# Intel Microcode Boot Loader



## Regeneration (Oct 24, 2018)

In early 2018, security researchers discovered several security vulnerabilities affecting all processors: Meltdown and Spectre. These vulnerabilities allow speculative execution side-channel attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754). While Meltdown was resolved with an OS patch, Spectre required a microcode update.

Since the microcode is stored and automatically loaded by the BIOS/UEFI, motherboard manufacturers are required to issue an update. However, manufacturers normally release firmware updates only for their newest products. Plenty of motherboards still remain vulnerable to this very day.

Intel Microcode Boot Loader is a workaround by ngohq.com for the microcode problem on Intel-based motherboards. It updates the microcode every time the system is booted. Based on Intel BIOS Implementation Test Suite (BITS), users no longer need to modify BIOS/UEFI ROMs to stay protected from security vulnerabilities, bugs and errata.

This solution requires a permanently plugged USB flash drive with at least 25MB (or similar device) and a BIOS/UEFI supporting boot from USB devices. Alternatively, advanced users can install it to a local drive on top of the System Reserved partition (see localdrive.txt for instructions).

*Instructions:*
1. Format a USB flash drive with FAT32 filesystem.
2. Extract the archive to the USB flash drive and run install.exe to make it bootable.
3. Enter the BIOS/UEFI, assign the USB flash drive as the 1st boot device and enable legacy boot mode.
4. The boot loader will regularly update the microcode and load the OS.

*Notes:*
* This release includes the latest ucodes for 404 Intel CPUs produced from 1996 to 2019.
* The ucodes are stored in the \boot\mcudb folder if you wish to update in the future.
* If you get 'Ucode not found' warning during installation, or plan to deploy on another PC, look for the correct ucode (by CPUID) in \boot\mcudb and copy it to \boot\mcu.

*Changes (v0.5.4):*
* Updated microcode database.

*Downloads:*
Intel Microcode Boot Loader | Mirror #1 | Mirror #2


----------



## qubit (Oct 24, 2018)

Wicked. I've got a 2700K on a now unsupported Asus UEFI mobo so this will come in handy.


----------



## Regeneration (Oct 24, 2018)

Release updated. Should boot to OS a lot faster now.


----------



## R-T-B (Oct 24, 2018)

Good idea for the few boards that require a different solution / don't have an updated bios (Intel comes to mind).  

I assume this could be adapted to load itself into the windows bootloader, actually, as I see it's using a full UEFI boot stack and Windows 10 at least makes a separate boot partition.  Is there any reason you aren't taking that approach as an alternative release?


----------



## agent_x007 (Oct 24, 2018)

Does this tool require permanent pendrive, because it loads code from it on every boot ?
Can it be exchanged for small FAT16/FAT32 partition, on IDE/MBR configured UEFI/BIOS ?


----------



## Regeneration (Oct 24, 2018)

R-T-B said:


> I assume this could be adapted to load itself into the windows bootloader, actually, as I see it's using a full UEFI boot stack and Windows 10 at least makes a separate boot partition.  Is there any reason you aren't taking that approach as an alternative release?





agent_x007 said:


> Does this tool require permanent pendrive, because it loads code from it on every boot ?
> Can it be exchanged for small FAT16/FAT32 partition, on IDE/MBR configured UEFI/BIOS ?



Yes. It requires a permanent pendrive. It can be exchanged for a small FAT boot partition, but that requires too much time to set up.

Altering the boot partition can make a mess in the drive numbering order and render the system unbootable. Especially with Microsoft pushing major updates every few months.

USB flash drives are extremely cheap now, boot time remains almost the same, and you don't have to worry about Windows overwriting the boot loader.


----------



## FireFox (Oct 24, 2018)

agent_x007 said:


> Does this tool require permanent pendrive, because it loads code from it on every boot ?





Regeneration said:


> this solution requires a permanently plugged USB flash drive with at least 25MB and BIOS/UEFI supporting boot from USB devices.


----------



## agent_x007 (Oct 24, 2018)

@Regeneration I meant it in case when PC has two drives : A hard drive without OS (no bootable partitions), and an SSD with OS. Can a bootable partition on HDD, be used to serve as replacement for USB Flash drive.

@Knoxx29 "They" said Clover EFI software "required pendrive" to work as well.
Guess what can you do with BDU


----------



## Regeneration (Oct 24, 2018)

agent_x007 said:


> @Regeneration I meant it in case when PC has two drives : A hard drive without OS (no bootable partitions), and an SSD with OS. Can a bootable partition on HDD, be used to serve as replacement for USB Flash drive.



Yes, but it must be on FAT32 partition.


----------



## agent_x007 (Oct 24, 2018)

Regeneration said:


> Yes, but it must be on FAT32 partition.


Awesome !
Since this method basically bypasses a USB boot limitation, can Pentium Pro support it using CompactFlash card and IDE adapter (I'm asking, because you mentioned this pack supports latest ucodes for CPUs from 1996) ?


----------



## Regeneration (Oct 24, 2018)

agent_x007 said:


> Awesome !
> Since this method basically bypasses a USB boot limitation, can Pentium Pro support it using CompactFlash card and IDE adapter ?



Yes. There's another workaround to boot USBs on unsupported BIOSes: Plop Boot Manager.

Pentium Pro from which year? CPUID 061x? there are 392 ucodes packed in this release. CPUs from 1996 to 2018.


----------



## agent_x007 (Oct 24, 2018)

Yes. I'm interested in later releases, specifically CPUID : 0617/0619.
FYI : I'm gathering info for now, I don't own a PPro... yet.


----------



## Regeneration (Oct 24, 2018)

In the \boot\mcudb folder, you'll find all ucodes by cpuid and version. If you plan on preparing the device for another PC, make sure to manually copy the ucode to \boot\mcu.


----------



## johnspack (Oct 24, 2018)

Any chance this can work with linux?  Or is it simply not needed?


----------



## Regeneration (Oct 24, 2018)

johnspack said:


> Any chance this can work with linux?  Or is it simply not needed?



Linux has microcode loader builtin, but this should work with any OS.


----------



## king of swag187 (Oct 24, 2018)

So in theory, if you had a Z170/Z270 board with a CFL CPU, with this loaded on a small thumb drive, no modded BIOS would be needed?
Same with Q65-Q67 and Z68?


----------



## Regeneration (Oct 24, 2018)

king of swag187 said:


> So in theory, if you had a Z170/Z270 board with a CFL CPU, with this loaded on a small thumb drive, no modded BIOS would be needed?
> Same with Q65-Q67 and Z68?



You must reach the boot process to load the microcode. It means the system must POST.

And by the way, thanks to @W1zzard for letting me share my creations with the TPU community.

Other tech sites ban me for some reason, and it's not like I'm posting shareware, adware, or malware. It's complete freeware and portable.

Just useful stuff that I work on to waste time. If I spend time on something, why not share it?


----------



## R-T-B (Oct 24, 2018)

Regeneration said:


> Other tech sites ban me for some reason



Wow.  Pretty lame of them.  Guess they can't be bothered to take 10 seconds to test something for malware / google who you are?


----------



## Regeneration (Oct 25, 2018)

Added a video to the 1st post to show off.

On 0:06, you can see the microcode gets updated.


----------



## GalaxyMaster_P (Oct 25, 2018)

I'm trying to make this work on a second ESP partition on my secondary drive, but I'm running into a problem. I've copied the contents of the archive to the partition, ran the install .exe successfully and marked the partition as bootable. I had to manually add an EFI boot entry because it wasn't detected automatically, but it seems to boot fine. The problem occurs when grub tries to load the microcode. For only a few frames 2 errors show on screen, after which I get a grub command line. The errors are:


```
error: can't find command `mcu_load`.
error: can't find command `drivemap`.
```

I had to record a slow-motion video in order to even read the errors. I don't think I installed wrongly, and I've tried again multiple times from scratch. Do you have any idea what the problem could be?


----------



## Regeneration (Oct 25, 2018)

GalaxyMaster_P said:


> I'm trying to make this work on a second ESP partition on my secondary drive, but I'm running into a problem. I've copied the contents of the archive to the partition, ran the install .exe successfully and marked the partition as bootable. I had to manually add an EFI boot entry because it wasn't detected automatically, but it seems to boot fine. The problem occurs when grub tries to load the microcode. For only a few frames 2 errors show on screen, after which I get a grub command line. The errors are:
>
> ...



GRUB fails to recognize the location of the modules. Are you using a FAT partition?

Try to adjust grub.cfg (set the correct root drive) according to the GRUB2 manual.

That's why I suggested using a $5 USB flash drive, GRUB can be difficult to configure.


----------



## GalaxyMaster_P (Oct 25, 2018)

Regeneration said:


> GRUB fails to recognize the location of the modules. Are you using a FAT partition?
> 
> Try to adjust grub.cfg (set the correct root drive) according to the GRUB2 manual.
> 
> That's why I suggested using a $5 USB flash drive, GRUB can be difficult to configure.


The partition is definitely formatted FAT32. I don't think editing the grub.cfg will help, since the mcu_load command happens before the root drive is set. Regardless I went and checked the available drives in the grub terminal, they were hd1 and hd2. I changed the grub.cfg to all possible combinations of those and none of them worked. I'm trying a USB flash drive now, will report back if it works or not.


----------



## Regeneration (Oct 25, 2018)

GalaxyMaster_P said:


> The partition is definitely formatted FAT32. I don't think editing the grub.cfg will help, since the mcu_load command happens before the root drive is set. Regardless I went and checked the available drives in the grub terminal, they were hd1 and hd2. I changed the grub.cfg to all possible combinations of those and none of them worked. I'm trying a USB flash drive now, will report back if it works or not.



First try booting without EFI, in legacy mode.


----------



## GalaxyMaster_P (Oct 25, 2018)

The USB flash drive did not work either, but that may be because of my stupid motherboard or user error. I created the drive according to the instructions in the OP, and once again my motherboard did not recognize it as a boot option. I manually created a boot entry once again and this time it simply refuses to boot from the USB at all. No error messages, nothing. Just reverts back to the second boot option. This suggests to me that it can't find the .efi file for some reason (I did double check the path I put in the boot entry).


Regeneration said:


> First try booting without EFI, in legacy mode.


I don't know how I would do that to be honest. If I select either the secondary drive or the USB flash drive to boot from in the bios (instead of the manually created EFI entries) it simply tells me there's no operating system detected.


----------



## Peter Lindgren (Oct 25, 2018)

Why not use UBU Tool to modify your BIOS. No need for boot from USB?

https://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html


----------



## Regeneration (Oct 25, 2018)

GalaxyMaster_P said:


> I don't know how I would do that to be honest. If I select either the secondary drive or the USB flash drive to boot from in the bios (instead of the manually created EFI entries) it simply tells me there's no operating system detected.



I've made a small adjustment to the package. Redownload.

Some motherboards refuse to boot to non-Microsoft EFI. Before you attempt to install the bootloader to the HDD, make sure it's working on USB.

Look for CSM option in the BIOS.


----------



## GalaxyMaster_P (Oct 25, 2018)

Regeneration said:


> I've made a small adjustment to the package. Redownload.
> 
> Some motherboards refuse to boot to non-Microsoft EFI. Before you attempt to install the bootloader to the HDD, make sure it's working on USB.
> 
> Look for CSM option in the BIOS.


I've redownloaded and reinstalled it onto the USB, same result as earlier (no efi boot option detected in bios, manual entry doesn't boot, legacy boot says missing operating system). CSM is enabled in the bios. I'll try with the HDD anyway now, will report back.



Regeneration said:


> I've made a small adjustment to the package. Redownload.
> 
> Some motherboards refuse to boot to non-Microsoft EFI. Before you attempt to install the bootloader to the HDD, make sure it's working on USB.
> 
> Look for CSM option in the BIOS.


I just tried it on the HDD, again same result as before. I can also confirm that my motherboard absolutely can boot non-Microsoft efi, because I'm currently using grub to dual-boot between windows 10 and manjaro linux.


----------



## agent_x007 (Oct 25, 2018)

Are you trying to EFI boot Windows from MBR drive ?
Because that needs Windows EFI boot files to work and a valid Windows installation (i.e. booting directly works).
Try to disable CSM, or set (U)EFI booting as preferred.


----------



## GalaxyMaster_P (Oct 25, 2018)

agent_x007 said:


> Are you trying to EFI boot Windows from MBR drive ?
> Because that needs Windows EFI boot files to work and a valid Windows installation (i.e. booting directly works).
> Try to disable CSM, or set (U)EFI booting as preferred.


AFAIK all my drives are GPT, I'm not sure about the flash drive I used (I think it was GPT as well, because I remember making it that a long time ago).



Peter Lindgren said:


> Why not use UBU Tool to modify your BIOS. No need for boot from USB?
> 
> https://www.win-raid.com/t154f16-Tool-Guide-News-quot-UEFI-BIOS-Updater-quot-UBU.html


Thank you for this. I've updated my bios with the latest microcode and everything is running fine. No more need for the microcode boot loader for me I suppose.


----------



## Regeneration (Oct 25, 2018)

Glad to hear you got it sorted. BIOS modding is preferred and permanent but not always possible.


----------



## noway (Nov 14, 2018)

1. Having trouble with Instruction #2, with this error message.  Is there a trick to this?

```
Installing Intel Microcode Boot Loader to G:\

Make sure G: is the right drive before proceeding.

Press CTRL+C or close this window to abort.

Press any key to continue . . .
The system cannot find the path specified.

Installation failed.

Please ensure the device isn't write-protected and try again.

Press any key to continue . . .
```




2. List of the 392 CPUs this works for?  I was thinking of upgrading my socket 775 CPU to Q9650 or QX9650 and would like to know if this works before I do.  Thanks.


----------



## Regeneration (Nov 14, 2018)

noway said:


> 1. Having trouble with Instruction #2, with this error message.  Is there a trick to this?
> 
> 2. List of the 392 CPUs this works for?  I was thinking of upgrading my socket 775 CPU to Q9650 or QX9650 and would like to know if this works before I do.  Thanks.



The error indicates the utility cannot detect a supported CPU.

Are you running it from a PC with an Intel CPU? If so, try using the latest version from this link. It should list the CPUID of the CPU installed in the system.

Q9650 and QX9650 are supported. On Core 2 series (and older), the system will remain vulnerable to Spectre, but it will address other vulnerabilities and bugs.


----------



## Meti (Nov 15, 2018)

I have a laptop with i5-450M (Arrandale). I got this at boot (wrong PlatformID):


----------
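The thread talks about picking a ucode file by CPUID and about a "wrong PlatformID" rejection; both values sit in the 48-byte header of an Intel microcode update, next to a checksum. The following is an added example (not part of the boot loader package or of any post here) that validates a file and tests it against a target CPU before it is copied to \boot\mcu. It assumes the header layout documented in the Intel SDM; the function names and the sample blob are constructed for illustration.

```python
import struct

HEADER = struct.Struct("<9I12x")          # 48-byte update header, little-endian
DEFAULT_DATA, DEFAULT_TOTAL = 2000, 2048  # sizes implied when the data-size field is 0


def parse_update(blob):
    """Validate one microcode update and return its header fields."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 48-byte header")
    (hdr_ver, revision, date, signature, _checksum, _loader_rev,
     proc_flags, data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1:
        raise ValueError("unknown header version %#x" % hdr_ver)
    if data_size == 0:
        data_size, total_size = DEFAULT_DATA, DEFAULT_TOTAL
    if (total_size % 4 or total_size < HEADER.size + data_size
            or total_size > len(blob)):
        raise ValueError("inconsistent size fields")
    # All 32-bit words of the update, checksum field included, must sum to 0.
    words = struct.unpack_from("<%dI" % (total_size // 4), blob)
    if sum(words) & 0xFFFFFFFF:
        raise ValueError("checksum mismatch")
    targets = [(signature, proc_flags)]
    # Optional extended signature table after the data: count, checksum,
    # 12 reserved bytes, then (signature, flags, checksum) entries.
    ext = HEADER.size + data_size
    if total_size >= ext + 20:
        (count,) = struct.unpack_from("<I", blob, ext)
        if ext + 20 + 12 * count > total_size:
            raise ValueError("extended signature table overruns the update")
        for i in range(count):
            sig, flags, _ = struct.unpack_from("<3I", blob, ext + 20 + 12 * i)
            targets.append((sig, flags))
    return {
        "revision": revision,
        # The date field is BCD, laid out as 0xMMDDYYYY.
        "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
        "targets": targets,
    }


def check(blob, cpuid_sig, platform_id):
    """Say whether a valid update applies to this CPUID and platform ID.

    platform_id is the 3-bit value from IA32_PLATFORM_ID (MSR 0x17, bits
    52:50); bit N of the update's processor-flags mask means platform N.
    """
    info = parse_update(blob)  # raises ValueError on a damaged file
    masks = [flags for sig, flags in info["targets"] if sig == cpuid_sig]
    if not masks:
        return "wrong CPUID"
    if not any(mask & (1 << platform_id) for mask in masks):
        return "wrong PlatformID"
    return "match"


def build_sample(signature, proc_flags, revision):
    """Constructed test blob: valid header, filler data, correct checksum."""
    data = (bytes(range(256)) * 8)[:DEFAULT_DATA]
    hdr = HEADER.pack(1, revision, 0x10242018, signature, 0, 1,
                      proc_flags, DEFAULT_DATA, DEFAULT_TOTAL)
    words = struct.unpack("<%dI" % (DEFAULT_TOTAL // 4), hdr + data)
    checksum = -sum(words) & 0xFFFFFFFF
    return hdr[:16] + struct.pack("<I", checksum) + hdr[20:] + data


if __name__ == "__main__":
    # Constructed sample: signature 0x206A7, platforms 1 and 4, revision 0x2F.
    sample = build_sample(0x000206A7, 0x12, 0x2F)
    print(parse_update(sample))
    for sig, pid in [(0x206A7, 1), (0x206A7, 0), (0x10676, 1)]:
        print("%#x platform %d: %s" % (sig, pid, check(sample, sig, pid)))
```

A file that fails the checksum or size checks should be discarded rather than placed in \boot\mcu, since the package is then no longer the update Intel published.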



## noway (Nov 15, 2018)

Regeneration said:


> The error indicates the utility cannot detect supported CPU.



OK thanks.  My current desktop CPU is very rare.  An Intel E8700, which was never commercially released.  

I also tried the utility on my laptop and got the same error message, which is a T4300 and pretty old too.  

I still may upgrade the E8700 to a Q9650 or QX9650.  Thanks for checking their compatibility.


----------



## Regeneration (Nov 15, 2018)

1. Try to use the microcode from this link, extract all files from \intel-ucode to \boot\mcu.

2. Try to copy all files from \boot\mcudb to \boot\mcu.


----------



## AJNexus (Nov 15, 2018)

I did the whole thing that is supposed to be done but when I try to check with InSpectre, it still says that I'm not protected against Spectre. I have an OptiPlex 780 DT  with a Xeon X3370 and I also added the extra microcode for this particular CPU. Any idea why InSpectre shows no Spectre protection?


----------



## Regeneration (Nov 17, 2018)

AJNexus said:


> I did the whole thing that is supposed to be done but when I try to check with InSpectre, it still says that I'm not protected against Spectre. I have an OptiPlex 780 DT  with a Xeon X3370 and I also added the extra microcode for this particular CPU. Any idea why InSpectre shows no Spectre protection?



So far, Intel released Spectre-fixed microcode for 1st generation Core i series (Nehalem) and newer.

The latest microcode for Core 2 series addresses other vulnerabilities and bugs.

Intel security team email is: secure@intel.com, if you wish to 'persuade' them to release a microcode.










On another note, the latest version includes instructions for advanced users regarding installation to a local drive on top of the System Reserved partition.


----------



## AJNexus (Nov 18, 2018)

Regeneration said:


> So far, Intel released Spectre-fixed microcode for 1st generation Core i series (Nehalem) and newer.
> 
> The latest microcode for Core 2 series addresses other vulnerabilities and bugs.
> 
> ...



I see but it just seemed a little weird that it still appeared as unprotected in the InSpectre app... Maybe its developer needs to update it with the latest Intel Microcode Update for Core 2 Family.

BTW I tried the method of yours regarding the installation to a local drive but this appeared. Any idea what's going on?


----------



## Regeneration (Nov 19, 2018)

AJNexus said:


> I see but it just seemed a little weird that it still appeared as unprotected in the InSpectre app... Maybe its developer needs to update it with the latest Intel Microcode Update for Core 2 Family.
> 
> BTW I tried the method of yours regarding the installation to a local drive but this appeared. Any idea what's going on?



You didn't read my reply.


----------



## AJNexus (Nov 19, 2018)

Sure I read your reply, I was talking about this https://www.grc.com/inspectre.htm
You didn't read the last part of my reply


----------



## Regeneration (Nov 19, 2018)

AJNexus said:


> Sure I read your reply, I was talking about this https://www.grc.com/inspectre.htm
> You didn't read the last part of my reply



Intel Core 2 family never received a microcode update for Spectre from Intel. Even with the boot loader, the system will remain vulnerable at InSpectre.

The 'access denied' error is a result of insufficient permission. You need to login to recovery console with a user that has administrative privileges.

In addition, the FAT32 partition must be on the 1st drive in the beginning of the drive. If it cannot be achieved, syslinux.cfg must include its location (append root=/dev/sdXY).


----------



## AJNexus (Nov 19, 2018)

Regeneration said:


> Intel Core 2 family never received a microcode update for Spectre from Intel. Even with the boot loader, the system will remain vulnerable at InSpectre.
> 
> The 'access denied' error is a result of insufficient permission. You need to login to recovery console with a user that has administrative privileges.
> 
> In addition, the FAT32 partition must be on the 1st drive in the beginning of the drive. If it cannot be achieved, syslinux.cfg must include its location (append root=/dev/sdXY).



Actually I'm aware that Intel didn't bother to patch LGA775 for Spectre but I thought that the bootloader would trick the InSpectre... 

Thanks for the hints that you provided tho 
I scattered the whole web before asking here 

So basically what vulnerabilities in particular does the bootloader cover?


----------



## Regeneration (Nov 19, 2018)

AJNexus said:


> Actually I'm aware that Intel didn't bother to patch LGA775 for Spectre but I thought that the bootloader would trick the InSpectre...
> 
> Thanks for the hints that you provided tho
> I scattered the whole web before asking here
> ...



For your specific CPU, it will update the microcode to version A0E and fix some hardware bugs.


----------



## SoNic67 (Nov 19, 2018)

Peter Lindgren said:


> Why not use UBU Tool to modify your BIOS. No need for boot from USB?


1. Because not all BIOS are AMI compliant. Dell, HP, IBM...
2. Because you are changing the boot with a Russian-developed tool. I don't know what is scarier - the possibility of Meltdown/Spectre or not knowing what gets really added in your BIOS.


----------



## AJNexus (Nov 20, 2018)

Regeneration said:


> For your specific CPU, it will update the microcode to version A0E and fix some hardware bugs.



That's great but should I expect further updates in the future regarding microcode?


----------



## Regeneration (Nov 20, 2018)

AJNexus said:


> That's great but should I expect further updates in the future regarding microcode?



We can never know for sure.


----------



## techi (Nov 20, 2018)

Could Intel Core 2 Duo T5250 not be vulnerable to Spectre? Can Intel Microcode Boot Loader help?


----------



## erpguy53 (Nov 21, 2018)

AJNexus said:


> Actually I'm aware that Intel didn't bother to patch LGA775 for Spectre but I thought that the bootloader would trick the InSpectre...



that's because Inspectre checks the bios directly for the updated microcode; the bootloader can't "fool" it

plus some of the info on the web site for InSpectre is not up to date as its developer was not aware of the KB4100347 update for Windows 10 version 1803.   try contacting the developer.


----------



## Ludwig von Ay (Dec 8, 2018)

Is the microcode update for my CPU stored on the pendrive or will it be downloaded when booting? If stored on the pendrive, will it be updated automatically? Will the tool be updated?


----------



## Regeneration (Dec 8, 2018)

Ludwig von Ay said:


> Is the microcode update for my CPU stored on the pendrive or will it be downloaded when booting? If stored on the pendrive, will it be updated automatically? Will the tool be updated?



Stored on the pendrive, and the database will be updated from time to time.


----------



## R-T-B (Dec 8, 2018)

SoNic67 said:


> Because you are changing the boot with a Russian-developed tool.



I mean, I've looked at the script files in UBU and hex output from UBU and it does what it says and nothing more.  There is no reason to fear that tool solely for being Russian.  It utilizes UEFITool and AMITool for the injections (which are both made in the west if you're a russophobe) and there is absolutely nothing nefarious there.

Being afraid of something because a Russian made it is silly.  Anyone can make bad software.  You should be criticizing people for using any tool without a reputable coder or (better) a source audit, not for using a "scary Russian" tool.  That tool is at least open in that it's literally a batch script wrapper for other open source utilities.  It can be audited.  It has been (by my person, at minimum).  It is harmless.

If you want to know something scary, it's that the forum you have to download it from (win-raid) seems to be using a reversible hash on passwords, and other bad practices.


----------



## Ludwig von Ay (Dec 8, 2018)

Regeneration said:


> Stored on the pendrive, and the database will be updated from time to time.


Thank you Regeneration.

I created the pendrive, modified BIOS setup and booted from the stick. Before Windows I could see some text, but it was too fast to read. A small logfile on the pendrive would be nice, containing the last bootloader screen. Or "press any key to continue...". Maybe the latter could be switched on/off in a config file on the stick?

Regards, LvA


----------



## Aquinus (Dec 8, 2018)

Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.


----------



## R-T-B (Dec 8, 2018)

Aquinus said:


> Out of curiosity, is there a problem with the microcode that ships with most OS' people run?



Yes.  Spectre primarily.  MS doesn't put out code for x58.


----------



## Honest Abe (Dec 8, 2018)

Aquinus said:


> Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.


I'm not sure why anyone with a gaming pc would bother since it just will likely slow you down for no reason since the chance of anyone actually using these exploits against some random gamer is like 00.1% Like any hacker cares about your "sensitive" files.


----------



## Regeneration (Dec 9, 2018)

Aquinus said:


> Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.



Microcode is a firmware for the CPU. It corrects HW bugs (errata) and security vulnerabilities. It is embedded with the BIOS/UEFI.

Linux automatically updates the microcode during boot.

Windows doesn't update the microcode unless Microsoft issues a patch for your CPU.

So far, Microsoft released an update for Windows 10 and Sandy Bridge and newer.


----------



## Aquinus (Dec 9, 2018)

Regeneration said:


> Microcode is a firmware for the CPU. It corrects HW bugs (errata) and security vulnerabilities. It is embedded with the BIOS/UEFI.
> 
> Linux automatically updates the microcode during boot.
> 
> ...


So, if it's handled when the OS boots, why do I need this and why should I care?


----------



## Regeneration (Dec 9, 2018)

Aquinus said:


> So, if it's handled when the OS boots, why do I need this and why should I care?



It is not handled by all OSes and you should care for both stability and security reasons.

Best thing to do is to check from within the OS, the last microcode revision for your CPU is 0x714.


----------



## R-T-B (Dec 9, 2018)

Honest Abe said:


> Like any hacker cares about your "sensitive" files.



There are people who do care, since sensitive includes financial stuff.  Spectre isn't really ideal for that, but that being said, that's not the point of this thread nor the topic.



Aquinus said:


> So, if it's handled when the OS boots, why do I need this and why should I care?



X58 has microcode that MS doesn't handle.


----------



## Ludwig von Ay (Dec 9, 2018)

Honest Abe said:


> I'm not sure why anyone with a gaming pc would bother since it just will likely slow you down ...


I'm not sure if you can imagine there are some people out there who don't waste their time gaming but use their pc for useful things... They won't care about some microseconds I think.


----------



## Aquinus (Dec 9, 2018)

Regeneration said:


> It is not handled by all OSes and you should care for both stability and security reasons.
> 
> Best thing to do is to check from within the OS, the last microcode revision for your CPU is 0x714.


First of all, none of these fixes have anything to do with stability. I personally stopped using Windows 10 a couple years ago, but even then I was still getting microcode updates and with Ubuntu it's a non-issue. Would you care to enlighten me which OS don't provide microcode updates, because at least Windows 10 does and Linux has for a very long time.

```
jdoane@Kratos:~$ cat /proc/cpuinfo | grep microcode | head -n1
microcode    : 0x714
```



R-T-B said:


> X58 has microcode that MS doesn't handle.


...and are you surprised for a platform that's a decade old? Although I bet that Intel is probably still updating Linux firmware for those CPUs which means that Microsoft just doesn't want to ship them for one reason or another. Perhaps there is a reason for it beyond just being dated hardware?

All of this is fine and dandy, but none of this changes the fact that we still haven't seen a real situation where spectre has been used as a vector for attack. So why are we bending over backwards to close a hole that isn't even realistic to exploit to do something useful (or malicious)? I said this after I read the whitepaper for the proof-of-concept proving that spectre is indeed an exploit. It literally just managed to grab some information at a very slow rate and that any change in system state could actually change the data you're trying to read. As a software engineer, I would be extremely surprised if someone manages to use this exploit to do much of anything. It's part of the reason that I use these flags on boot:

```
pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier
```
The reality is that unless you're planning on running a multi-tenant server, almost none of this stuff helps us and only serves to hurt performance. ...and even in the case where it could be useful, we don't even have a single use case where the exploit has been usefully exploited.

So, pardon my skepticism, but I think that a lot of these exploits coming up have been hyped up far more than they should have. The reality is that almost no one would notice the difference. Just saying.


Ludwig von Ay said:


> They won't care about some microseconds I think.


It can be a lot more than microseconds and often is measurable in benchmarks beyond variation introduced by error and chaos.

Honestly, there was a lot of backlash for the performance hit of the latest "hardening" patches to the Linux kernel. So bad that it ended up getting yanked out of the kernel until it could be done in a way that doesn't cripple performance.
https://www.phoronix.com/scan.php?page=article&item=linux-420-stibp&num=1


----------



## R-T-B (Dec 9, 2018)

Aquinus said:


> Would you care to enlighten me which OS don't provide microcode updates, because at least Windows 10 does and Linux has for a very long time.



Am I on your ignore list or something?

Sandy bridge is the cutoff date for MS updates.  X58 is an example case.

EDIT:



Aquinus said:


> and are you surprised for a platform that's a decade old?



No, but it IS a use case and you are wanting use cases presumably.

Glad to have caught this, indicates I was wrong about being ignored.  Apologies.



Aquinus said:


> Perhaps there is a reason for it beyond just being dated hardware?



Honestly, doubtful.  I have an X58 server running it fine.



Aquinus said:


> pti=off



Your criticisms of Spectre as a bug are valid, however, doesn't this open you to the much worse meltdown situation?


----------



## Aquinus (Dec 9, 2018)

R-T-B said:


> Your criticisms of Spectre as a bug are valid, however, doesn't this open you to the much worse meltdown situation?


I trust the code running on my machine, so I don't feel that it's an important enough mitigation to keep turned on for my use case on this particular machine. This isn't a decision I would make for _any_ machine but, in this case I feel it's okay for this machine. I might change my mind about that assessment should I start letting other people (like the family,) use this computer, but right now I'm the sole user and I make every decision as to its operation and what runs on it.

With that said, my criticism really is mainly restricted to spectre variant mitigations.


----------



## erpguy53 (Mar 19, 2019)

I wonder if OP's Intel Microcode Boot Loader includes the newer "spectre" fixes from Intel security bulletin SA-00115 (CVE-2018-3639 & CVE-2018-3640):
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

*THAT'S* the one that concerns me the most. If the boot loader software does not have updated microcode for INTEL-SA-00115, then I'll pass and just apply any BIOS update that includes the fixes for CVE-2018-3639 & CVE-2018-3640.


----------



## Regeneration (Mar 20, 2019)

erpguy53 said:


> I wonder if OP's Intel Microcode Boot Loader includes the newer "spectre" fixes from Intel security bulletin SA-00115 (CVE-2018-3639 & CVE-2018-3640):
> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
> 
> *THAT'S* the one that concerns me the most. If the boot loader software does not have updated microcode for INTEL-SA-00115, then I'll pass and just apply any BIOS update that includes the fixes for CVE-2018-3639 & CVE-2018-3640.



Yes, it includes the latest microcode from Intel, including Spectre variants 3a and 4, for qualified processors (see this list).


----------



## steen (Mar 20, 2019)

R-T-B said:


> Sandy Bridge is the cutoff date for MS updates. X58 is an example case.



That's not correct. NHM & WSM also get OS ucode updates.

Aside: I just had an interesting problem with an 1156 system with Win10 1809. Spectre mitigations would not enable with all Win10 patches in place. Even tried KB4465065. The problem was an incorrect BIOS ucode on an Acer/Emachines motherboard. The Clarkdale cpuid: 20655 had BIOS ucode rev14 dated 2010 which isn't possible. The latest for 20655 is 7, so on bootstrap the CPU didn't accept the latest OS rev6 (KB4465065=rev7) that enables Spectre mitigation. The solution was to edit the BIOS, delete the wrong ucode & patch to a correct 20655 revision. OS now loads newer patches correctly. This gives an interesting attack vector.
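
An added example, not part of the post above: a Python check for the condition the post describes, where the revision the CPU reports is higher than every update that exists for its CPUID. It parses the 48-byte Intel microcode update header and verifies the dword checksum; the revision numbers 6, 7 and 14 are taken from the post, while the sample files, their dates and the function names are constructed, and extended signature tables and platform-flag matching are left out.

```python
import struct

HEADER = struct.Struct("<9I12x")  # 48-byte Intel microcode update header


def parse_ucode(blob):
    """Parse one update; return the header fields and the checksum result."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 48-byte header")
    (hdr_ver, rev, date, sig, _cksum, _loader,
     flags, _data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1:
        raise ValueError("unexpected header version")
    total = total_size or 2048  # zero means the legacy fixed size
    if total % 4 or len(blob) < total:
        raise ValueError("truncated or misaligned update")
    dwords = struct.unpack_from("<%dI" % (total // 4), blob)
    return {
        "cpuid": sig, "revision": rev, "platform_flags": flags,
        # the date field is BCD, laid out as mmddyyyy
        "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
        "checksum_ok": (sum(dwords) & 0xFFFFFFFF) == 0,  # dwords must sum to 0
    }


def assess(cpuid, running_rev, updates):
    """Compare the revision the CPU reports with the valid updates for its CPUID."""
    revs = [u["revision"] for u in updates
            if u["cpuid"] == cpuid and u["checksum_ok"]]
    if not revs:
        return "no-update-for-cpuid"
    if running_rev > max(revs):
        return "anomalous"  # running revision is above every known update
    return "current" if running_rev == max(revs) else "outdated"


def build_sample(cpuid, rev, date_bcd):
    """Constructed stand-in for a ucode file: real header layout, zeroed data."""
    body = HEADER.pack(1, rev, date_bcd, cpuid, 0, 1, 0x12, 2000, 2048) + bytes(2000)
    fix = -sum(struct.unpack("<512I", body)) & 0xFFFFFFFF
    return body[:16] + struct.pack("<I", fix) + body[20:]


if __name__ == "__main__":
    # Revisions 6, 7 and the reported 14 are from the post; dates are constructed.
    files = [build_sample(0x20655, 6, 0x01152013), build_sample(0x20655, 7, 0x04232018)]
    parsed = [parse_ucode(f) for f in files]
    for u in parsed:
        print(u)
    print(assess(0x20655, 14, parsed))
```

On Linux the running revision to pass in is the `microcode` field of /proc/cpuinfo.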


----------



## R-T-B (Mar 21, 2019)

steen said:


> That's not correct. NHM & WSM also get OS ucode updates.



Not that I've seen.  My brother runs an up to date X58 system.  No ucode updates via MS to date.


----------



## erpguy53 (Mar 21, 2019)

Regeneration said:


> Yes, it includes the latest microcode from Intel, including Spectre variants 3a and 4, for qualified processors (see this list).



ah that's good.

I got confused because Intel SA-00115 (CVE-2018-3639 & CVE-2018-3640) were not mentioned in your documentation (on your web site) and Readme files for the latest version of your microcode boot loader software. You should add them.


----------



## xerces8 (May 19, 2019)

Is this based on biosbits.org ?

And therefore does not work in UEFI mode?

UEFI is more and more common these days. My system runs on it...

Regards,
David


----------



## Regeneration (May 19, 2019)

xerces8 said:


> Is this based on biosbits.org ?
> 
> And therefore does not work in UEFI mode?
> 
> ...



Yes. Most UEFI systems still get updates from the manufacturer. And besides, you can always enable legacy booting.


----------



## xerces8 (May 22, 2019)

Regeneration said:


> Most UEFI systems still get updates from the manufacturer.


Lenovo Yoga 500-14IBD released in early 2016 got the latest BIOS update in August 2016.
My Medion P530D from 2012 had the last update in ... 2012.

There are a lot of (UEFI) systems that get no updates.


----------



## Regeneration (May 22, 2019)

xerces8 said:


> Lenovo Yoga 500-14IBD released in early 2016 got the latest BIOS update in August 2016.
> My Medion P530D from 2012 had the last update in ... 2012.
> 
> There are a lot of (UEFI) systems that get no updates.



You can still run it via CSM / legacy boot.


----------



## xerces8 (May 23, 2019)

Of course.
But:
 - you have to reinstall the OS (in legacy mode)
 - you lose SecureBoot
 - you lose GPT (a problem especially if the primary HDD is over 2TB)


----------



## Regeneration (Aug 20, 2019)

A new version is now available with updated microcode database.


----------



## Ludwig von Ay (Aug 20, 2019)

Hi Regeneration,

nothing else changed? So we just have to copy the database files to the stick?

Regards, Ludwig


----------



## Regeneration (Aug 20, 2019)

Ludwig von Ay said:


> Hi Regeneration,
> 
> nothing else changed? So we just have to copy the database files to the stick?
> 
> Regards, Ludwig



Yes.


----------



## John Naylor (Aug 21, 2019)

Regeneration said:


> In early 2018, security researchers discovered several security vulnerabilities affecting all processors: Meltdown and Spectre.



Has there yet been any documented instance of anyone being negatively affected by Spectre / Meltdown who has ignored all the patches and workarounds?


----------



## agent_x007 (Aug 21, 2019)

Both in BIOS/UEFI and Windows Update ?


----------



## xerces8 (Dec 15, 2019)

Windows update only has microcode updates in Windows 10. Many people (around 50%) still use older Windows.

A working solution for UEFI systems:
 - boot Intel BITS (in BIOS legacy mode)
 - there update the CPU microcode
 - chainload Clover EFI bootloader (BITS is grub2, so it is easy)
 - from there boot your EFI Windows (or other OS)

Clover can start in legacy mode and then switch to UEFI mode; this makes this trick work.


----------



## powered _by_Trex (Mar 12, 2021)

Sorry for the late bump.. but I could use your wise bits about using Intel Microcode Boot Loader.

What I have accomplished so far:
Made a bootable USB, copied the folder contents, ran the IMBL program and it installs successfully.

*Device to be run on:* Prehistoric laptop from 2007-2008.
Fujitsu Siemens Amilo Pi 2530
BIOS type: Phoenix BIOS

When I try and run it on the laptop it goes into grub recovery with the error below.
The error is _/boot/grub/i386-pc/normal.mod normal.mod not found._

(hd0,msdos1) This is where the boot (MBR) is installed (boot only, OS files are on another partition).

When I run the _ls_ command all the other partitions give this error: _Error: unknown filesystem._
The OS is installed on (hd0,msdos2) ---> _Error: unknown filesystem._
(hd0,msdos3) ---> _Error: unknown filesystem._
(hd0,msdos5) ---> _Error: unknown filesystem._

PS:
UBU won't work on that machine so can't run that.


----------



## Regeneration (Mar 12, 2021)

powered _by_Trex said:


> Sorry for the late bump.. but I could use your wise bits about using Intel Microcode Boot Loader.
> 
> What I have accomplished so far:
> Made a bootable usb - copied the folder contents -ran the IMBL program and it installs successfully.
> ...


Your system must have a special recovery partition as the 1st partition. That's probably the problem.


----------



## ThrashZone (Mar 12, 2021)

John Naylor said:


> Has there yet been any documented instance of anyone being negatively affected by Spectre / Meltdown who has ignored all the patches and workarounds?


Hi,
Necro time lol 

No not in the least bit win-7 daily on four machines disable with Inspectre on all windows systems even 10 systems for any performance killing crap although I don't use 10 for much other than benchmarks.

GRC | InSpectre


----------



## powered _by_Trex (Mar 12, 2021)

Regeneration said:


> Your system must have a special recovery partition as the 1st partition. That's probably the problem.


Thanks for the quick reply, yes it does have a separate recovery partition. Should I try the HD install method or is there a work around with USB?

*Edit*
Made some progress..
All errors have disappeared and when it boots it now boots to the grub prompt, not the grub recovery prompt.
When I type Exit it boots into Windows.

My question is .. does it actually load the cpu microcode when I type exit and loads windows like that?


----------



## Regeneration (Mar 12, 2021)

powered _by_Trex said:


> Thanks for the quick reply, yes it does have a separate recovery partition. Should I try the HD install method or is there a work around with USB?
> 
> *Edit*
> Made some progress..
> ...


Check the BIOS settings for hard drive order and set the USB HDD as 1st boot and drive. Sometimes there are several options.

Your hard drive might have non-standard partition layout. Some vendors have unique partition with OS installation files.


----------



## powered _by_Trex (Mar 12, 2021)

The boot order is set and there seems to be a mess in the partitions.

(hd0,msdos1) has the boot loader
(hd0,msdos2) has a bootloader as well (just in case hehehe) and OS.

I'm trying these commands in grub but it won't budge:

```
set prefix=(hd0,msdos1)/boot/grub
set root=(hd0,msdos1)
insmod normal
normal
```

also tried

```
set prefix=(hd0,msdos2)/boot/grub
set root=(hd0,msdos2)
insmod normal
normal
```

*Edit*

NVM. Solved it!!
The USB method wasn't working so I opted to do it the localdrive method. Followed the instructions included in the zip and now it works like a charm.
Updated the microcode to the latest 2021 version in \boot\mcu.

Thanks for the support and for this great tool.


----------



## Ludwig von Ay (Mar 13, 2021)

> Updated the microcode to the latest *2021* version



The latest version from REGENERATION's website NGOHQ.COM or the mirror servers is 0.5.4 - November 26, *2019*!


----------



## Regeneration (Mar 13, 2021)

Ludwig von Ay said:


> The latest version from REGENERATION's website NGOHQ.COM or the mirror servers is 0.5.4 - November 26, *2019*!


You can update the microcode files manually.

There are repositories online. Like this one.

Just place the latest ucode for your CPU in \boot\mcu.


----------



## Ludwig von Ay (Mar 13, 2021)

Thank you Regeneration. I didn't know about those repositories.

I'll try to find the matching ucode later when I get access to that computer.


----------



## Ascii2 (Sep 2, 2021)

@Regeneration - Thanks for your tool described in this thread.  I look forward to trying it soon.

Does your Intel Microcode Boot Loader solution allow for updated microcode after hibernation or sleep/standby? For sleep/standby, my understanding is that states S2, S3, and S4 turn off the CPU.

I installed Intel Microcode Boot Loader 0.5.4 onto a 128 MB USB 2.0 flash drive with a FAT32 filesystem-formatted partition and connected it to one of my computer's motherboard USB 2.0 ports.  The motherboard is a Gigabyte P55-USB3 Revision 2.0 motherboard (see https://www.gigabyte.com/Motherboard/GA-P55-USB3-rev-20 for motherboard product page) and the CPU is an Intel Core i7-870 processor (CPUID: 106E5).  The motherboard uses BIOS and not UEFI.  I have five hard disks connected; each uses a SATA interface and has a single partition that is of Primary partition type that is formatted to NTFS filesystem.  I believe that the operating system that I wish to usually boot, Windows XP Professional with Service Pack 3, after microcode load, is installed to the third connected SATA hard disk's partition.

After setting the flash drive with Intel Microcode Boot Loader 0.5.4 to boot first, the drive was able to boot, but seemed to not do what it was supposed to do afterwards.  The screen text was as follows, with the first "..." omission indicator being mine (the second one is actually real output):


> SYSLINUX 6.03 EDD...
> Loading /boot/grub/lnxcore.img... ok
> 
> Welcome to GRUB!
> ...



Upon getting the error, it was not clear to me how to fix the problem.  I am unfamiliar with grub or Linux other than Android.

What must be done to get Intel Microcode Boot Loader 0.5.4 to function properly and have microcode reliably updated and operating system loaded?
I was also wondering, how does Intel Microcode Boot Loader 0.5.4 determine what to boot on computers that have many operating systems installed?


----------

