#180
Hi,
@qao :
Welcome to the forum and thanks for the links to the program. I find it excellent.
Cheers,
K, I thought I had done all the updates, but I'm still a bit confused on the items in bold. It appears I'm still vulnerable to Spectre, according to the SpectreMeltdownCheck .... What am I missing?
1. KB4056892
2. cpumcupdate - microcode-20180108
3. According to HP and Get-SpeculationControlSettings - Appears my CPU doesn't need a BIOS update ?
PS C:\WINDOWS\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]
Suggested actions
* Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119
BTIHardwarePresent : True
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : True
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : True
KVAShadowPcidEnabled : True
Yea, I don't get it, and I even tried doing the reg additions, which shouldn't be needed. I'm thinking I'm gonna need a BIOS update.
That line is truly odd and contradicts the ones following it unless I really misunderstand something here....
The only other thing I've found is this over on TechNet.
I managed to enable the patch, but had to mod BIOS firmware with the latest microcode from Intel for my CPU, i7-4960X on X79 ASUS Rampage IV Black Edition Mobo, Windows 10 x64 1709 16299.192
Before that I tried the VMware driver, which gave me "hardware support for branch target injection mitigation: True", but I believe the OS loads the microcode too late for mitigation to be enabled.
Note that I did not have to add the registry keys as listed below to my machine in order to enable the patch:
Or else that the patched BIOS is not enough for the new microcode and requires actual new BIOS as well.
For my nearly ancient X58 mobo, here is what eVGA Tech LeeM had to say about BIOS updates for eVGA motherboards in their forums:
If all they needed was to update the microcode in any BIOS for any machine, well, Intel provided new microcode for damn near every CPU on 8 Jan: Download Linux* Processor Microcode Data File
This is our current schedule for BIOS updates related to these vulnerabilities:
By end of this week*: Z170, Z270, Z370, X99, X299, Laptops.
Within 1-2 weeks*: X79, W888, Z87, Z97.
*Please note that this date is projected, contingent on receiving source code from Intel, and final testing may push the dates back temporarily.
At this point, we do not have source code from Intel to update X58, P67, or Z77 motherboards. When/if that becomes available, I'll provide an update.
But I suspect that there is more to the BIOS than just replacing the microcode - quite possibly it could be that it has built in safeguards to check the integrity of the microcode within itself before passing it on to the CPU, and if it doesn't pass the integrity test, it may do something else in the interim.
I don't know much about it, but it makes sense that this sort of check would be in there - after all, if not, someone could start spreading false BIOSs that were malicious in intent rather easily....
I do know that other parts of the BIOS have successfully been updated, especially the Intel RAID ROM part, even for the BIOS for my machine, but haven't ever seen any real success on BIOS microcode modification working.
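
Added example, not part of the original post and not code from the SpeculationControl module: a small triage function over the object that Get-SpeculationControlSettings returns, showing which of the BTI* properties explains a "not enabled" result and flagging the case in this post where none of them does. The function name Get-BtiDiagnosis is hypothetical, the sample object is constructed from the property values pasted above, and the late-microcode-load explanation in the last message is the hypothesis from the TechNet quote in the post, not a confirmed cause.

```powershell
# Added example: classify the branch target injection (CVE-2017-5715) state
# from the properties Get-SpeculationControlSettings returns.
# Get-BtiDiagnosis is a hypothetical helper name used only for this example.
function Get-BtiDiagnosis {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Settings
    )
    process {
        if ($Settings.BTIWindowsSupportEnabled) {
            return 'Enabled: the OS mitigation for branch target injection is active.'
        }
        if (-not $Settings.BTIWindowsSupportPresent) {
            return 'Not enabled: the Windows update that adds the mitigation is not present.'
        }
        if ($Settings.BTIDisabledBySystemPolicy) {
            return 'Not enabled: reported as disabled by system policy.'
        }
        if ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
            return 'Not enabled: hardware (microcode) support is reported absent.'
        }
        # Hardware and OS support are both reported present and neither
        # "disabled by" flag is set, yet the mitigation is off: the state in the post.
        return 'Not enabled, no reason reported: check whether the microcode comes ' +
               'from firmware at boot or from a driver loaded later by the OS.'
    }
}

# Constructed sample: the BTI* values from the output pasted in the post.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $true
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    BTIDisabledBySystemPolicy      = $false
    BTIDisabledByNoHardwareSupport = $false
}
$sample | Get-BtiDiagnosis

# On a live system with the SpeculationControl module installed:
# Get-SpeculationControlSettings | Get-BtiDiagnosis
```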