Hello,

I'm trying to get my head around all the recent Intel-related vulnerabilities
and bugs and what they mean for the practical usefulness of my not-so-old and
still under warranty motherboards in the role of a secure Debian internet
server.

I have spent quite some time googling for both information about the technical
problems and also what the motherboard manufacturers have done and plan to do
about it.

It seems that many have rolled out BIOS updates for their 100-300 and x99-299
series motherboards (Intel Management Engine (IME), hyperthreading, and Spectre
variant 2).

For older motherboards there is a lot more uncertainty. ASRock (but not
Gigabyte, ASUS, nor MSI) has released H97 / Z97 BIOS updates to Haswell CPU
Microcode revision 24 and Broadwell revision 1D, but no update for IME.
Gigabyte hasn't responded to my support request regarding their plans for
97-series and older motherboards.

I have applied the Linux "microcode updated early" firmware from
stretch-backports (https://wiki.debian.org/Microcode), but that leaves me with
a few questions:

1. Can the latest microcode updates still in stretch-backports be trusted to
run properly by now?
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

2. What is really the deal with IME on pre-100-series motherboards? According
to the "GIGABYTE Intel ME Critical FW Update Utility" there is "no need" to
update my H97N-WIFI motherboards, but the "Intel-SA-00086 Detection Tool" says
my Windows 7 machine is vulnerable. Some sources claim that certain consumer
motherboards are indeed vulnerable to the IME holes. As far as I understand,
the H97 and Z97 chipsets don't have vPro support (which I suppose means that
AMT is not implemented?), but some motherboards were instead designed with
Intel Small Business Advantage (SBA). For example, the Gigabyte H97N-WIFI /
Z97N-WIFI boards have SBA support, but the ASRock H97E-ITX/ac / Z97E-ITX/ac
don't. Does this mean that the Gigabyte boards are vulnerable but not the
ASRock boards?
https://www.gigabyte.com/Support/Utility/Motherboard#mefw
https://www.intel.com/content/www/us/en/support/articles/25619/software.html

3. Assuming that the H97 / Z97 motherboards with SBA are vulnerable to the IME
hole, what can be done to prevent exploits?

4. Has Microsoft decided only to apply their equivalent of the "microcode
updated early" firmware to the latest version of Windows 10, leaving the still
supported Windows 7 and 8.x with the Spectre 2 security hole?

Grateful for your input.

BR
Niclas
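
An added example, not part of the original message: a shell check that reads the microcode revision the running kernel reports and the kernel's own Spectre v2 status, to confirm that an early-loaded microcode package actually took effect. The function names and the sample data are constructed, and the minimum of 0x24 assumes the "revision 24" quoted above is hexadecimal, as the kernel prints it.

```shell
#!/bin/sh
# Added example (not from the original message): report the microcode revision
# the kernel sees and compare it with an expected minimum.

# Print the microcode revision of the first CPU listed in a cpuinfo-format file.
microcode_rev() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed if revision $1 is at least $2 (both hex with a 0x prefix).
rev_at_least() {
    [ -n "$1" ] && [ $(( $1 )) -ge $(( $2 )) ]
}

# Print the kernel's own Spectre v2 assessment, if it exposes one.
spectre_v2_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# One-line verdict for a cpuinfo file ($1) against a minimum revision ($2).
check_microcode() {
    rev=$(microcode_rev "$1")
    if rev_at_least "$rev" "$2"; then
        echo "OK: running $rev, expected at least $2"
    else
        echo "STALE: running ${rev:-none reported}, expected at least $2"
        return 1
    fi
}

# Constructed sample in /proc/cpuinfo format (not captured from a real host).
sample=$(mktemp)
printf 'processor\t: 0\nmodel name\t: constructed Haswell sample\nmicrocode\t: 0x22\n' > "$sample"

# Assumption: "revision 24" means 0x24, the form the kernel prints.
check_microcode "$sample" 0x24 || true
echo "spectre_v2: $(spectre_v2_status)"
# On a live system: check_microcode /proc/cpuinfo 0x24
```

On a real host the same comparison runs against /proc/cpuinfo, and the sysfs file only exists on kernels that carry the Spectre reporting patches.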