
what does SA-00086 Intel Detection Tool do ?

JOver1
Beginner
2,420 Views

Can anyone tell me what the SA-00086 Intel Detection tool actually does ?

Does it ?

1) Only test the processor to see if it is one of the many processors on a long listing of processors which are vulnerable to the Meltdown and Spectre threats.

2) Show the actual (fixed/mitigated or not fixed/not-mitigated) status of the detected processor to the Meltdown and Spectre threats.

I have been unable to get a clear answer to this question from either my computer manufacturer, Dell, or from Intel.

I have applied all currently available kernel updates to my operating system (Linux Mint) and the detection tool still says that my processor is VULNERABLE.

Thanks.

0 Kudos
11 Replies
GMest
Beginner
1,202 Views

It does test for vulnerabilities found in the Intel Management Engine and is a different/additional security issue to the later published CPU architecture related Spectre or Meltdown vulnerabilities.

0 Kudos
JOver1
Beginner
1,202 Views

Win7ine:

Can you refer me to your source for the different/additional security issues.

I read the bulletin related to SA-00086, and unless I missed it, I saw no references to anything other than Meltdown and Spectre.

If it is for different/additional security issues, is there a detection test which is strictly for the Meltdown and Spectre issues ?

Thanks.

0 Kudos
GMest
Beginner
1,202 Views

If you are running Windows, yes there is a MS Powershell Script which will test for Spectre and Meltdown.

Temporarily set PowerShell script execution policy:

PS> Set-ExecutionPolicy Unrestricted -Scope Process -Force

Install the PowerShell module:

PS> Install-Module SpeculationControl -Force

Run the PowerShell module to validate protections are enabled:

PS> Get-SpeculationControlSettings
0 Kudos
JOver1
Beginner
1,202 Views

I am NOT using MS windows.

I am using Linux Mint version 18.3.

Isn't the utility (Linux version) listed on the SA-00086 bulletin supposed to be used to test for the Meltdown and Spectre vulnerabilities ?

According to my best guess reading of the bulletin, what it is referring to are the Meltdown and Spectre vulnerabilities even though it does not specifically call them by name.

I just got thru applying today's Intel microcode update 3.20180108 thru Linux Mint update manager and after doing so and rebooting the SA-00086 Linux Intel Detection Tool STILL says that my processor is VULNERABLE. I looked in Driver Manager and yes, the microcode is showing the 2018 version.

Thanks.

0 Kudos
n_scott_pearson
Super User
1,202 Views

NO!

The SA-00086 bulletin refers to the vulnerability identified in the Intel Management Engine. To address this vulnerability, you will need a BIOS update that provides the new Intel Management Engine firmware.

It is the SA-00088 bulletin that refers to the Meltdown and Spectre vulnerabilities in the processors. To address these vulnerabilities, you need a BIOS update that provides the latest microcode for your processor as well as the latest OS updates for these vulnerabilities.

BIOS updates come from your board manufacturer; they DO NOT come from Intel. Yes, it's true that Linux can also install the latest microcode, but the absolute best place for this to happen is during BIOS POST.

...S

0 Kudos
JOver1
Beginner
1,202 Views

Is there an Intel processor detection tool for SA-00088 ?

I have been to Intel's download site (also Googled it) and searched for SA-00088 processor detection tool and I find nothing - am I missing it ?

So far, I have not been able to get an answer from Dell as to whether a BIOS will be offered to fix these problems, does that likely mean that I am going to be up-the-creek-without-a-paddle ? I have the latest BIOS version A17 - June 2017 vintage already installed. Yes, I know that these are more recently discovered problems.

I have applied Linux Mint kernel updates, applied today's Intel microcode update, does this likely mean that I have the problems mitigated - but how to know for sure if there is no detection tool ?

Thanks.

0 Kudos
n_scott_pearson
Super User
1,202 Views

If there is a tool, you will find it through here: Facts about The New Security Research Findings and Intel Products (https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html).

As for BIOS updates, it may take the manufacturers some time to make the updates available. Patience Grasshopper!

...S

0 Kudos
JOver1
Beginner
1,202 Views

Thanks for the link but I had pretty much gone over that one and I can see no info regarding a detection tool there.

And had already read the computer listing and particular Dell model's listing and if that is a comprehensive listing, then it is like I have suggested that I (and many others) are going to be SOL.

It would really be nice if Intel could plainly post a detection tool for these problems so that one would not have to search all over creation to try to find it.

Bad thing is that there is possibility that applying the Linux kernel updates and the microcode update MAY have fixed the problems but with no way to know for sure suppose I will just have to cross my fingers and hope that hackers are so busy with other things that they don't have time to fool with my little old computer.

Dell has already sort of indicated to me that they have no real great concerns as to if, when or whether a BIOS is offered to fix this for a Dell Optiplex model 980, if you do not purchase a new computer from these companies every year or two, it is no skin off their teeth, quite to the contrary this may be just more money in their pockets a year or two from now when computer sales go up. I know that MS$ users may need to purchase a new computer every year or so but that is not true for Linux users.

I will keep looking for Intel detection tool but at this point I have very little confidence that I am going to find one.

Thanks.

0 Kudos
JOver1
Beginner
1,202 Views

Well, I think I finally found it. Boy, that was like hunting hen's teeth !!!

However, it does not appear to me that it has much relationship to Intel.

Found it at this link due to a post that someone made on Linux Mint forums:

https://github.com/speed47/spectre-meltdown-checker/blob/master/README.md

It says that my Meltdown has been mitigated but that the Spectre is still a problem. Which is exactly what someone had suggested on Linux Mint forums earlier.

Hope the other owners of old no longer under warranty systems might happen to find this post because both Intel and Dell were of zero help in finding this.

Now to wait for a fix for Spectre.

Thanks.

0 Kudos
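
Added example (not part of the original thread, and not Intel's or the spectre-meltdown-checker project's code): Linux kernels that expose /sys/devices/system/cpu/vulnerabilities report Meltdown and Spectre status themselves, and this sh script summarises those entries together with the loaded microcode revision. The function names and the --run switch are assumptions of this example; it says nothing about SA-00086 (Management Engine firmware), which needs the separate Intel tool.

```shell
#!/bin/sh
# Added example: summarise the kernel's own view of Meltdown/Spectre status.
# VULN_DIR is the kernel's sysfs reporting directory; kernels that predate
# this interface do not have it, which is reported as exit status 2.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> one line per entry: "<name> <class> <raw kernel text>"
# Returns 0 if every entry is mitigated or not affected, 1 if any entry is
# vulnerable or unrecognised, 2 if DIR is missing.
report_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no vulnerability reporting in $dir" >&2; return 2; }
    worst=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        printf '%s %s %s\n' "$(basename "$f")" "$class" "$raw"
        case "$class" in vulnerable|unknown) worst=1 ;; esac
    done
    return $worst
}

# microcode_revision [FILE] -> revision of the microcode the CPU is running,
# taken from the "microcode" field of /proc/cpuinfo (x86).
microcode_revision() {
    awk -F': ' '/^microcode/ {print $2; exit}' "${1:-/proc/cpuinfo}"
}

# Query the live system only when invoked as: sh <script> --run
if [ "${1:-}" = "--run" ]; then
    report_dir "$VULN_DIR"
    echo "microcode: $(microcode_revision)"
fi
```

A "mitigated" line for meltdown next to a "vulnerable" line for spectre_v2 matches the split result described in the post above.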
JOver1
Beginner
1,202 Views

Now back to work.

Now that the Meltdown and Spectre are solved or at least partly so, need to find out what to do about vulnerability revealed by Intel detection tool for SA-00086 - Intel Management Engine.

Is the problem with Intel Management Engine the fact that the version of this needs to be updated, i.e. a BIOS update or is it a problem with the way the IME is currently configured or is the problem that the IME just needs to be DISABLED instead of being enabled ?

Also, am I understanding correctly that the purpose of this IME is used by system administrators to allow themselves to remotely control the client machines on the network ?

Thanks.

0 Kudos