Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[taii...@gmx.com]

On 01/09/2017 05:28 PM, Nico Huber wrote:


These are all good reasons not to buy a CPU that requires black-box
updates. But not against applying the update if you have such a CPU.

Nico
Of course, which is why I warned the thread parent earlier in the email 
chain.


It seems a lot of people fail to appreciate the difference between works 
and works securely (aka without any significant errata).



I bought a 62xx opteron instead of a 63xx opteron because it works 
securely without microcode (according to various sources), unfortunately 
I am unemployed or I would get a 7K POWER system (and pay for firmware 
development) - I personally believe that cheap CPU's have ruined the 
internet "eternal september".


If anyone can give me one I would appreciate a coreboot wiki editor 
account so that I can note that as like others said it isn't made clear 
enough (and make a few other changes such as a supported features table 
and faq for the motherboards I have)


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[ron minnich]

On Mon, Jan 9, 2017 at 2:09 PM taii...@gmx.com  wrote:

> Reasons to hate microcode updates:
> * They enable companies to ship broken CPU's and fix them later thus a
> CPU undergoes less testing (remember when software/games didn't have and
> worked fine without a day one patch?)
>

that's actually not a very good reason. Companies ship broken hardware all
the time. A company that has a microcode machine would be irresponsible
were they not to allow the option of an update. Further, hardware is 
hard. It's simply not possible to catch every possible bug before it ships.


True story: when the Y came out, vendor abc used a Y-1 to check its
floating point calculations. The machines were to stop when a difference in
computations was found. The machines stopped. The Y-1 had a bug that the
newer machine found.

Why did I not use names? Because I've heard this story from architects at
just about every computer company. Hardware has bugs. Microcode fixes can
work around the bugs. So it makes sense to take advantage of that.

* Theoretically a nation state actor could screw around with a CPU and
> have an internal microcode update to secure their own systems, or
> something else like that.
>

All kinds of things are possible in theory, but it seems to me you're
making an argument against microcode, not microcode updates.


> * It is a black box (at least with intel) that is just another step of
> the war on general purpose computing-  the tivoization of hardware.
>
>
This is pretty much the same argument. If you don't like the CPUs you are
using, get different ones.

Given the use of a machine that has microcode, I don't think the opposition
to microcode updates makes any sense at all. You're far more likely to be
harmed by bugs in microcode than problems in a microcode update.
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2017 04:28 PM, Nico Huber wrote:
> On 09.01.2017 23:07, taii...@gmx.com wrote:
>> Reasons to hate microcode updates:
>> * They enable companies to ship broken CPU's and fix them later thus a
>> CPU undergoes less testing (remember when software/games didn't have and
>> worked fine without a day one patch?)
> 
> Well, I remember when a x86 CPU alone cost $1k. You should stop buying
> x86 if it's too cheap for your taste.
> 
>> * Theoretically a nation state actor could screw around with a CPU and
>> have an internal microcode update to secure their own systems, or
>> something else like that.
> 
> They can have that much more easier by flipping a secret bit somewhere.
> 
>> * It is a black box (at least with intel) that is just another step of
>> the war on general purpose computing-  the tivoization of hardware.
>>
> 
> Might be, but that's not how it started / why we have microcode updates.
> 
> These are all good reasons not to buy a CPU that requires black-box
> updates. But not against applying the update if you have such a CPU.

Very well stated.  You could purchase a POWER CPU right now that
wouldn't require signed microcode, for instance, or an ARM64 CPU that
doesn't need microcode at all, but if you keep purchasing cheap x86 CPUs
this is what you get.  Not applying the manufacturer's microcode updates
(which are still mostly horizontal microcode, basically logic level
switches and some basic microprograms) only hurts security on such devices.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYdBD7AAoJEK+E3vEXDOFbtY4H/3wxLIlWNIQg7Ar1vgooPtsG
zX0+FcW7/Z4PZejuxrEnXwL3elf41qufuE7k6Ce3fVoBY0Ls61MZx6p1QuhIWj4Q
5w7gvt00srQg4Hw8KYfKjWbNL2txObiwwzYVVoTbsdhrPlLLS9DUByvcET/3grLB
KBvKWatJV24IqJh9Uhf25b5wlpXwfbAqdGOJSOTVOlGRRs0nJ4uv2VOEFjFUeI2M
qXXVcKy1dBoSRDsmEwNFOTJFb8QpOsUeTeiywSe7D9+MceFU6GYA/3zLkKTu5g3y
0xlvHacAtBqN7T7VTSXFL4e0wj4t78i6oQlb8BUesYDx//cBfDvZJVtf4veGyi4=
=NZcn
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Nico Huber]

On 09.01.2017 23:07, taii...@gmx.com wrote:
> Reasons to hate microcode updates:
> * They enable companies to ship broken CPU's and fix them later thus a
> CPU undergoes less testing (remember when software/games didn't have and
> worked fine without a day one patch?)

Well, I remember when a x86 CPU alone cost $1k. You should stop buying
x86 if it's too cheap for your taste.

> * Theoretically a nation state actor could screw around with a CPU and
> have an internal microcode update to secure their own systems, or
> something else like that.

They can have that much more easier by flipping a secret bit somewhere.

> * It is a black box (at least with intel) that is just another step of
> the war on general purpose computing-  the tivoization of hardware.
> 

Might be, but that's not how it started / why we have microcode updates.

These are all good reasons not to buy a CPU that requires black-box
updates. But not against applying the update if you have such a CPU.

Nico


-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[taii...@gmx.com]

Reasons to hate microcode updates:
* They enable companies to ship broken CPU's and fix them later thus a 
CPU undergoes less testing (remember when software/games didn't have and 
worked fine without a day one patch?)
* Theoretically a nation state actor could screw around with a CPU and 
have an internal microcode update to secure their own systems, or 
something else like that.
* It is a black box (at least with intel) that is just another step of 
the war on general purpose computing-  the tivoization of hardware.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Rudolf Marek]

Hi Timothy,

Many thanks for pointing this out! We should put this somewhere to Wiki, in
VERY LARGE letters as over the years I'm also very sensitive to all the people
not liking to do their microcode update.

I always failed to explain that microcode is not a program (despite the "code"
in the word). I concluded that people are preventing doing the microcode
update because of religious reasons as I failed to identify any other reason.
I also do think that if one trusts the CPU one should also trust the update,
otherwise it makes more sense to go for RISC-V CPU in FPGA approach.

Thanks
Rudolf




-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[ron minnich]

On Mon, Jan 9, 2017 at 9:58 AM Daniel Kulesz 
wrote:

> Hi,
>
> thank you for the hints. Actually, I am a bit puzzled why some of you
> misinterpreted my message as a claim or even a "proof".
>

I understand, but be aware that people tend to take such statements in the
form of "I have not seen a problem yet" as meaning "microcode updates are
not needed." I've seen this type of interpretation for several years now so
have gotten sensitive to it. :-)

ron
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2017 11:58 AM, Daniel Kulesz wrote:
> Hi,
> 
> thank you for the hints. Actually, I am a bit puzzled why some of you 
> misinterpreted my message as a claim or even a "proof". Since I haven't seen 
> (m)any reports about running Coreboot with a Core2Quad Mobile w/o microcode 
> updates (The Libreboot docs even state that these CPUs are incompatible), I 
> only wanted to report that for me it seems not to crash badly on booting or 
> compiling. No more than that.
> 
> Cheers, Daniel

No problem, and thanks for the data point.  I just wanted to chime in so
that others are aware that on certain CPUs there are hidden risks to not
using update microcode; when making the decision to avoid microcode the
errata documentation for the specific processor in use needs to be
carefully analyzed for the intended use case to avoid an even less
secure setup than just using fully proprietary firmware.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYc8+pAAoJEK+E3vEXDOFbG+IIAJwl731kz6cQUO4kGjqMEmjB
Yn41BwG9jczx5EuvsgUNF5ngtQxd47c6TYDSHsYNARsaxRiiQfJVEd7SE3VHktEf
ROMAPQzPcMvSNzPcEqkE8wqiOeSETtsOZ7nCfReINkd86ECgg4TNoj/2afXCe1y7
C0EMnm11HNauwvIOyjzCHpHDF78HT26CMx/nc5rGRwgKfrZIriIdLSuJKN81b7Uq
z7RRvkhlbbj0pyKY2JRh233ACOg7Cd6hWyW0M+7j4dVT13NWG0NI6lPOr8pFbttU
/21S9qodiMlJD7fBm8/zCPMbR0SsbnufzNBAc53gcjBOYLiSC2IFc7nz2hJLg8s=
=UO0Y
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Daniel Kulesz via coreboot]

Hi,

thank you for the hints. Actually, I am a bit puzzled why some of you 
misinterpreted my message as a claim or even a "proof". Since I haven't seen 
(m)any reports about running Coreboot with a Core2Quad Mobile w/o microcode 
updates (The Libreboot docs even state that these CPUs are incompatible), I 
only wanted to report that for me it seems not to crash badly on booting or 
compiling. No more than that.

Cheers, Daniel


[1] https://libreboot.org/docs/install/t500_external.html#cpu_compatibility


On Mon, 09 Jan 2017 11:40:33 -0600
Timothy Pearson  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On 01/09/2017 11:36 AM, ron minnich wrote:
> > 
> > 
> > On Mon, Jan 9, 2017 at 8:23 AM taii...@gmx.com 
> > > wrote:
> > 
> > On 01/08/2017 06:50 PM, Daniel Kulesz via coreboot wrote:
> > 
> > > Hi,
> > >
> > > for the record: I had the Q9000 (not Q9100) running in my Thinkpad
> > T500 for a few weeks now without microcode updates and did not
> > encounter any issues so far.
> > 
> > 
> > absence of proof is not proof of absence. 
> > 
> 
> I would personally be very wary of running Intel CPUs without microcode
> updates.  Intel relies heavily on that "patch after ship" feature to
> iron out serious bugs (i.e. privilege escalation) in their hardware.
> 
> - -- 
> Timothy Pearson
> Raptor Engineering
> +1 (415) 727-8645 (direct line)
> +1 (512) 690-0200 (switchboard)
> https://www.raptorengineering.com
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJYc8sOAAoJEK+E3vEXDOFb/YwH/AqhMYlwtUsEAOVAg1dRmGss
> wld98lITvh9gRv2vDPUxNrA8S2rhV8gE6OyQLn8EskyTRMNl8Wts9HR9gVBgPDO2
> +mk6CQTVbWy7CBT4MZmGsJfx61KT+5valJCvH63RVciLPIY4v97w2KVPn1FE7IqN
> AlCPBZDuxvVvBbRFKepygb9v75Nse6yGt1f7DHdwasAOnKGxEr+kSqMDjCNIM7D7
> p4Sh5u8WzBT/3+fYm4jViskZrPhKdlo6LLQcggrlurPeAItvccm3acULGkE2FeRD
> +R/Y984vIaS+qlGfkh+Es8Xo4xbeXDJQzIruifN4unOD295txwsFdJ/muSXYpsk=
> =eXl1
> -END PGP SIGNATURE-



-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Timothy Pearson]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/09/2017 11:36 AM, ron minnich wrote:
> 
> 
> On Mon, Jan 9, 2017 at 8:23 AM taii...@gmx.com 
> > wrote:
> 
> On 01/08/2017 06:50 PM, Daniel Kulesz via coreboot wrote:
> 
> > Hi,
> >
> > for the record: I had the Q9000 (not Q9100) running in my Thinkpad
> T500 for a few weeks now without microcode updates and did not
> encounter any issues so far.
> 
> 
> absence of proof is not proof of absence. 
> 

I would personally be very wary of running Intel CPUs without microcode
updates.  Intel relies heavily on that "patch after ship" feature to
iron out serious bugs (i.e. privilege escalation) in their hardware.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJYc8sOAAoJEK+E3vEXDOFb/YwH/AqhMYlwtUsEAOVAg1dRmGss
wld98lITvh9gRv2vDPUxNrA8S2rhV8gE6OyQLn8EskyTRMNl8Wts9HR9gVBgPDO2
+mk6CQTVbWy7CBT4MZmGsJfx61KT+5valJCvH63RVciLPIY4v97w2KVPn1FE7IqN
AlCPBZDuxvVvBbRFKepygb9v75Nse6yGt1f7DHdwasAOnKGxEr+kSqMDjCNIM7D7
p4Sh5u8WzBT/3+fYm4jViskZrPhKdlo6LLQcggrlurPeAItvccm3acULGkE2FeRD
+R/Y984vIaS+qlGfkh+Es8Xo4xbeXDJQzIruifN4unOD295txwsFdJ/muSXYpsk=
=eXl1
-END PGP SIGNATURE-

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[ron minnich]

On Mon, Jan 9, 2017 at 8:23 AM taii...@gmx.com  wrote:

On 01/08/2017 06:50 PM, Daniel Kulesz via coreboot wrote:

> Hi,
>
> for the record: I had the Q9000 (not Q9100) running in my Thinkpad T500
for a few weeks now without microcode updates and did not encounter any
issues so far.


absence of proof is not proof of absence.
-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[taii...@gmx.com]

On 01/08/2017 06:50 PM, Daniel Kulesz via coreboot wrote:


Hi,

for the record: I had the Q9000 (not Q9100) running in my Thinkpad T500 for a 
few weeks now without microcode updates and did not encounter any issues so far.

Cheers, Daniel


On Sat, 12 Nov 2016 12:25:18 -0500
"taii...@gmx.com"  wrote:


It varies as per CPU revision, some have newer/older onboard microcode
than others.

You won't know until you try it, or someone else with the exact same cpu
model/revision posts back (might take a long time)

I would check the errata spec sheet to see if there is anything bad that
is addressed by later microcode updates post-your cpus onboard version.
On 11/12/2016 07:12 AM, Daniel Kulesz via coreboot wrote:

Hi,

I am considering upgrading my Coreboot'ing Thinkpad T500 with a Core2Quad 
Mobile Q9100 [1] (which requires some hardware modifications but is doable). My 
question is: Does this CPU require the microcode updates or will it run 
without? Practical experience from someone running this or a simular CPU from 
the same family (Q9000, Q9300) would be appreciated!

Cheers, Daniel

[1] 
http://ark.intel.com/products/37033/Intel-Core2-Quad-Processor-Q9100-12M-Cache-2_26-GHz-1066-MHz-FSB

Just because you appear to have no problems doesn't mean they aren't 
there, see the opteron 63xx microcode bug from a year ago that allowed 
programs to obtain root.


--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

Re: [coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Daniel Kulesz via coreboot]

Hi,

for the record: I had the Q9000 (not Q9100) running in my Thinkpad T500 for a 
few weeks now without microcode updates and did not encounter any issues so far.

Cheers, Daniel


On Sat, 12 Nov 2016 12:25:18 -0500
"taii...@gmx.com"  wrote:

> It varies as per CPU revision, some have newer/older onboard microcode 
> than others.
> 
> You won't know until you try it, or someone else with the exact same cpu 
> model/revision posts back (might take a long time)
> 
> I would check the errata spec sheet to see if there is anything bad that 
> is addressed by later microcode updates post-your cpus onboard version.
> On 11/12/2016 07:12 AM, Daniel Kulesz via coreboot wrote:
> > Hi,
> >
> > I am considering upgrading my Coreboot'ing Thinkpad T500 with a Core2Quad 
> > Mobile Q9100 [1] (which requires some hardware modifications but is 
> > doable). My question is: Does this CPU require the microcode updates or 
> > will it run without? Practical experience from someone running this or a 
> > simular CPU from the same family (Q9000, Q9300) would be appreciated!
> >
> > Cheers, Daniel
> >
> > [1] 
> > http://ark.intel.com/products/37033/Intel-Core2-Quad-Processor-Q9100-12M-Cache-2_26-GHz-1066-MHz-FSB
> >
> 

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot

[coreboot] Does the Core2Quad Mobile Q9100 require microcode updates?

[Daniel Kulesz via coreboot]

Hi,

I am considering upgrading my Coreboot'ing Thinkpad T500 with a Core2Quad 
Mobile Q9100 [1] (which requires some hardware modifications but is doable). My 
question is: Does this CPU require the microcode updates or will it run 
without? Practical experience from someone running this or a simular CPU from 
the same family (Q9000, Q9300) would be appreciated!

Cheers, Daniel

[1] 
http://ark.intel.com/products/37033/Intel-Core2-Quad-Processor-Q9100-12M-Cache-2_26-GHz-1066-MHz-FSB

-- 
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot