In the meantime I've decided to go in the following direction:
1. install Intel microcode onto my Ubuntu box
    the result is:
     x220$ dmesg | grep microcode
     [    0.000000] microcode: microcode updated early to revision 0x2d, date = 2018-02-07
     [    0.881361] microcode: sig=0x206a7, pf=0x10, revision=0x2d
     [    0.881406] microcode: Microcode Update Driver: v2.2.

     this version is exactly the same as the newest one from CPU microcodes.

2. shrink my current version of me.bin (year 2011) to 80kb + set disable bit. There are newer me.bin, but I've decided not to use them.
3. update coreboot git repo and build it.

I experience some slight problem with it, but this does not affect the question from this thread, thus I'll open a new one.

Thank you for the help
regards,



On Thu, Apr 26, 2018 at 12:17 PM, diffusae via coreboot <coreboot@coreboot.org> wrote:
Hi!

On 24.04.2018 21:27, Mat wrote:

> I'd like to have system updated against spectre, and other possible vulnerabilities as much as possible.

With the retpoline option in the Linux kernel, it should be usually safe
(see attachment).

"IBPB is considered as a good addition to retpoline for Variant 2
mitigation, but your CPU microcode doesn't support it"

> 1. If I neutralize me.bin, then maybe updating it does not make sense?
>     Otherwise, maybe I could use MEanalyzer + its database to get newest ME, then neutralize it?

Maybe not, don't think that there is a new ME version available? Wasn't
it version 9?

>    place where fixes are possible to appear is CPU microcode?

See above. Did you find the matching microcode?

> 3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where to get it from?

I guess, that's only possible, if you fetch it from the flashed vendor bios.

> 4. gbe.bin - the same questions here.

Isn't that the firmware of the gigabit ethernet card? I think so.

Regards,
Reiner

--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot