• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 83
  • Last Modified:

Ways to load microcode updates at runtime on Windows

I am looking for admins who know a way to update the CPU microcode at runtime to enable Windows to use protective measures against Spectre 2.

I am aware that, apart from having microcode updates delivered by the mainboard or system manufacturers, and apart from waiting for Microsoft to release further versions of their own patches (https://support.microsoft.com/en-us/help/4093836/summary-of-intel-microcode-updates), some people are using this fling: https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver. But apparently, even on systems that indicate the microcode got updated successfully, and even though the microcode used was the most recent one and Intel confirmed its suitability, the PowerShell cmdlet Get-SpeculationControlSettings says "Hardware support for branch target injection mitigation is not present".

So is there another way that you know of?
0
Asked by: McKnife
1 Solution
 
John (Business Consultant, Owner) commented:
Windows can do some updates, but BIOS updates (what you are talking about) need to be done by the manufacturer's update routine.

At least right now, in 2018, BIOS and chipset updates need to be done alongside Windows Update to protect against the Meltdown threats.
0
 
John (Business Consultant, Owner) commented:
I should have added in my post above: BIOS updates are only for host machines (the hardware). Virtual machines use the host infrastructure and do not need BIOS upgrades on the VM.

Then, as I said above, BIOS updates for host machines (hardware) need to be done by the manufacturer's update routine.
0
 
McKnife (Author) commented:
Hi.

That is nothing new to me. Maybe I should clue you in a little more: the discussion over at VMware, which took place this year, included posts from people who said that the VMware tool (the "fling") helped them make their CPU usable by the Windows patch. There is a user, akarkkai, saying that after using the fling, the output of the PowerShell cmdlet Get-SpeculationControlSettings is "BTIHardwarePresent : True".

That made me believe (at least if we can trust that akarkkai guy) that the fling can use the new Intel microcode and make the CPUs ready to use Microsoft's patch at runtime. I tried it and could verify that the microcode is indeed changed on test machines here (verified using SiSoft Sandra), but still, the patch is not usable; not even "BTIHardwarePresent : True" appears as it did for others. So the new and patched microcode is loaded, but somehow cannot be recognized by the Get-SpeculationControlSettings cmdlet and presumably will not work together with Microsoft's patch. This is discussed at length over at VMware. So the question was about that aspect and not about the basics, which should be common knowledge for security-aware folks by now.
1
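Added example (not part of the thread, and not the fling's or Microsoft's code): a PowerShell check that reads the microcode revision Windows recorded for CPU 0 from the registry, reads the mitigation override policy, and lines both up with the Get-SpeculationControlSettings output, so the "microcode changed but BTIHardwarePresent stays False" state described above shows up in one object. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl) and that the session is elevated; the function names and the verdict wording are mine, and the assumption about the byte layout of the REG_BINARY revision values is marked in the code. The usual explanation for the state in this thread is that the kernel evaluates the CPUID mitigation bits early in boot, so microcode loaded later by a runtime driver is not reflected in what the cmdlet reports; the check below makes that gap visible but does not close it.

```powershell
# Added example, not code from the thread. Requires: Install-Module SpeculationControl
# and an elevated session. Function names are my own.

function Get-MicrocodeRevision {
    # Read the microcode revision the kernel recorded for one logical CPU.
    # To my knowledge these values are populated at boot from the microcode
    # signature MSR, so a revision loaded later by a runtime loader (such as
    # the VMware fling) is not expected to show up here until the next boot.
    param([int]$Cpu = 0)

    $key = "HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\$Cpu"
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # 'Update Revision' / 'Previous Update Revision' are 8-byte REG_BINARY values.
    # Assumption: on Intel the revision sits in the upper 32 bits (bytes 4..7,
    # little-endian), matching what IA32_BIOS_SIGN_ID (MSR 0x8B) reports.
    $toRev = {
        param([byte[]]$b)
        if ($b -and $b.Length -ge 8) { [BitConverter]::ToUInt32($b, 4) } else { $null }
    }
    $cur  = & $toRev $p.'Update Revision'
    $prev = & $toRev $p.'Previous Update Revision'

    [pscustomobject]@{
        Cpu              = $Cpu
        Processor        = $p.ProcessorNameString
        Identifier       = $p.Identifier
        CurrentRevision  = $(if ($null -ne $cur)  { '0x{0:X}' -f $cur }  else { 'n/a' })
        PreviousRevision = $(if ($null -ne $prev) { '0x{0:X}' -f $prev } else { 'n/a' })
        UpdateStatus     = $p.'Update Status'
    }
}

function Test-Spectre2State {
    # Combine the recorded microcode revision, the registry override policy
    # (KB4072698) and what the OS thinks about branch target injection (BTI)
    # mitigation support.
    $mc = Get-MicrocodeRevision -Cpu 0

    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm    = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue

    # -Quiet suppresses the cmdlet's printed report; drop the switch if your
    # module version does not have it.
    $sc = Get-SpeculationControlSettings -Quiet

    $result = [pscustomobject]@{
        Processor                      = $mc.Processor
        MicrocodeRevision              = $mc.CurrentRevision
        PreviousMicrocodeRevision      = $mc.PreviousRevision
        FeatureSettingsOverride        = $mm.FeatureSettingsOverride
        FeatureSettingsOverrideMask    = $mm.FeatureSettingsOverrideMask
        BTIHardwarePresent             = $sc.BTIHardwarePresent
        BTIWindowsSupportPresent       = $sc.BTIWindowsSupportPresent
        BTIWindowsSupportEnabled       = $sc.BTIWindowsSupportEnabled
        BTIDisabledBySystemPolicy      = $sc.BTIDisabledBySystemPolicy
        BTIDisabledByNoHardwareSupport = $sc.BTIDisabledByNoHardwareSupport
    }

    # Interpret the combination the thread is about (wording is mine).
    $verdict =
        if ($sc.BTIHardwarePresent -and $sc.BTIWindowsSupportEnabled) {
            'BTI mitigation active: CPU advertises support and the OS mitigation is enabled.'
        } elseif ($sc.BTIHardwarePresent) {
            'CPU advertises BTI support but the OS mitigation is not enabled; check the Windows update level and FeatureSettingsOverride.'
        } elseif ($mc.CurrentRevision -ne $mc.PreviousRevision) {
            'Microcode was updated at boot, yet the OS reports no hardware BTI support; this revision does not expose the needed CPUID bits to Windows.'
        } else {
            'No hardware BTI support recorded; a microcode image loaded early in boot (BIOS or Microsoft-delivered update) is needed, not a runtime loader.'
        }

    $result | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

Test-Spectre2State | Format-List
```

Run it once before and once after loading microcode with a runtime driver: if MicrocodeRevision is unchanged while a tool such as Sandra shows the new revision, that is the boot-time snapshot the kernel works from, and the BTI fields are not expected to change until the microcode is applied during boot.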
 
McKnife (Author) commented:
Two days ago, Microsoft updated their updates (refresh release), and now Haswell as well as Broadwell CPUs are protected against Spectre 2, which leaves me with some Intel Core gen2 and gen3 architecture oldies... but these will get some updates, too, at least Ivy Bridge.
0
 
McKnife (Author) commented:
It seems no one but me really cares. Since Microsoft themselves use runtime microcode updating, it is surely possible and should have been a way for me to patch older CPUs before Microsoft had issued their updates (which, although already tested by Intel, seem to be thoroughly tested again by Microsoft). Never mind, I will have to wait.
0
 
McKnife (Author) commented:
As outlined: no one here is experienced with it. Since googling reveals the same, the question should be archived for those who ask the same.
0
Question has a verified solution.