Intel Microcode Boot Loader

[R-T-B]

Because you are changing the boot with a russian-developed tool.

I mean, I've looked at the script files in UBU and hex output from UBU and it does what it says and nothing more. There is no reason to fear that tool solely for being Russian. It utilizes UEFITool and AMITool for the injections (which are both made in the west if you're a rusophobe) and there is absolutely nothing nefarious there.

Being afraid of something because a russian made it is silly. Anyone can make bad software. You should be critisizing people for using any tool without a reputable coder or (better) a source audit, not for using a "scary russian" tool. That tool is at least open in that it's literally a batch script wrapper for other open source utilities. It can be audited. It has been (by my person, at minimum). It is harmless.

If you want to know something scary, it's that the forum you have to download it from (win-raid) seems to be using a reversible hash on passwords, and other bad practices.

 

[Ludwig von Ay]

Stored on the pendrive, and the database will be updated time to time.

Thank you Regeneration.

I created the pendrive, modified BIOS setup and booted from the stick. Before Windows I could see some text, but it was too fast to read. A small logfile on the pendrive would be nice, containing the last bootloader screen. Or "press any key to continue...". Maybe the latter could be switched on/off in a config file on the stick?

Regards, LvA

 

[Aquinus]

Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.

 

[R-T-B]

Out of curiosity, is there a problem with the microcode that ships with most OS' people run?

Yes. Spectre primarily. MS doesn't put out code for x58.

 

[Honest Abe]

Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.

I'm not sure why anyone with a gaming pc would bother since it just will likely slow you down for no reason since the chance of anyone actaully using these exploits against some random gamer is like 00.1% Like any hacker cares about your "sensitive" files.

 

[Regeneration]

Out of curiosity, is there a problem with the microcode that ships with most OS' people run? I mean my P9X79 Deluxe doesn't have these updates, but it doesn't have to if newer firmware is loaded the moment that the OS starts. So, I guess I don't really get the point of a tool like this. It's not also like there are all of these spectre exploits we need to protect ourselves from. This kind of feels like snake oil.

Microcode is a firmware for the CPU. It corrects HW bugs (erratas) and security vulnerabilities. It is embedded with the BIOS/UEFI.

Linux automatically updates the microcode during boot.

Windows doesn't update the microcode unless Microsoft issues a patch for your CPU.

So far, Microsoft released an update for Windows 10 and Sandy Bridge and newer.

 

[Aquinus]

Microcode is a firmware for the CPU. It corrects HW bugs (erratas) and security vulnerabilities. It is embedded with the BIOS/UEFI.

Linux automatically updates the microcode during boot.

Windows doesn't update the microcode unless Microsoft issues a patch for your CPU.

So far, Microsoft released an update for Windows 10 and Sandy Bridge and newer.

So, if it's handled when the OS boots, why do I need this and why should I care?

 

[Regeneration]

So, if it's handled when the OS boots, why do I need this and why should I care?

It is not handled by all OSes and you should care for both stability and security reasons.

Best thing to do is to check from within the OS, the last microcode revision for your CPU is 0x714.

 

[R-T-B]

Like any hacker cares about your "sensitive" files.

There are people who do care, since sensitive includes financial stuff. Spectre isn't really ideal for that, but that being said, that's not the point of this thread nor the topic.

So, if it's handled when the OS boots, why do I need this and why should I care?

X58 has microcode that MS doesn't handle.

 

[Ludwig von Ay]

I'm not sure why anyone with a gaming pc would bother since it just will likely slow you down ...

I'm not shure if you can imagine there are some people out there who don't waste their time gaming but use their pc for useful things... They won't care about some microseconds I think.

 

[Aquinus]

It is not handled by all OSes and you should care for both stability and security reasons.

Best thing to do is to check from within the OS, the last microcode revision for your CPU is 0x714.

First of all, none of these fixes have anything to do with stability. I personally stopped using Windows 10 a couple years ago, but even then I was still getting microcode updates and with Ubuntu it's a non-issue. Would you care to enlighten me which OS don't provide microcode updates, because at least Windows 10 does and Linux has for a very long time.

jdoane@Kratos:~$ cat /proc/cpuinfo | grep microcode | head -n1
microcode    : 0x714

X58 has microcode that MS doesn't handle.

...and are you surprised for a platform that's a decade old? Although I bet that Intel is probably still updating Linux firmware for those CPUs which means that Microsoft just doesn't want to ship them for one reason or another. Perhaps there is a reason for it beyond just being dated hardware?

All of this is fine and dandy, but none of this changes the fact that we still haven't seen a real situation where spectre has been used as a vector for attack. So why are we bending over backwards to close a hole that isn't even realistic to exploit to do something useful (or malicious)? I said this after I read the whitepaper for the proof-of-concept proving that spectre is indeed an exploit. It literally just managed to grab some information at a very slow rate and that any change in system state could actually change the data you're trying to read. As a software engineer, I would be extremely surprised if someone manages to use this exploit to do much of anything. It's part of the reason that I use these flags on boot:

pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier

The reality is that unless you're planning on running a multi-tenant server, almost none of this stuff helps us and only serves to hurt performance. ...and even in the case where it could be useful, we don't even have a single use case where the exploit has been usefully exploited.

So, pardon my skepticism, but I think that a lot of these exploits coming up have been hyped up far more than they should have. The reality is that almost no one would notice the difference. Just saying.

They won't care about some microseconds I think.

It can be a lot more than microseconds and often is measurable in benchmarks beyond variation introduced by error and chaos.

Honestly, there was a lot of backlash for the performance hit of the latest "hardening" patches to the Linux kernel. So bad that it ended up getting yanked out of the kernel until it could be done in a way that doesn't cripple performance.
https://www.phoronix.com/scan.php?page=article&item=linux-420-stibp&num=1

 

[R-T-B]

Would you care to enlighten me which OS don't provide microcode updates, because at least Windows 10 does and Linux has for a very long time.

Am I on your ignore list or something?

Sandy bridge is the cutoff date for MS updates. X58 is an example case.

EDIT:

and are you surprised for a platform that's a decade old?

No, but it IS a use case and you are wanting use cases presumably.

Glad to have caught this, indicates I was wrong about being ignored. Apologies.

Perhaps there is a reason for it beyond just being dated hardware?

Honestly, doubtful. I have an X58 server running it fine.

pti=off

Your criticisms of Spectre as a bug are valid, however, doesn't this open you to the much worse meltdown situation?

 

[Aquinus]

Your criticisms of Spectre as a bug are valid, however, doesn't this open you to the much worse meltdown situation?

I trust the code running on my machine, so I don't feel that it's an important enough mitigation to keep turned on for my use case on this particular machine. This isn't a decision I would make for any machine but, in this case I feel it's okay for this machine. I might change my mind about that assessment should I start letting other people (like the family,) use this computer, but right now I'm the sole user and I make every decision as to its operation and what runs on it.

With that said, my criticism really is mainly restricted to spectre variant mitigations.

 

[erpguy53]

I wonder if OP's Intel Microcode Boot Loader includes the newer "spectre" fixes from Intel security bulletin SA-00115 (CVE-2018-3639 & CVE-2018-3640):
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

THAT'S the one that concerns me the most. if the boot loader software does not have updated microcode for INTEL-SA-00115, then I'll pass and just apply any bios update that includes the fixes for CVE-2018-3639 & CVE-2018-3640

 

[Regeneration]

I wonder if OP's Intel Microcode Boot Loader includes the newer "spectre" fixes from Intel security bulletin SA-00115 (CVE-2018-3639 & CVE-2018-3640):
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

THAT'S the one that concerns me the most. if the boot loader software does not have updated microcode for INTEL-SA-00115, then I'll pass and just apply any bios update that includes the fixes for CVE-2018-3639 & CVE-2018-3640

Yes, it includes the latest microcode from Intel, including Spectre variants 3a and 4, for qualified processors (see this list).

 

[steen]

Sandy bridge is the cutoff date for MS updates. X58 is an example case.

That's not correct. NHM & WSM also get OS ucode updates.

Aside: I just had an interesting problem with an 1156 system with Win10 1809. Spectre mitigations would not enable with all Win10 patches in place. Even tried KB4465065. The problem was an incorrect BIOS ucode on an Acer/Emachines motherboard. The Clarkdale cpuid: 20655 had BIOS ucode rev14 dated 2010 which isn't possible. The latest for 20655 is 7, so on bootstrap the CPU didn't accept the latest OS rev6 (KB4465065=rev7) that enables Spectre mitigation. The solution was to edit the BIOS, delete the wrong ucode & patch to a correct 20655 revision. OS now loads newer patches correctly. This gives an interesting attack vector.

 

[R-T-B]

That's not correct. NHM & WSM also get OS ucode updates.

Not that I've seen. My brother runs an up to date X58 system. No ucode updates via MS to date.

 

[erpguy53]

Yes, it includes the latest microcode from Intel, including Spectre variants 3a and 4, for qualified processors (see this list).

ah that's good.

I got confused because Intel SA-00115 (CVE-2018-3639 & CVE-2018-3640) were not mentioned in your documentation (on your web site) and Readme files for the latest version your microcode boot loader software. you should add them

 

[xerces8]

Is this based on biosbits.org ?

And therefore does not work in UEFI mode?

UEFI is more and more common these days. My system runs on it...

Regards,
David

 

[Regeneration]

Is this based on biosbits.org ?

And therefore does not work in UEFI mode?

UEFI is more and more common these days. My system runs on it...

Regards,
David

Yes. Most UEFI systems still get updates from the manufacturer. And besides, you can always enable legacy booting.

 

[xerces8]

Most UEFI systems still get updates from the manufacturer.

Lenovo Yoga 500-14IBD released in early 2016 got the latest BIOS update in august 2016.
My Medion P530D from 2012 had the last update in ... 2012.

There are a lot of (UEFI) systems that get no updates.

 

[Regeneration]

Lenovo Yoga 500-14IBD released in early 2016 got the latest BIOS update in august 2016.
My Medion P530D from 2012 had the last update in ... 2012.

There are a lot of (UEFI) systems that get no updates.

You can still run it via CSM / legacy boot.

 

[xerces8]

Of course.
But:
- you have to reinstall the OS (in legacy mode)
- you lose SecureBoot
- you lose GPT (problem especially of the primary HDD is over 2TB)

 

[Regeneration]

A new version is now available with updated microcode database.

 

[Ludwig von Ay]

Hi Regeneration,

nothing else changed? So we just have to copy the database files to the stick?

Regards, Ludwig