protection
   for Javascript arrays. Presumably Chrome has one
   of those patches too.

This microcode stuff, covers the next level. The microcode
method may make a better blanket protection. But at the
moment, the (2) above is our best protection. The black
hats are still working on (2) exploit. They will eventually
make new exploits, and that's part of what the microcode
thing is for.

On older hardware, there is no BTB refinement. And the
older hardwares are going to rely on a patchwork of
other methods.

My most modern computer, barely has any BTB
(Branch Target Buffer) features at all. All the rest of
my computers, will be patchwork material. Every time
I use a web browser (even Firefox 57.0.4), I will never
know what to expect. It will be up to Mozilla and the
AV products, to mitigate these Spectre attacks as
they arrive.

   Paul


Hi Paul.
Read the same article or similar as you.
We agree on the best approach at this time
- Update Windows to the latest build level[1]
- Update Browser to current available

Asus Sabertooth Z87, i7-4770 on Win7 Pro and Win10 Pro (same device,
replaceable HD, i.e. not dual boot)


[1] Note: With 1709 now CBB/S-AC as of Jan. 12 2018 that effectively means
only 1709 and 1703 are the foreseeable supported versions (i.e. 1607 will
fall out of support)

--
...w¡ñ§±¤ñ
msft mvp windows experience 2007-2016, insider mvp 2016-2018
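
An added example, not part of any of the posts above: a small Python parser for the release-note lines quoted in the thread, used to compare a machine's running microcode revision with the one the release ships. It assumes each entry reads name, (family-model-stepping:platform mask), old revision, new revision, all in hex; the /proc/cpuinfo excerpt is constructed, and the function names are hypothetical.

```python
import re

# Lines taken from the release note quoted in the thread above.
RELEASE_NOTE = """\
IVT C0 (06-3e-04:ed) 428-42a
SKL-U/Y D0 (06-4e-03:c0) ba-c2
BDX-DE V2 (06-56-03:10) 700000d-7000011
"""

# Constructed /proc/cpuinfo excerpt: an IVT C0 part running revision 0x428.
SAMPLE_CPUINFO = "cpu family\t: 6\nmodel\t\t: 62\nstepping\t: 4\nmicrocode\t: 0x428\n"

# Assumed layout: name (family-model-stepping:platform mask) old-new, in hex.
# Tolerates the '*' padding seen on this page and a '->' separator.
ENTRY = re.compile(
    r"^[\s*]*(?P<name>[^(]+?)[\s*]*"
    r"\((?P<sig>[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}):[0-9a-f]+\)"
    r"\s*(?P<old>[0-9a-f]+)->?(?P<new>[0-9a-f]+)", re.I)

def parse_release_note(text):
    """Map 'ff-mm-ss' signature -> (name, old_rev, new_rev)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m["sig"].lower()] = (m["name"], int(m["old"], 16), int(m["new"], 16))
    return entries

def read_cpuinfo(text):
    """Return (signature, running revision) for the first CPU in cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    parts = tuple(int(fields[k]) for k in ("cpu family", "model", "stepping"))
    return "%02x-%02x-%02x" % parts, int(fields["microcode"], 16)

def status(entries, sig, running):
    """Compare the running revision with the revision the release ships."""
    if sig not in entries:
        return "not in this release"
    name, _old, new = entries[sig]
    if running >= new:
        return "%s: running 0x%x, up to date" % (name, running)
    return "%s: running 0x%x, release ships 0x%x" % (name, running, new)

if __name__ == "__main__":
    print(status(parse_release_note(RELEASE_NOTE), *read_cpuinfo(SAMPLE_CPUINFO)))
```

On a Linux machine, pass the contents of /proc/cpuinfo to `read_cpuinfo` in place of the constructed sample.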