Meltdown and Spectre

[headkaze]

We can edit BIOS with MMTool to have that microcode permanently in hackintosh. (people that have older motherboards that don't get BIOS updates essentially have no other alternative )

TLDR: The latest AMI Aptio MMTool v5.0.0.7 does not seem to work patching CPU microcode on Aptio V BIOSes.

So I tried using UBU first but I had to extract my BIOS first (using Rufus to create a boot disk and running "AFUDOS.exe EB123IMS.610 /O" to extract the BIOS). You have to get MMTool.exe v5.0.0.7 and copy it into UBU folder. Then I copied my BIOS file (EB123IMS.610) to the UBU folder and ran "UBU.bat" as admin.

Here is the output:

Scanning BIOS... Please wait...
Platform BIOS AMI Aptio 5
Brand Micro-Star International Co., Ltd.
Found _FIT_ in GUID B52282EE-9B66-44B9-B1CF-7E5040F787C1
Found Option ROM VBIOS in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 C5A4306E-E247-4ECD-A9D8-5B1985D3DCDA
Found Option ROM in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 D46346CA-82A1-4CDE-9546-77C86F893888
Found Option ROM in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 27D36B9B-D456-4D30-8062-77150A98607E
Found Option ROM in GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 50339D20-C90A-4BB2-9AFF-D8A11B23BC15
Found EFI Intel GOP Driver GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 380B6B4F-1454-41F2-A6D3-61D1333E8CB4
Found EFI Intel Raid Controller GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F
Found EFI AMI NVMe Driver GUID 634E8DB5-C432-43BE-A653-9CA2922CC458
Found EFI Intel LAN Gigabit Undi GUID DEB917C0-C56A-4860-A05B-BF2F22EBB717

 This BIOS on Aptio 5 platform, known issues:
  - It is not supported by the update files in the GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0
  - There may be problems with updating the CPU microcode

Press any key to continue . . .

File (1/1): cpuffs.tmp

+------------------------------------------------------------------------------------------------------+
|                                                Intel                                                 |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| # | CPUID |     Platform    | Version |    Date    | Release |   Size  | Checksum |  Offset | Latest |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| 1 | 906E9 |    22 [1, 5]    |    48   | 2016-11-15 |   PRD   | 0x17800 | 4761D4C9 |   0x18  |   No   |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| 2 | 506E3 | 36 [1, 2, 4, 5] |    A6   | 2016-08-21 |   PRD   | 0x17C00 | E951671F | 0x17818 |   No   |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| 3 | 506E8 |    22 [1, 5]    |    34   | 2016-07-10 |   PRD   | 0x17800 | 57D53E7A | 0x2F418 |  Yes   |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
    Current version - GUID 17088572-377F-44EF-8F4E-B09FFF46A070

        Update Intel CPU MicroCode

1 - Update CPU MicroCode Skylake
3 - View CPU Microcode Patch list
m - User Select Microcode File
e - View and Extract all CPU Microcodes
s - Search for available microcode in DB.
0 - Exit to Main Menu

Enter number:1

  Attention!
If you select two microcode may require an adjustment in the _FIT_

        Select Microcode for CPU Kabylake (LGA1151)

        34 Version 34 Date 10-07-2016
        3A Version 3A Date 22-08-2016
        3C Version 3C Date 05-09-2016
        3E Version 3E Date 16-09-2016
        42 Version 42 Date 02-10-2016
        48 Version 48 Date 15-11-2016
        58 Version 58 Date 09-03-2017
        5E Version 5E Date 06-04-2017 - Bug fix HT
        70 Version 70 Date 09-03-2017
        7C Version 7C Date 03-12-2017
        80 Version 80 Date 04-01-2018
        0  Skip

Enter Microcode:80

        Select Microcode for CPU Skylake (LGA1151)

        10 Version 10 Date 22-04-2015
        16 Version 16 Date 13-05-2015
        1A Version 1A Date 28-05-2015
        1C Version 1C Date 02-06-2015
        1E Version 1E Date 10-06-2015
        20 Version 20 Date 18-06-2015
        24 Version 24 Date 01-07-2015
        2E Version 2E Date 21-07-2015
        30 Version 30 Date 29-07-2015
        32 Version 32 Date 04-08-2015
        34 Version 34 Date 08-08-2015
        3A Version 3A Date 23-08-2015
        4A Version 4A Date 18-09-2015
        4C Version 4C Date 01-10-2015
        50 Version 50 Date 12-10-2015
        56 Version 56 Date 24-10-2015
        5C Version 5C Date 06-11-2015
        6A Version 6A Date 14-12-2015
        74 Version 74 Date 05-01-2016 - Last for non-K overclocking
        76 Version 76 Date 07-01-2016
        7C Version 7C Date 31-01-2016
        82 Version 82 Date 21-02-2016
        84 Version 84 Date 01-03-2016
        88 Version 88 Date 16-03-2016
        8A Version 8A Date 06-04-2016
        9E Version 9E Date 22-06-2016
        A0 Version A0 Date 27-06-2016
        A2 Version A2 Date 27-07-2016
        A6 Version A6 Date 21-08-2016
        B2 Version B2 Date 01-02-2017
        BA Version BA Date 09-04-2017 - Bug fix HT
        BE Version BE Date 20-08-2017
        C2 Version C2 Date 16-11-2017
        0  Exit

Enter Microcode:c2
Checksum correct. Microcode not damaged.
Checksum correct. Microcode not damaged.
Generate FFS files Microcode
Found 2 module(s).
Remove "Empty" module.
Restore "Empty" module...

But when MMTool.exe is launched by the batch I get "Error in Replacing File".

So next I tried using MMTool.exe manually. First I got CPU-Z to get CPU ID (which is Family-Model-Stepping) then got the latest Microcode for my Intel CPU (in my case it's an i7-7700T).

As you can see when I go to save the new BIOS I get "Error in Saving".

My guess is if the saving works you can flash the BIOS using "AFUDOS.EXE EB123IMS.610 /GAN" (which will force flashing of a modded BIOS). Seems like a pretty risky process so I'm not even sure if I would go ahead with it. Anyway I thought I would post my results here out of interest sake.

Disclaimer: Flashing a custom BIOS is risky and may prevent your PC from booting. Attempt any of the above at your own risk!

 

[Mikorist]

Excellent posting by David Woodhouse (He is a Kernel Engineer at Intel.)

I think we've covered the technical part of this now, not that you like
it — not that any of us *like* it. But since the peanut gallery is
paying lots of attention it's probably worth explaining it a little
more for their benefit.

This is all about Spectre variant 2, where the CPU can be tricked into
mispredicting the target of an indirect branch. And I'm specifically
looking at what we can do on *current* hardware, where we're limited to
the hacks they can manage to add in the microcode.

The new microcode from Intel and AMD adds three new features.

One new feature (IBPB) is a complete barrier for branch prediction.
After frobbing this, no branch targets learned earlier are going to be
used. It's kind of expensive (order of magnitude ~4000 cycles).

The second (STIBP) protects a hyperthread sibling from following branch
predictions which were learned on another sibling. You *might* want
this when running unrelated processes in userspace, for example. Or
different VM guests running on HT siblings.

The third feature (IBRS) is more complicated. It's designed to be
set when you enter a more privileged execution mode (i.e. the kernel).
It prevents branch targets learned in a less-privileged execution mode,
BEFORE IT WAS MOST RECENTLY SET, from taking effect. But it's not just
a 'set-and-forget' feature, it also has barrier-like semantics and
needs to be set on *each* entry into the kernel (from userspace or a VM
guest). It's *also* expensive. And a vile hack, but for a while it was
the only option we had.

Even with IBRS, the CPU cannot tell the difference between different
userspace processes, and between different VM guests. So in addition to
IBRS to protect the kernel, we need the full IBPB barrier on context
switch and vmexit. And maybe STIBP while they're running.

Then along came Paul with the cunning plan of "oh, indirect branches
can be exploited? Screw it, let's not have any of *those* then", which
is retpoline. And it's a *lot* faster than frobbing IBRS on every entry
into the kernel. It's a massive performance win.

So now we *mostly* don't need IBRS. We build with retpoline, use IBPB
on context switches/vmexit (which is in the first part of this patch
series before IBRS is added), and we're safe. We even refactored the
patch series to put retpoline first.

But wait, why did I say "mostly"? Well, not everyone has a retpoline
compiler yet... but OK, screw them; they need to update.

Then there's Skylake, and that generation of CPU cores. For complicated
reasons they actually end up being vulnerable not just on indirect
branches, but also on a 'ret' in some circumstances (such as 16+ CALLs
in a deep chain).

The IBRS solution, ugly though it is, did address that. Retpoline
doesn't. There are patches being floated to detect and prevent deep
stacks, and deal with some of the other special cases that bite on SKL,
but those are icky too. And in fact IBRS performance isn't anywhere
near as bad on this generation of CPUs as it is on earlier CPUs
*anyway*, which makes it not quite so insane to *contemplate* using it
as Intel proposed.

That's why my initial idea, as implemented in this RFC patchset, was to
stick with IBRS on Skylake, and use retpoline everywhere else. I'll
give you "garbage patches", but they weren't being "just mindlessly
sent around". If we're going to drop IBRS support and accept the
caveats, then let's do it as a conscious decision having seen what it
would look like, not just drop it quietly because poor Davey is too
scared that Linus might shout at him again.

I have seen *hand-wavy* analyses of the Skylake thing that mean I'm not
actually lying awake at night fretting about it, but nothing concrete
that really says it's OK.

If you view retpoline as a performance optimisation, which is how it
first arrived, then it's rather unconventional to say "well, it only
opens a *little* bit of a security hole but it does go nice and fast so
let's do it".

But fine, I'm content with ditching the use of IBRS to protect the
kernel, and I'm not even surprised. There's a *reason* we put it last
in the series, as both the most contentious and most dispensable part.
I'd be *happier* with a coherent analysis showing Skylake is still OK,
but hey-ho, screw Skylake.

The early part of the series adds the new feature bits and detects when
it can turn KPTI off on non-Meltdown-vulnerable Intel CPUs, and also
supports the IBPB barrier that we need to make retpoline complete. That
much I think we definitely *do* want. There have been a bunch of us
working on this behind the scenes; one of us will probably post that
bit in the next day or so.

I think we also want to expose IBRS to VM guests, even if we don't use
it ourselves. Because Windows guests (and RHEL guests; yay!) do use it.

If we can be done with the shouty part, I'd actually quite like to have
a sensible discussion about when, if ever, we do IBPB on context switch
(ptraceability and dumpable have both been suggested) and when, if
ever, we set STIPB in userspace.

https://lkml.org/lkml/2018/1/22/598

 

[mutatio]

Intel faces class action lawsuits regarding Meltdown and Spectre

https://arstechnica.com/gadgets/201...tion-lawsuits-regarding-meltdown-and-spectre/

Maybe it's just my opinion.

This is the right moment for Apple to consider Switch to AMD and ARM CPU’s


That would expand Buyer's Guide to the unbelievable number of machines.

Maybe others have noted this, but ARM and AMD CPUs were similarly affected by Spectre. I'm not sure off the cuff as to why Intel took the beating on this one, aside from the fact that they are the biggest name in processors.

"More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors," the researchers said.

http://money.cnn.com/2018/01/03/technology/computer-chip-flaw-security/index.html

 

[Jamesbond007]

https://support.apple.com/en-us/HT208465

Apple has just released Security Updates 2018-001 for both El Capitan 10.11.6 and Sierra 10.12.6 which contain mitigations for Meltdown. So now in addition to High Sierra both El Capitan and Sierra should be protected from Meltdown.

 

[gamingaccess]

Anybody experienced performance issues between 10.13.1 and 10.13.2?

Spectre and Meltdown patches are in this version.

I am not sure if there are performance issues and I would love to know if someone has some benchmarks.

Thanks in advance.

 

[Mikorist]

Anybody experienced performance issues between 10.13.1 and 10.13.2?

Nope.

I'm currently updating to 10.13.3


Before

Now

 

[headkaze]

Anybody experienced performance issues between 10.13.1 and 10.13.2?

Spectre and Meltdown patches are in this version.

Spectre is NOT patched in "MacOS High Sierra 10.13.2 Supplemental Update" nor in "macOS High Sierra 10.13.3 Update". The only way to patch it is with a BIOS update that includes CPU microcode update from Intel.

It's easy to test it by compiling and running SpectrePoC and seeing it with your own two eyes. I have both updates and the exploit code still runs and reads memory fine.

Now the only avenue for people who have machines that will not get a manufacturer BIOS update is to do a custom BIOS modification and update (you can see my failed attempt here). The problem is AMI Aptio MMTool v5.0.0.7 does not seem to work patching CPU microcode on Aptio V BIOSes. So until American Megatrends Inc. release an updated MMTool that does work, or you have an Aptio 4 BIOS on your system, you are pretty much SOL for now.. See below for a way to update an Aptio V BIOS using UBU and UEFITool.

 

[headkaze]

Just an update to say I have successfully patched my Aptio V BIOS using the following method:

1. Download UBU_v1_70_a12_DEV (or later) and extract to a folder
2. Download UEFITool 0.22.3 (or later) then extract and copy (and rename to) UEFITool.exe into the same folder
3. Download MMTOOL_v5.0.0.7 then extract and copy (and rename to) MMTool.exe into the same folder
4. Download the latest BIOS for your machine or extract it using (from DOS booted USB drive):

AFUDOS.EXE BIOS.BIN /O

Then copy your BIOS to the same folder as UBU (it can be named anything) as it will be auto detected and renamed to bios.bin.
5. Run UBU_dev.bat

Scanning BIOS. Please wait...
Define BIOS platform
Platform BIOS AMI Aptio 5
Brand Micro-Star International Co., Ltd.
Found EFI Intel GOP Driver GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0 380B6B4F-1454-41F2-A6D3-61D1333E8CB4
Found EFI Intel Raid Controller GUID 91B4D9C1-141C-4824-8D02-3C298E36EB3F
Found EFI AMI NVMe Driver GUID 634E8DB5-C432-43BE-A653-9CA2922CC458
The system cannot find the file Files\Intel\lan\obacl.txt.
The system cannot find the file Files\Intel\lan\obage.txt.
Found EFI Intel LAN Gigabit Undi GUID DEB917C0-C56A-4860-A05B-BF2F22EBB717

 This BIOS on Aptio 5 platform, known issues:
  - It is not supported by the update files in the GUID A0327FE0-1FDA-4E5B-905D-B510C45A61D0
  - There may be problems with updating the CPU microcode

Press any key to continue . . .

6. Press a key

                      Main Menu
            [Current vesion in BIOS file]
1 - RAID Controller
2 - Video OnBoard
3 - Network
4 - Other SATA Controller
5 - CPU MicroCode
     View/Extract/Search/Update
I - Information
0 - Exit
Press ENTER - Re-Scanning ALL EFI Files\.

Choice:

7. Select '5'

File (1/1): bios.bin

+-------------------------------------------------------------------------------------------------------+
|                                                 Intel                                                 |
+---+-------+-----------------+---------+------------+---------+---------+----------+----------+--------+
| # | CPUID |     Platform    | Version |    Date    | Release |   Size  | Checksum |  Offset  | Latest |
+---+-------+-----------------+---------+------------+---------+---------+----------+----------+--------+
| 1 | 906E9 |    22 [1, 5]    |    48   | 2016-11-15 |   PRD   | 0x17800 | 4761D4C9 | 0x5ACB00 |   No   |
+---+-------+-----------------+---------+------------+---------+---------+----------+----------+--------+
| 2 | 506E3 | 36 [1, 2, 4, 5] |    A6   | 2016-08-21 |   PRD   | 0x17C00 | E951671F | 0x5C4300 |   No   |
+---+-------+-----------------+---------+------------+---------+---------+----------+----------+--------+
| 3 | 506E8 |    22 [1, 5]    |    34   | 2016-07-10 |   PRD   | 0x17800 | 57D53E7A | 0x5DBF00 |  Yes   |
+---+-------+-----------------+---------+------------+---------+---------+----------+----------+--------+
    Microcodes GUID 17088572-377F-44EF-8F4E-B09FFF46A070

        [Update Intel CPU MicroCode]
C - Create FFS with MicroCodes
M - User Select only 1 Microcode File
V - View CPU Microcode MMTool Patch list
        [MCExtractor]
E - Extract all CPU Microcodes
S - Search for available microcode in DB.
0 - Main Menu
Choice:

8. Select 'c'

CPUID 906E9 found.
Files\Intel\mcode\1151\cpu906E9_plat2A_ver00000080_2018-01-04_PRD_6AA1DE93.bin
Checksum correct.
CPUID 506E3 found.
Files\Intel\mcode\1151\cpu506E3_plat36_ver000000C2_2017-11-16_PRD_328B43AF.bin
Checksum correct.
Generate FFS with Microcode

File (1/1): mCode.ffs

+------------------------------------------------------------------------------------------------------+
|                                                Intel                                                 |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| # | CPUID |     Platform    | Version |    Date    | Release |   Size  | Checksum |  Offset | Latest |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| 1 | 906E9 |   2A [1, 3, 5]  |    80   | 2018-01-04 |   PRD   | 0x18000 | 6AA1DE93 |   0x18  |  Yes   |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+
| 2 | 506E3 | 36 [1, 2, 4, 5] |    C2   | 2017-11-16 |   PRD   | 0x18400 | 328B43AF | 0x18018 |  Yes   |
+---+-------+-----------------+---------+------------+---------+---------+----------+---------+--------+

U - Update Microcode
0 - Cancel
Choice:

9. Select 'u'

MMTool.exe will be launched in a separate command window. If you get the error "Error in replacing File" then click on the window and press enter twice. The command window should close.

The output in UBU should now show:

Remove "Empty" module.
Restore "Empty" module...

If "Error Replacing in file" look _A5Update\mCode.txt

                    Current    New
01 mCode Address - FFFACB00 == FFFACB00
      mCode Size    - 17800
02 mCode Address - FFFC4300 == FFFC4300
      mCode Size    - 17C00
03 mCode Address - FFFDBF00 == FFFDBF00
      mCode Size    - 17800
Press any key to continue . . .

10. Exit out of UBU.

Now open the file _A5Update\mCode.txt

Using UEFITool
Find pattern
728508177F37EF448F4EB09FFF46A070..............F801
or GUID 17088572-377F-44EF-8F4E-B09FFF46A070
File mCode.ffs
"Replace as is"

11. Now launch UEFITool.exe and open your BIOS file (UBU should have renamed it to bios.bin).
12. Select File->Search... and copy/paste the line from mCode.txt (Eg. 728508177F37EF448F4EB09FFF46A070..............F801)

In the "Messages" area it should say something like:

Hex pattern "728508177F37EF448F4EB09FFF46A070..............F801" found as "728508177F37EF448F4EB09FFF46A070DFAA0108286C04F801" in 17088572-377F-44EF-8F4E-B09FFF46A070 at header-offset 0h

13. Double-click on this line should jump to the position in the BIOS file.

14. Right-click on the high-lighted section it jumped to in the BIOS and select "Replace as is..." and select the _A5Update\mCode.ffs file.
15. Select File->Save image file... and save it over bios.bin.
16. Close UEFITool
17. Open bios.bin in MMTool to check the CPU microcode is successfully patched

18. Now you should be able to flash bios.bin using (from DOS booted USB drive):

AFUDOS.EXE BIOS.BIN /GAN

WARNING: Flashing a custom BIOS could result in a non-bootable machine. Do the above at your own risk! Although you may be able to recover a failed AMI BIOS flash:

Rename the BIOS file to AMIBOOT.ROM, put it on a USB thumbdrive, insert into USB port.
Wait at least 15-20 min, or reset the CMOS if at all possible.
Power up and press CTRL + HOME
The BIOS may reflash from the BIOS file on the USB thumbdrive.

 

[moheban79]

Guys noticed you are using Uefitool 22.1 for this and recommend you not use that version! Instead use ver 22.3 as the older version had a serious bug that would cut off the file being replaced and trash your whole firmware volume. I brought it up with the developer and amazingly enough he fixed it on the spot! Great guy!

 

[headkaze]

Instead use ver 22.3 as the older version had a serious bug that would cut off the file being replaced and trash your whole firmware volume.

Thanks for the info! I've updated my tutorial to include this download.