January 22nd 18, 12:24 AM posted to alt.comp.os.windows-10,alt.windows7.general
Paul[_32_]
GRC's Spectre and Meltdown testing software

Brian Gregory wrote:
> On 21/01/2018 21:49, Paul wrote:
>> Microsoft is *always* shipping Microcode. At the moment,
>> it's delivering what I would guess to be Nov 2017 or
>> so microcode. Not Jan 8, 2018 microcode. Linux has
>> already delivered Jan 8, 2018 microcode. The microcode
>> file, while called "Linux" on the Intel site, is actually
>> suitable for *any* OS. Since Intel delivers a copy to
>> Microsoft directly, no web site delivery is needed. But
>> for the 500 distros out there, Intel provides microcode
>> for download, so those people can pick it up.
>
> Then why is everyone saying we need to update our BIOSs?
>
> I'm pretty sure Steve himself said in the podcast that Microsoft hadn't
> updated the microcode in Windows for years.


*Microsoft* is saying, "if you want microcode now"
(if you're providing an AWS server for people to rent),
"you should get a new BIOS from your motherboard company".

People who run Cloud servers, have all installed BIOS
patches. Because that is the "belt and suspenders" answer.
They're doing their utmost at the moment, to avoid trouble.

For home users, the combination of "only 2013 or later processors
are patched", plus the Microsoft "we aren't delivering Jan.8
microcode right now", means that only a few people will
take the BIOS route. If you're running a server and renting
computer time to people, you should use a BIOS. Your machines
aren't going to be any more than three years old anyway.

But for the rest of us, from a percentage perspective,
only a very few will be able to follow the BIOS advice.
Even though I got Linux microcode when booting a
sample Linux install, my motherboard maker will not
be providing a new BIOS, so I cannot protect myself
when running Windows 10. At the moment...

My best Spectre patch-ment at the moment, is to be
running Firefox 57.0.4 or later. Make sure your
browsers are patched. Maybe 85% of computers, that's
what we'll be doing to protect them. Patching
at the application level, as best as possible.

If your motherboard company has a new BIOS for you,
and your CPU is not Broadwell or Haswell, then perhaps
a BIOS upgrade is possible. At the very least,
your motherboard should have a "forgiving" BIOS
upgrade process. Mine accepts a USB stick, and
the chip on my motherboard, can change the BIOS
even when no CPU is in the socket. Now, that's
an ideal form of non-brickable BIOS feature.
Too bad there's no new BIOS file for me to use :-(
As I have the hardware to do this risk free.

Other systems, there is more risk. A Gigabyte
dual BIOS user might be able to risk it,
as an example of another kind of protection
that can afford brickage under a few conditions.

On regular unadorned BIOS setups, if the microcode
somehow prevents the BIOS from running, you
can't inject the old BIOS any more. You need
a table-top flasher to fix that. While brickage
is not likely to happen, I feel it only
fair to describe what could happen. For example,
I could spill a cold beverage in the computer
while half-way through the flash, flip off
the power in the ensuing panic, and because
the BIOS flash is half completed, the computer
will never boot again.

At the very least, use a UPS if flashing the BIOS!!!
A laptop has a natural UPS, in the form of the
battery pack. If you flash a laptop, that's
your "power backup". A desktop has no protection,
unless you provide it externally (UPS).

Paul