I found Intel's document (https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf) about microcode updates for CPUs vulnerable to Spectre variant 2 and 3a. There is a column described as "OS Update for Q2". What does it mean?
Specifically, I want to know if Microsoft is going to release a Windows 10 microcode update for Apollo Lake processors.
Q2 means releasing in the 2nd quarter, like between May 2018 and August 2018.
Moreover, Intel will release microcode in the form of a .bin file; it will be updated via Linux OS. We normally use Microsoft Windows, so microcode will be applied through a Windows Update .msu.
Windows Update is temporary only, but the permanent solution will be in the form of a BIOS; the BIOS will be released through the OEM.
I have a Kaby Lake U processor; I am also expecting new microcode.
raju2512. If you have Windows 10 with the 1803 update then you can get the KB4100347 patch (https://support.microsoft.com/en-us/help/4100347/intel-microcode-updates-for-windows-10-version-1803...) from the Windows Update Catalog (https://www.catalog.update.microsoft.com/search.aspx?q=4100347). That will update mcupdate_genuineintel.dll inside Windows 10, which will provide microcode for the Kaby Lake U CPU (version 84h) with mitigation for Spectre Variant 2. In the future there will probably be an update to the newest 8Eh version (Spectre variant 3a). Even so, there isn't any microcode for the Apollo Lake CPU there.
I know that Intel provides packages with microcode updates for Linux OS (https://downloadcenter.intel.com/download/27945/Linux-Processor-Microcode-Data-File?product=87465). Inside the newest edition (7/3/2018) there is microcode version 2Ch for Apollo Lake CPUs, dated 3/25/2017. That's not even covering Spectre Variant 2 (version 2Eh). Not to mention Spectre Variant 3a (version 32h).
I don't see these updates as temporary because many computers will never get BIOS updates.
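Added example, not part of the original posts: a check of the microcode revision Linux reports in /proc/cpuinfo against the Apollo Lake revision levels quoted in the post above (2Ch, 2Eh, 32h). The sample input is constructed, the function and table names are hypothetical, and the code assumes that a higher revision includes the mitigations of a lower one.

```python
# Apollo Lake revision levels as quoted in the forum post above
# (assumption: taken from the post, not from an Intel reference table).
APOLLO_LAKE_LEVELS = [
    (0x32, "Spectre variant 2 and 3a"),
    (0x2E, "Spectre variant 2"),
]

# Constructed sample: two logical CPUs, both still on revision 2Ch.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Example Apollo Lake CPU (constructed)
microcode\t: 0x2c

processor\t: 1
model name\t: Example Apollo Lake CPU (constructed)
microcode\t: 0x2c
"""

def parse_cpuinfo(text):
    """Return {logical_cpu: microcode_revision} from /proc/cpuinfo text."""
    revisions, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
        elif key == "microcode" and current is not None:
            revisions[current] = int(value, 16)
    return revisions

def assess(revisions, levels=APOLLO_LAKE_LEVELS):
    """Judge the machine by its lowest revision; flag mismatched cores."""
    if not revisions:
        raise ValueError("no microcode field found")
    lowest = min(revisions.values())
    coverage = "none of the listed mitigations"
    for minimum, label in levels:  # levels are ordered highest first
        if lowest >= minimum:
            coverage = label
            break
    consistent = len(set(revisions.values())) == 1
    return {"lowest": lowest, "consistent": consistent, "coverage": coverage}

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            print(assess(parse_cpuinfo(fh.read())))
    except (OSError, ValueError):
        print(assess(parse_cpuinfo(SAMPLE_CPUINFO)))
```

A result with `consistent` set to False means the logical CPUs report different revisions, so the lowest one decides the coverage.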
Thanks for the information. I downloaded the previous microcode from the Microsoft catalog website after it was released and patched it into the running Windows OS, in the last month itself.
Moreover, I already have a total of 11 Windows updates in install.wim; my customized install.wim is fully patched.
No one knows the answer for that question? I'm pretty sure that Q2 doesn't mean end of July.
The whole thing with those CPU microcodes doesn't fit the 'Security First' pledge. But what can I know? Right?
In general, Intel is delivering the microcode updates in a timely fashion. Yes, there have been hiccups, but their processes are improving. It is then up to the board manufacturers to integrate these updates into their BIOS releases. If they won't do it, despite the pressure that Intel has been putting on them, then the only answer is for the folks doing the purchasing to apply more pressure. Hitting them in the pocketbook is the only way to change their attitudes. Folks should not purchase boards from manufacturers who will not deliver support for their older boards. The next time you purchase a board from Asus, MSI, Gigabyte, Foxconn, etc., ask them how many years of BIOS support will they provide for this board. If the answer is not a significant number of years, then don't buy their product; it's really that simple.
I agree with the "temporary" categorization regarding the inclusion of microcode updates in O/S releases. Why? Well, only microcode updates applied by the BIOS can address errata that might affect the processor's ability to boot an O/S. When you look at this from a security standpoint and include vulnerabilities to attack vectors (including the many aspects of Spectre), the statement becomes one of the processor's ability to securely boot an O/S. Attacks during the O/S load and O/S initialization processes are certainly possible. Having microcode loaded at the O/S level is thus somewhat akin to closing the gate after the horses have escaped; it simply isn't a complete or "permanent" answer. Only having the microcode applied at the BIOS level will truly allow these attack vectors to be properly closed.
Off my soapbox,
Thanks for answering. Even if I agree to disagree.
Generally I'm baffled why Intel hasn't published new versions of microcode for all CPUs in a timely fashion. I gave an example in my answer to raju2529: "inside the newest edition (7/3/2018) there is a microcode version 2Ch for Apollo Lake CPUs dated as 3/25/2017".
It is irritating for me personally because I suppose that this is the reason why Microsoft hasn't incorporated into its update mechanism many microcodes that have been available to OEMs for many months now.
If you don't want to continue the discussion, you might not answer this.
Why do I think that a BIOS update isn't a feasible solution for microcode updates? Because PCs older than 2-3 years won't get it. What's more, a great number of users won't update their PC's BIOS even if one is prepared for their hardware.
As to Secure Boot. The Spectre vulnerability isn't of the exploit type. Even if it were, during initial startup the CPU should only run signed code. You must break that protection first. AFAIK Spectre and Meltdown don't allow that. But a rogue BIOS update might.
But in general you are right. Microcode updates addressing vulnerabilities should be loaded as soon as possible. That means by a BIOS/EFI.
Intel has a large team that is working on microcode updates. While I have no insights into how this team is operating (I am retired), I would guess that microcode updates are being prioritized by customer impact. Yes, this may mean that there are folks who don't see updates as rapidly as they would like. As for timing, after the original fiasco (my characterization), Intel has taken a stance wherein microcode is not released until it has been fully validated by not only Intel but also by major OEMs and MNCs. What else is there to say? You cannot please everyone -- and there are a lot of pinheads out there that simply do not understand how much work is involved in this process. Intel cannot spin on a dime -- not and deliver as flawless a product as we would like to see.
I stand by my statement. If a board vendor will not provide BIOS updates for security issues for a significantly longer period of time (6 years minimum, but I would prefer it to be 10 years), then they are simply not going to be *MY* board vendor. Frankly, the quality of BIOS product and especially support provided by the big three board vendors (Asus, MSI and Gigabyte) is simply deplorable. As for the major MNCs, I will *NEVER* purchase any Dell's or HP's trash. Look, unless we the customers stand up for ourselves, we are not going to see any change. Wake up, don't let them call the tune!
Please do not interchange the BIOS and UEFI terms. UEFI is nothing but a framework from which a BIOS can be developed.
N.Scott.Pearson, one of my PCs is a NUC6CAYS with the most recent BIOS (27/6/2018) and it has the newest microcode for Apollo Lake (version 32h). I'm not sure if I'm not a beta tester.
The problem is with my other device with the same SoC, in which case the OEM just doesn't give a damn. I don't want to mention the name because it is some China brand and I should have known better. I bought that miniPC before Intel released such an affordable device.
I didn't check every brand, but the expectation of a BIOS update for a 6-year-old product is rather far-fetched. I also have a PC with an Intel Haswell gen CPU on an ASUS motherboard with the Z87 chipset. Maybe it will get a BIOS update, but it didn't seem so a month ago when I last checked ASUS's list (https://www.asus.com/News/V5urzYAT6myCC1o2), which at that time didn't even include X99 or Z97 motherboards. Those are about four years old (Q2'14) and they are high-end hardware. Other ASUS motherboards from that time frame and beyond didn't get a BIOS update.
As of 8th August, all microcodes for Linux have been released. Thank you.
Now we only wait for Microsoft to update their KB4100347 patch.
https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File?product=873 Download Linux* Processor Microcode Data File