Re: Status of Intel-related vulnerabilities and bugs?

[Henrique de Moraes Holschuh]

On Tue, 10 Apr 2018, Niclas Arndt wrote:
> 1. Can the latest microcode updates still in stretch-backports be
> trusted to run properly by now?
> https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

Yes, these microcode updates are stable.

The same might or might not be true for your kernel when it activates
the new codepaths to support IBPB and IBRS (the new functionality added
by the Spectre-related microcode updates), though.  This is the reason
we are waiting for at least one extra month yet before we push them to
Debian stable and oldstable.

If the kernel malfunctions on the new microcode, boot with "noibpb"
and/or "noibrs" to disable the new codepaths.

-- 
  Henrique Holschuh

Status of Intel-related vulnerabilities and bugs?

[Niclas Arndt]

Hello,

I'm trying to get my head around all the recent Intel-related vulnerabilities 
and bugs and what they mean for the practical usefulness of my not-so-old and 
still under warranty motherboards in the role of a secure Debian internet 
server.

I have spent quite some time googling for both information about the technical 
problems and also what the motherboard manufacturers have done and plan to do 
about it.

It seems that many have rolled out BIOS updates for their 100-300 and x99-299 
series motherboards (Intel Management Engine (IME), hyperthreading, and Spectre 
variant 2).

For older motherboards there is a lot more uncertainty. ASRock (but not 
Gigabyte, ASUS, nor MSI) has released H97 / Z97 BIOS updates to Haswell CPU 
Microcode revision 24 and Broadwell revision 1D, but no update for IME. 
Gigabyte hasn't responded to my support request regarding their plans for 
97-series and older motherboards.

I have applied the Linux "microcode updated early" firmware from 
stretch-backports (https://wiki.debian.org/Microcode), but that leaves me with 
a few questions:

1. Can the latest microcode updates still in stretch-backports be trusted to 
run properly by now?
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

2. What is really the deal with IME on pre 100-series motherboards? According 
to the "GIGABYTE Intel ME Critical FW Update Utility" there is "no need" to 
update my H97N-WIFI motherboards, but the "Intel-SA-00086 Detection Tool" says 
my Windows 7 machine is vulnerable. Some sources claim that certain consumer 
motherboards are indeed vulnerable to the IME holes. As far as I understand, 
the H97 and Z97 chipsets don't have vPro support (which I suppose means that 
AMT is not implemented?), but some motherboards were instead designed with 
Intel Small Business Advantage (SBA). For example, the Gigabyte H97N-WIFI / 
Z97N-WIFI boards have SBA support, but the ASRock H97E-ITX/ac / Z97E-ITX/ac 
don't, but does this mean that the Gigabyte boards are vulnerable but not the 
ASRock boards?
https://www.gigabyte.com/Support/Utility/Motherboard#mefw
https://www.intel.com/content/www/us/en/support/articles/25619/software.html

3. Assuming that the H97 / Z97 motherboards with SBA are vulnerable to the IME 
hole, what can be done to prevent exploits?

4. Has Microsoft decided only to apply their equivalent of the "microcode 
updated early" firmware to the latest version of Windows 10, leaving the still 
supported Windows 7 and 8.x with the Spectre 2 security hole?

Grateful for your input.

BR

Niclas