<div dir="ltr"><div><div><div><div><div><div><div><div><br><br></div>In the meantime I've decided to go in the following direction:<br></div>1. install intel microcode onto my ubuntu box<br></div> the result is:<br> x220$ $ dmesg | grep microcode<br> [ 0.000000] microcode: microcode updated early to revision 0x2d, date = 2018-02-07<br> [ 0.881361] microcode: sig=0x206a7, pf=0x10, revision=0x2d<br> [ 0.881406] microcode: Microcode Update Driver: v2.2.<br><br></div><div> this version is exactly the same as the newest one from CPU microcodes.<br><br></div>2. shrink my current version of me.bin (year 2011) to 80kb + set disable bit. There are newer me.bin, but I've decided not to use them.<br></div>3. update coreboot git repo and build it.<br><br></div>I experience some slight problem with it, but this does not affect qhestion from this thread, tus I'll open a new one.<br><br></div>thank You for the help<br></div>regards,<br><div><div><div><div><br><div><div><br></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 26, 2018 at 12:17 PM, diffusae via coreboot <span dir="ltr"><<a href="mailto:coreboot@coreboot.org" target="_blank">coreboot@coreboot.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<span class=""><br>
On 24.04.2018 21:27, Mat wrote:<br>
<br>
> I'd like to have system updated against spectre, and other possible vulnerabilities as much as possible.<br>
<br>
</span>With the retpoline option in the Linux kernel, it should be usually safe<br>
(see attachment).<br>
<br>
"IBPB is considered as a good addition to retpoline for Variant 2<br>
mitigation, but your CPU microcode doesn't support it"<br>
<span class=""><br>
> 1. If I neutralize me.bin, then maybe updating it does not make sense?<br>
> Otherwise, maybe I could use MEanalyzer + its database to get newest ME, then neutralize it?<br>
<br>
</span>Maybe not, don't think that there is a new ME version availabe? Wasn't<br>
it version 9?<br>
<span class=""><br>
> place where fixes are possible to appear is CPU microcode?<br>
<br>
</span>See above. Did you found the matching microcode?<br>
<span class=""><br>
> 3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where to get it from?<br>
<br>
</span>I guess, that's only possible, if you fetch it from the flashed vendor bios.<br>
<span class=""><br>
> 4. gbe.bin - the same questions here.<br>
<br>
</span>Isn't that the firmware of the gigabit ethernet card? I think so.<br>
<br>
Regards,<br>
Reiner<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
</font></span><br>-- <br>
coreboot mailing list: <a href="mailto:coreboot@coreboot.org">coreboot@coreboot.org</a><br>
<a href="https://mail.coreboot.org/mailman/listinfo/coreboot" rel="noreferrer" target="_blank">https://mail.coreboot.org/<wbr>mailman/listinfo/coreboot</a><br></blockquote></div><br></div>