Windows 10: Windows Client Guidance against speculative execution vulnerabilities

  1.    2 Weeks Ago #590

    fdegrove said:
    Hi,



    MC is a software interpretation layer that sits between the cpu's firmware and the computer system as a whole and resides in the cpu's non-volatile memory. Once it's updated it stays that way until the next update etc.
    In a way it can be viewed as a piece of software that talks to the cpu telling it how to "read" and "execute" instructions coming from the system.

    Cheers,
    It was my understanding that while the CPU's permanent microcode resides in non-volatile CPU memory, the BIOS/UEFI loads the microcode update into volatile CPU memory on boot.

  2.    2 Weeks Ago #591

    Hi,

    That non-volatile memory can be written to. IOW, it can be flashed just like a BIOS/UEFI, RAID ROM, MEI/AMT management blocks and such.
    It suffices to put the CPU with the latest MCU in a different system board to read out the current MC status. It will be the most current one, i.e. the flashed one.

    Cheers,

  3.    2 Weeks Ago #592

    Then the information on the Debian Wiki must be wrong.

    Processor microcode is akin to processor firmware. The kernel is able to update the processor's firmware without the need to update it via a BIOS update. A microcode update is kept in volatile memory, thus the BIOS/UEFI or kernel updates the microcode during every boot.

    Microcode - Debian Wiki


    And according to Mozilla.org,

    Microcode updates can be loaded onto the CPU by firmware (usually called BIOS even on computers that technically have UEFI firmware instead of old-style BIOS) or by the operating system. Microcode updates do not persist across reboot, so in the case of a dual-boot system, if the microcode update isn't delivered via BIOS, both operating systems have to provide the update.

    Updating processor microcode | Firefox Help

  4.    2 Weeks Ago #593

    Hi,

    No, both are correct and act in a similar way as MS does when no bios/uefi MCU is available.
    Note also that these methods are not persistent so these updates need to be loaded every time the machine starts/restarts.

    So, the only way to make it persistent all the time is to flash the CPU's MC.

    Cheers,

  5.    2 Weeks Ago #594

    Hi,

    For info:

    Title: Microsoft Security Advisory Notification
    Issued: April 10, 2018
    ********************************************************************

    Security Advisories Released or Updated on April 10
    ===================================================================

    * Microsoft Security Advisory ADV180002

    - Title: Guidance to mitigate speculative execution side-channel
    vulnerabilities
    - https://portal.msrc.microsoft.com/en...rity-guidance/
    advisory/ADV180002
    - Reason for Revision:
    The following updates have been made: 1. Updated FAQ#10 to
    provide additional links for more information about updating
    an AMD-based device. 2. Added FAQ #15 to announce that security
    update 4093112 for Windows 10 Version 1709 provides additional
    mitigations for AMD processors for CVE-2017-5715, and to provide
    further information about these mitigations. 3. Added FAQ #16 to
    announce that AMD has started to release microcode updates around
    Spectre variant 2 (CVE 2017-5715 Branch Target Injection) for
    newer CPU platforms.

    - Originally posted: January 3, 2018
    - Updated: April 10, 2018
    - Version: 16.0
    Source: MS e-mail


    Cheers,

  6.    2 Weeks Ago #595

    fdegrove said:

    No, both are correct and act in a similar way as MS does when no bios/uefi MCU is available.

    It seems to me that both articles are saying that regardless if the BIOS/UEFI or the operating system updates the microcode, the microcode is updated every time the computer reboots because the update is being written to volatile memory.
    Last edited by Ground Sloth; 2 Weeks Ago at 10:09.

  7.    2 Weeks Ago #596

    Hi,

    Microcode updates do not persist across reboot, so in the case of a dual-boot system, if the microcode update isn't delivered via BIOS, both operating systems have to provide the update.
    Cheers,

  8.    2 Weeks Ago #597

    I have to respectfully disagree with your interpretation of that sentence.

    In any case, the Debian wiki article is more clear about the BIOS/UEFI needing to update the microcode every time the computer is rebooted.

    I also found the following comment from a moderator on SuperUser.com:

    Microcode updates are not permanent and vanish when the CPU is reset. The microcode updates are usually supplied via motherboard firmware updates. The firmware updates the CPU microcode when your system boots and so the way to roll back an update is to roll back your motherboard firmware.

    cpu - Can Intel microcode updates be rolled back? - Super User

  •    2 Weeks Ago #598

    Hi,

    Sorry but I'm 100% certain I am correct.
    It appears you seem to be stuck on how Debian (Linux) updates MC through the OS.
    And of course if you reflash the CPU's MC with a previous version of it then you effectively rolled it back.

    As said before, flash update a CPU's MC on system one, move that CPU to system two and you'll find the MC of the chip is exactly the same on both boards. Permanently and persistently so.

    Cheers,


  •    2 Weeks Ago #599

    Ground Sloth said:
    I have to respectfully disagree with your interpretation of that sentence.

    In any case, the Debian wiki article is more clear about the BIOS/UEFI needing to update the microcode every time the computer is rebooted.

    I also found the following comment from a moderator on SuperUser.com:




    cpu - Can Intel microcode updates be rolled back? - Super User
    The Debian Wiki article is 100% correct. Intel Microcode modifications are volatile and do not permanently alter original Microcode versions baked into the silicon. This is why ideally any update is deployed early after system boot. The BIOS is a good candidate for this purpose as its code is executed traditionally before any OS gets its turn.