[coreboot] lenovo x220, tool to extract binary blobs from BIOS update

diffusae diffusae at yahoo.se
Thu Apr 26 12:17:32 CEST 2018


On 24.04.2018 21:27, Mat wrote:

> I'd like to have system updated against spectre, and other possible vulnerabilities as much as possible.

With the retpoline option in the Linux kernel, it should be usually safe
(see attachment).

"IBPB is considered as a good addition to retpoline for Variant 2
mitigation, but your CPU microcode doesn't support it"

> 1. If I neutralize me.bin, then maybe updating it does not make sense?
>     Otherwise, maybe I could use MEanalyzer + its database to get newest ME, then neutralize it?

Maybe not, don't think that there is a new ME version availabe? Wasn't
it version 9?

>    place where fixes are possible to appear is CPU microcode?

See above. Did you found the matching microcode?

> 3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where to get it from?

I guess, that's only possible, if you fetch it from the flashed vendor bios.

> 4. gbe.bin - the same questions here.

Isn't that the firmware of the gigabit ethernet card? I think so.


-------------- next part --------------
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
CPU is Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 42 stepping 7 ucode 0x29 cpuid 0x206a7)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports PCID, performance impact of PTI will be reduced)
* Running as a Xen PV DomU:  NO 

A false sense of security is worse than no security at all, see --disclaimer

More information about the coreboot mailing list