Windows Client Guidance against speculative execution vulnerabilities
-
Hi,
Microsoft can only update the microcode.
Not quite. What it does is make the OS think this is what the MCU actually is. Which in firmware terms it is not.
IOW, it emulates the correct MC to the OS but as far as the CPU is concerned it's still at the previous version as provided by the OEM BIOS/EFI etc.
Cheers,
-
Interesting ... I have a HP Envy 17 m7-k010dc laptop ... different CPU (i7-4710hq), but same CPUID (306C3) and InSpectre says I'm good. The only patch I applied was the latest cpumcupdate microcode.
Note: HP told me that my HP Envy 17 m7-k010dc wasn't vulnerable and there would be no BIOS update.
Update: So just out of curiosity, I just went and checked HP support/drivers for my laptop and it shows a BIOS Update ... F.55 3-9-2018 and I'm currently at F.54 10-23-2017
Note: My laptop still isn't listed on their Security Bulletin Page.
-
Hi,
Note: HP told me that my HP Envy 17 m7-k010dc wasn't vulnerable and there would be no BIOS update
I believe the latter part, not the former one.
The only patch I applied was the latest cpumcupdate microcode
Cpumcupdate works in a similar way to MS, it loads the MCU by way of a driver as the OS gets loaded.
Cheers,
-
Hmmmm, I guess HP was mistaken ... LOL
I applied the BIOS update and after reboot I checked Event Viewer for the cpumcupdate info and it said no CPUs needed updating (I may not need the patch) ... InSpectre said I was good, so I uninstalled the cpumcupdate and rebooted. InSpectre says I'm good, but now it actually shows the Disable Spectre Protection, where before it showed Enable Spectre Protection.
Note: I also ran the PowerShell Speculation Control Check and it shows everything in Green (before it didn't)... So now I'm 99% confident that my laptop is not vulnerable, where I wasn't before :)
-
InSpectre said I was good, so I uninstalled the cpumcupdate and rebooted. InSpectre says I'm good, but now it actually shows the Disable Spectre Protection, where before it showed Enable Spectre Protection.
It says "Disable", because it gives you the option to disable it, if you feel that you have a performance issue!
-
It says "Disable", because it gives you the option to disable it, if you feel that you have a performance issue!
Right, but it seemed strange that InSpectre would tell me I'm good, but still show the Enable Spectre Protection.
-
Right, but it seemed strange that InSpectre would tell me I'm good, but still show the Enable Spectre Protection.
"Good" is not PERFECT, it's just good, i.e. acceptable based on some (unknown, to me at least) metrics. If you are not satisfied with acceptable, you can disable it!
-
Hi,
Not quite. What it does is make the OS think this is what the MCU actually is. Which in firmware terms it is not.
IOW, it emulates the correct MC to the OS but as far as the CPU is concerned it's still at the previous version as provided by the OEM BIOS/EFI etc.
Cheers,
Do you have a source on this?
-
Right, but it seemed strange that InSpectre would tell me I'm good, but still show the Enable Spectre Protection.
The "good" only has to do with the rating of the performance of your machine with the given patches applied - whatever they are. It doesn't mean your machine is good in terms of protection against Meltdown and Spectre.
I have an HP Stream 11 and I have Meltdown and Spectre disabled and I get a "good" rating. If I enable Meltdown protection, I lose the good and get "slower".
-
Sorry, when I said InSpectre told me I'm good ... I actually meant that it said I was protected and that it showed System is Spectre Protected YES, yet showed the Enable Spectre Protection button, which, if I clicked on it, never actually did anything and made me question if I was actually protected. After the BIOS update it shows System is Spectre Protected YES and the Disable Spectre Protection button.
Before BIOS Update
After BIOS Update