This week’s tech and non-tech media were pretty loud about the two now-infamous Spectre and Meltdown security holes found in most modern CPUs, so I’m not going to go into any technical specifics regarding them. For interested people here is some detailed info, but in the meantime, I’m going to share some thoughts and findings about it from my side of things. Fortunately enough, I have both an old Sandy Bridge and a quite new(ish) Kaby Lake config at my disposal, so I can directly report how things fare at both ends of the Core series of Intel processors from a user perspective. So here we go.
Let’s start with the less interesting (but not entirely uninteresting) end of things, the Kaby Lake CPUs. As the reader probably already knows, these 7th Gen. Intel CPUs are just as affected by the aforementioned security issues as pretty much any older, still relevant CPU from Intel. To mitigate the problem, CPU microcode updates (among other things) were released, and are now being incorporated by major motherboard manufacturers. Or at least this should be the case. As it turns out, not every manufacturer is quick to respond (at least in terms of communication) to such critical issues. For instance, Gigabyte, Asus, MSI, Dell, Lenovo and more than likely some others have already set up their respective microsites, where they inform users about the issues and the steps they will take to mitigate the problems. As of the writing of this post, however, quite astonishingly, ASRock, EVGA, AOpen, and some others have not. I don’t doubt that these latter companies will also release updated BIOS (UEFI) images at some point, but from a customer’s perspective the conduct of the former companies is far more likeable.
From what can be seen right now, new(er) desktop systems (with 100, 200, 300 series and X99, X299 chipsets) will receive BIOS updates, but older configs out there might simply be dead in the water. On the laptop side of things, Lenovo for example lists all machines down to the Ivy Bridge generation that will receive updated BIOS images, but below that, nobody knows what will happen. Should we be concerned now? Well, both yes and no. No, because Intel seems to treat security quite seriously, so there is always hope. Yes, because the not yet quite extinct Sandy Bridge CPUs did not get any support for Windows 10 from Intel, so Ivy Bridge might just be the line where the company stops pushing out microcode updates as well.
So the obvious questions arise: what happens if Intel does release a microcode update for Sandy Bridge, and maybe even for Nehalem or older, but the OEMs do not issue a BIOS update? And what if there is no new microcode? The answer to the first question is easy: although a BIOS update is the usual way to get new CPU microcode, it is not the only route towards having the latest thing. OSs are also capable of loading CPU microcode on a per-boot basis, which means one could use the latest microcode without ever updating a BIOS. The obvious downside is that this approach is restricted to the actual OS instance found on a computer, so a dual-boot setup would require that both OSs (regardless of type and version) incorporate and load the new microcode at every boot. On the bright side, one cannot brick the computer this way, as the BIOS is not touched at all.
If one thinks that doing an OS-level microcode “update” is an hours-long fiddly task, well, it is not. As a matter of fact, applying a microcode update on a Gentoo Linux system is a pretty straightforward process, as discussed in a corresponding wiki page. On other Linux distributions the procedure(s) should be pretty similar to those presented on the above-mentioned wiki page. On a Windows-based system the steps are as easy as it can get, as shown in the linked YouTube video. Other sources describe pretty much the same procedure as well, so it should work.
OK, but what about the second question, when there will be no new microcode? Well, that is a tough one. Since there will probably be no sign (in logs) of a successful attack using these flaws on a particular system, it is pretty hard to determine whether we were or are affected by this. It is also unclear now if antivirus packages will be able to detect malware using these techniques. This uncertainty alone makes one really wonder if it is time to upgrade the CPU to a newer gen (should be possible on 6x and 7x series motherboards) on desktop (and server) systems. Since laptops seldom make it possible just to pop a newer gen CPU into the motherboard (lack of BIOS updates), no other solution seems to be available but to replace the entire machine, which is unfortunately far more costly.
To also present you with some specifics, as the screen captures above show, the (as of now) latest (20180108) CPU microcode update package found here does not contain a newer microcode for my Sandy CPU. The latest is from 2013. Also, the above linked Lenovo site right now does not list “Target availability” dates for computers with CPUs older than Ivy Bridge, which could mean that Intel does not intend to update microcodes for these and older CPUs. So, there is concern. On the brighter side of things, I made a small performance test prior to and after applying the latest Windows patches on the Sandy based computer, and the performance drop of the CPU itself was negligible, only the 2D performance of the integrated GPU had some slightly more visible drop (screen captures below). This patch however does not solve all issues, so if no microcode updates come within a month, the only available “patch” to me will be a newer machine.
As a conclusion, I can only say that the next couple of weeks will be rather interesting, especially considering that Microsoft did patch their long-abandoned Windows XP OS last year to defend against the (also quite infamous) WannaCry malware, so hopefully Intel will follow the same logic and will decide not to leave Sandy Bridge and Nehalem owners in trouble. I most certainly hope so.
Until then, as always, thanks for reading.
Intel did withdraw the aforementioned microcode updates (20180108) because they caused system instabilities, so as of 2018-02-17, no CPU-level mitigations are available for these bugs. The latest microcode update available on Intel’s site now is 20171117.
The latest microcode update is 20180807. Interestingly, Gigabyte, for example, hasn’t released new BIOS updates for Z170 based boards (Intel 6th & 7th gen) since 20180309, despite the fact that several other new microcode updates were released since then.
Anyway, if you want to check if your computer is still affected by these security issues, I suggest you download and run the following script on your Linux or BSD system. The script will give you a detailed analysis and info about how all the variants of these bugs affect your system. For checking a Windows box, please read this article.
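
As an added example (not part of the original post, and not the script or the wiki procedure referred to above): after loading microcode from the OS as described earlier, the revision actually in use and the kernel's own view of the mitigations can be read on Linux from /proc/cpuinfo and, on kernel 4.15 or later, from /sys/devices/system/cpu/vulnerabilities/. The function names and the sample data below are made up for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Print each distinct "model name | microcode revision" pair in a cpuinfo file.
microcode_revisions() {
    awk -F': *' '
        { sub(/[ \t]+$/, "", $1) }              # strip padding after the key
        $1 == "model name" { model = $2 }
        $1 == "microcode"  { seen[model " | " $2] = 1 }
        END { for (k in seen) print k }
    ' "$1" | sort
}

# Print "issue: status" for every file in a vulnerabilities directory.
mitigation_status() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
        fi
    done
}

# Count issues the kernel reports as unmitigated (status begins "Vulnerable").
count_vulnerable() {
    mitigation_status "$1" | grep -c ': Vulnerable' || true
}

# Constructed sample input (not captured from a real machine) so this runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/vulnerabilities"
cat > "$demo_dir/cpuinfo" <<'EOF'
processor       : 0
model name      : Example CPU @ 3.30GHz
microcode       : 0x29
processor       : 1
model name      : Example CPU @ 3.30GHz
microcode       : 0x29
EOF
echo 'Mitigation: PTI' > "$demo_dir/vulnerabilities/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$demo_dir/vulnerabilities/spectre_v1"
echo 'Vulnerable' > "$demo_dir/vulnerabilities/spectre_v2"

microcode_revisions "$demo_dir/cpuinfo"
mitigation_status "$demo_dir/vulnerabilities"
echo "unmitigated: $(count_vulnerable "$demo_dir/vulnerabilities")"

# On a real Linux system, pass the live paths instead:
#   microcode_revisions /proc/cpuinfo
#   mitigation_status /sys/devices/system/cpu/vulnerabilities
```

If the microcode revision printed before and after enabling OS-level loading is the same, the OS did not apply a newer microcode than the one the BIOS already provides.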