Since the beginning of January, it has been hard to miss the news about the Spectre and Meltdown hardware vulnerabilities; the topic turned out to be that serious and wide-ranging. Although manufacturers have been aware of these problems since last summer, most seem to have begun to react only after the details were made public by the Google Project Zero team.

For example, back in January, Intel released anti-Spectre microcode updates for its Broadwell, Haswell, Skylake, Kaby Lake, and Coffee Lake processors, among other patches. But almost immediately it turned out that they lead to failures and. Initially, Intel stated that the problem affects only Broadwell and Haswell chips, but later admitted that failures also occur on computers with Skylake, Kaby Lake and Coffee Lake processors and asked partners and users to refrain from installing the patches for now. Finally, in early February, a corrected version of the microcode was released, but only for mobile and desktop consumer chips of the Skylake family.

Now, after a month of intensive testing and patching by Intel and its partners, the time has come for other more or less current processors: microcode updates have been released for chips based on the Kaby Lake and Coffee Lake architectures, as well as for the Skylake-based platforms that the previous update did not cover. These are the 6th, 7th and 8th generation Intel Core i processors, as well as the latest Core X, Xeon Scalable and Xeon D families.

The new microcode will in most cases be delivered through OEM releases of new motherboard and laptop firmware. Intel again urged people to keep their systems up to date, and also published a white paper outlining the status of similar microcode fixes for its other products, including earlier chips starting with the 45nm Core 2. For some of these chips, patches are only planned; for others they are in early testing; for still others they already exist as a beta version. As a rule, the older the architecture, the later it will receive firmware with protection against Spectre. However, microcode updates for the more or less current Sandy Bridge, Ivy Bridge, Haswell, and Broadwell architectures are already in beta testing. A number of Atom chips and even Xeon Phi accelerators have also already received patches.

Intel recalled that there are other methods of combating the vulnerabilities discovered in the branch prediction unit of modern processors. One example is Retpoline, developed by Google against Spectre CVE-2017-5715 (branch target injection). For those interested in additional information about Retpoline and how it works, the company has published a special technical report.

The microcode updates against Spectre released by Intel will begin to appear over the coming days and weeks in the form of fresh BIOS firmware for various motherboards. It will be interesting to see whether they cause any additional performance degradation on end systems.

The original method, tools and microcodes can be found (instructions specifically for AMI), and in most cases using this method causes no problems and has no pitfalls, but in my practice I regularly encountered the following problem:

That is, there simply was not enough free space inside the image. When you modify the BIOS for yourself, for one specific processor, you can ignore this, because you can always load just the one microcode for your processor, or delete some old microcode to free up space. But when you modify images in bulk, you need to look for another solution, a compromise.

As a compromise, I chose the following solution: take the latest versions of the microcodes for all Core-generation processors in all their variants (Celeron E, Pentium E, Core 2 Duo, Core 2 Quad, Xeon *3xxx/*5xxx) and use them to replace everything that was there before. The set of microcodes is as follows:

The size of this set is only 76 kilobytes. The file was obtained by combining these files:

cpu00010676_plat00000001_ver0000060f_date20100929.bin
cpu00010676_plat00000004_ver0000060f_date20100929.bin
cpu00010676_plat00000010_ver0000060f_date20100929.bin
cpu00010676_plat00000040_ver0000060f_date20100929.bin
cpu00010677_plat00000010_ver0000070a_date20100929.bin
cpu0001067a_plat00000011_ver00000a0b_date20100928.bin
cpu0001067a_plat00000044_ver00000a0b_date20100928.bin
cpu000006f2_plat00000001_ver0000005d_date20101002.bin
cpu000006f6_plat00000001_ver000000d0_date20100930.bin
cpu000006f6_plat00000004_ver000000d2_date20101001.bin
cpu000006f7_plat00000010_ver0000006a_date20101002.bin
cpu000006f7_plat00000040_ver0000006b_date20101002.bin
cpu000006fb_plat00000001_ver000000ba_date20101003.bin
cpu000006fb_plat00000004_ver000000bc_date20101003.bin
cpu000006fb_plat00000010_ver000000ba_date20101003.bin
cpu000006fb_plat00000040_ver000000bc_date20101003.bin
cpu000006fd_plat00000001_ver000000a4_date20101002.bin
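
A combined file like this can be inspected before it is put into a BIOS image by walking it header by header. The sketch below is an added example, not part of the original post: it assumes the documented 48-byte Intel microcode update header, ignores the optional extended signature table, names entries after the file-name pattern in the list above, and runs on two constructed dummy updates. The checksum only detects corruption or truncation; it says nothing about where the file came from.

```python
import struct
from datetime import date

HEADER = struct.Struct("<9I12x")  # 48-byte Intel microcode update header

def bcd(value):
    """Decode packed BCD, e.g. 0x2010 -> 2010."""
    return int(f"{value:x}")

def parse_blob(blob):
    """Walk concatenated microcode updates; return one dict per update."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset:#x}")
        (hdr_ver, rev, raw_date, sig, _cksum, _loader,
         flags, data_size, total_size) = HEADER.unpack_from(blob, offset)
        # Data size 0 marks the legacy layout: 2000 data bytes, 2048 in total.
        total = total_size if data_size else 2048
        if hdr_ver != 1 or total % 4 or total < HEADER.size or offset + total > len(blob):
            raise ValueError(f"bad update at offset {offset:#x}")
        words = struct.unpack_from(f"<{total // 4}I", blob, offset)
        entries.append({
            "cpuid": sig, "platform": flags, "revision": rev,
            # Header date is BCD mmddyyyy.
            "date": date(bcd(raw_date & 0xFFFF), bcd(raw_date >> 24),
                         bcd((raw_date >> 16) & 0xFF)),
            "size": total,
            # All 32-bit words of a valid update sum to zero modulo 2**32.
            "checksum_ok": (sum(words) & 0xFFFFFFFF) == 0,
        })
        offset += total
    return entries

def file_name(e):
    """Name an entry using the pattern of the files listed on the page."""
    return (f"cpu{e['cpuid']:08x}_plat{e['platform']:08x}"
            f"_ver{e['revision']:08x}_date{e['date']:%Y%m%d}.bin")

def make_update(sig, flags, rev, raw_date):
    """Build a constructed update (dummy payload) with a valid checksum."""
    body = HEADER.pack(1, rev, raw_date, sig, 0, 1, flags, 0, 0) + b"\x5a" * 2000
    cksum = -sum(struct.unpack("<512I", body)) & 0xFFFFFFFF
    return body[:16] + struct.pack("<I", cksum) + body[20:]

# Constructed sample: two dummy updates, not real microcode.
SAMPLE = (make_update(0x10676, 0x01, 0x60F, 0x09292010)
          + make_update(0x1067A, 0x44, 0xA0B, 0x09282010))

if __name__ == "__main__":
    for e in parse_blob(SAMPLE):
        print(file_name(e), e["size"], "ok" if e["checksum_ok"] else "BAD CHECKSUM")
```

To inspect a real file, pass its bytes to `parse_blob` and compare the number of entries and their names with what MMTool shows on the CPU PATCH tab.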

The modification procedure itself has also changed a bit and has become, if not easier, then faster:

Step 1 - open the BIOS image in the MMTool program:

Step 2 - to check, go to the last tab (CPU PATCH) and look at the number of microcodes. Here, for example, there are 31 of them:

Step 3 - go to the Replace tab and look for the “P6 Micro Code” item on it:

Step 4 - having selected the “P6 Micro Code” item, press the Browse button, select the ncpucode.bin file described above and replace it with the Replace button:

Step 5 - to check, go to the last tab (CPU PATCH) and look at the number of microcodes. After the replacement, 17 microcodes remain, all of the latest version:

There is no fundamental difference from the modification procedure described on delidded.com. In most cases the output is, of course, not identical, but the processor receives the microcode it needs. Of the subjective advantages, I would only draw your attention to the fact that the microcodes are guaranteed to be updated for all current processors, whether “civilian” or “server”, and there is practically no risk of getting a message about lack of space. That said, in my practice there were a couple of times when there was not enough space even for this set of microcodes: this was with the BIOS for the ECS P4M900T-M and ECS P4M900T-M2 boards, which are generally compatible with the Xeon E5450.

By tradition, I publish a link to the archive with tools - (zip, 234KB). The archive contains the executable file MMTOL.exe (version 3.22 BKMOD), the firmware file ncpucode.bin for all 45/65nm Core/Xeon processors, and two files, 45nm.bin and 65nm.bin, with microcodes only for 45nm processors and only for 65nm processors respectively. These files can be useful when you need to free up additional space in the BIOS, for example for new firmware for some controller (network, disk, etc.).

NB: Neither the ncpucode.bin file nor the 45nm.bin/65nm.bin files support Pentium 4, Celeron (without letter indexes), Pentium D, Celeron D and Xeon W processors (Xeon 5080, for example). These are NetBurst-generation processors.

Modern processors are complex devices that can have bugs. Furthermore, instead of executing x86 instructions directly, modern x86 processors contain internal code that implements support for the x86 instruction set. The internal code is called microcode. Microcode can be updated to fix or mitigate CPU bugs.

Some CPU bugs can make Firefox crash. For example, Firefox 57 and later is known to occasionally crash on Broadwell-U CPUs with old microcode in a manner not seen with newer Broadwell-U microcode versions.

Microcode updates can be loaded onto the CPU by firmware (usually called BIOS even on computers that technically have UEFI firmware instead of old-style BIOS) or by the operating system. Microcode updates do not persist across reboot, so in the case of a dual-boot system, if the microcode update isn't delivered via BIOS, both operating systems have to provide the update.

On Mac, to have an up-to-date system, apply all OS X system updates and Apple firmware updates offered in the Updates pane of the App Store app.

To allow Windows to load updated microcode onto the CPU, make sure Windows Update is enabled and set to install updates.

To see the processor microarchitecture and which microcode revision is in use, run the command reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 in the Windows command prompt. (You can open the command prompt by pressing Windows + R, typing cmd and pressing Return.) The line labeled "VendorIdentifier" shows the CPU vendor (GenuineIntel for Intel or AuthenticAMD for AMD). The line labeled "Identifier" gives the microarchitecture as three numbers: "Family", "Model" and "Stepping". These are relevant in identifying if a particular CPU bug may be relevant to the CPU in your computer. The line labeled "Update Revision" shows the current microcode revision (for the particular microarchitecture) with zeros on both sides. For example, Update Revision REG_BINARY 000000001E000000 means that the revision is 1E (hexadecimal). The line labeled "Previous Update Revision" shows the microcode revision loaded from BIOS.

If the vendor is GenuineIntel, family is 6, model is 61 and stepping is 4, to avoid crashes with Firefox 57 or later, the microcode revision needs to be 1A or higher.

Whether microcode updates are in use by default depends on the Linux distribution and can differ for Intel and AMD CPUs.

  • On Debian-based distributions, including Ubuntu, microcode updates for Intel processors are provided by the intel-microcode package and microcode updates for AMD processors are provided by the amd64-microcode package.
  • On Arch, AMD microcode updates are installed by default, but Intel microcode updates require special steps.
  • On Fedora, microcode updates are installed by default.

To see the processor microarchitecture and which microcode revision is in use, run the command less /proc/cpuinfo in terminal. The line labeled "vendor_id" shows the CPU vendor (GenuineIntel for Intel or AuthenticAMD for AMD). The microarchitecture is given as three numbers on lines labeled "cpu family", "model" and "stepping". These are relevant in identifying if a particular CPU bug may be relevant to the CPU in your computer. The line labeled "microcode" shows the microcode revision number (for the particular microarchitecture) in hexadecimal.
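
The Windows and Linux checks described above can be automated. The following is an added example, not part of the original article: it parses the output of the `reg query` command and of /proc/cpuinfo and compares the revision with the Broadwell-U threshold the page gives. The sample outputs are constructed, and reading the 8-byte registry value as a revision in its upper four bytes is an assumption consistent with the page's 000000001E000000 example.

```python
import re

# Threshold stated on this page: GenuineIntel, family 6, model 61, stepping 4
# needs microcode revision 0x1A or higher for Firefox 57 or later.
MIN_REVISION = {("GenuineIntel", 6, 61, 4): 0x1A}

def parse_windows(reg_output):
    """Parse the output of the page's `reg query` command."""
    vendor = re.search(r"VendorIdentifier\s+REG_SZ\s+(\S+)", reg_output).group(1)
    ident = re.search(r"Family (\d+) Model (\d+) Stepping (\d+)", reg_output)
    # Anchor at line start so "Previous Update Revision" (the BIOS-loaded
    # revision) is not mistaken for the revision currently in use.
    raw = re.search(r"^\s*Update Revision\s+REG_BINARY\s+([0-9A-Fa-f]{16})\s*$",
                    reg_output, re.M).group(1)
    # Assumption: revision is the upper 4 bytes, stored little-endian.
    revision = int.from_bytes(bytes.fromhex(raw)[4:], "little")
    return (vendor, *map(int, ident.groups()), revision)

def parse_linux(cpuinfo):
    """Parse the first processor block of /proc/cpuinfo."""
    block = cpuinfo.strip().split("\n\n")[0]
    f = dict(re.findall(r"^([^\t:\n]+?)[ \t]*:[ \t]*(.*)$", block, re.M))
    return (f["vendor_id"], int(f["cpu family"]), int(f["model"]),
            int(f["stepping"]), int(f["microcode"], 16))

def check(cpu):
    """Return 'ok', 'update needed' or 'not listed' for a parsed CPU tuple."""
    *ident, revision = cpu
    minimum = MIN_REVISION.get(tuple(ident))
    if minimum is None:
        return "not listed"
    return "ok" if revision >= minimum else "update needed"

# Constructed sample outputs (not captured from a real machine).
WINDOWS_SAMPLE = r"""
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Identifier    REG_SZ    Intel64 Family 6 Model 61 Stepping 4
    VendorIdentifier    REG_SZ    GenuineIntel
    Update Revision    REG_BINARY    0000000016000000
    Previous Update Revision    REG_BINARY    0000000011000000
"""
LINUX_SAMPLE = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                "model\t\t: 61\nmodel name\t: Constructed CPU\nstepping\t: 4\n"
                "microcode\t: 0x1f\n\nprocessor\t: 1\n")

if __name__ == "__main__":
    for cpu in (parse_windows(WINDOWS_SAMPLE), parse_linux(LINUX_SAMPLE)):
        print(cpu, "->", check(cpu))
```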

You can optimize the performance of your computer's Intel or AMD CPU by installing the latest CPU firmware. Optimization is achieved mainly by correcting errors in the standard microcode received from the firmware of the motherboard.

BIOS/UEFI firmware updates for your motherboard usually contain new microcode versions for the CPUs the motherboard supports. For this reason, the first thing to do is to make sure you are using the latest BIOS/UEFI version.

This guide allows you to optimize the performance of only those CPUs that were developed by Intel and AMD.

Notes:

  • Installing the software package with microcodes can cause the computer to become unstable. For this reason, you should install this package only when you experience problems related to the functioning of your computer's CPU!
  • Do not install the CPU firmware software package if it was released before the BIOS/UEFI firmware of your computer's motherboard!

1. Intel CPUs

If your computer has a CPU manufactured by Intel, you can proceed as described below.

Note: Do you need an Intel CPU firmware package that is newer than the one in the distribution's official repository? In this case, you can download the software package file with the extension .deb from

Synaptic package manager Software

Synaptic package manager"Search on computer"), enter a query Synaptic Synaptic Package Manager Synaptic package manager "Search" "microcode" and press the button "Search" next to him.

3.201501106.1 (in this case version 3 of the package was created on November 6, 2015).

« intel-microcode" and press the button "Apply"

dmesg | grep microcode

Enter

2. AMD CPUs

For processors manufactured by AMD, this guide is relevant only for those released after 2006 (AMD K10 and newer). If your computer has one of these CPUs installed, you can proceed as described below.

Note: Do you need an AMD CPU firmware package that is newer than the one in the distribution's official repository? In this case, you can download the software package file with the extension .deb from the Debian distribution repository, where the latest versions of the packages are placed. After downloading the package file, find it with the file manager and double-click it to install the microcodes into the system. After installation is complete, you must restart your computer.

A. If you are using the Ubuntu distribution, you will need to install the Synaptic package manager (this can be done with the Software app). In Linux Mint, this package manager is present immediately after installation.

B. First of all, run the Synaptic package manager. In the Ubuntu distribution, click on the white Ubuntu logo at the top of the sidebar ("Search on computer"), enter the query Synaptic and select the first of the proposed applications, Synaptic Package Manager. Do not use the quick search box for software packages in the main window of the Synaptic package manager, since that mechanism is unreliable; instead press the "Search" button on the toolbar, enter the query "amd64-microcode" in the search field of the dialog box that opens, and press the "Search" button next to it.

C. Now check the creation date of the software package with CPU microcodes: this package must have been created later than the BIOS/UEFI firmware of your computer's motherboard! The creation date of the package is reflected in its version number, for example 2.20160316.1 (in this case version 2 of the package was created on March 2, 2016).

D. Now check the box next to the name of the software package "amd64-microcode" and press the "Apply" button on the application toolbar.

E. After the installation of the software package is complete, you must restart your computer.

F. After rebooting, it is worth checking that one of the installed microcodes was loaded correctly by typing the following command in a terminal window (use copy/paste to avoid errors):

dmesg | grep microcode

After entering the command, press the Enter key to execute it. If the firmware was loaded successfully, you will see several messages about it.


If the chipset and the LGA 775 motherboard can theoretically support XEON 771, but the native BIOS does not support it, and there is no modified one, then you can modify the BIOS yourself.

IMPORTANT

1. You make all changes to the BIOS firmware (usually a .ROM file) at your own risk. In case of an error, the motherboard is guaranteed to end up a “brick”.
2. The file size of the original firmware and the modified version must match to the byte.
3. The modified BIOS file is flashed back into the chip only with the proprietary utility from the motherboard developer (to be downloaded from the manufacturer's website).
4. In top motherboards, the BIOS itself has a built-in firmware update module (for example, the EZ Flash 2 utility for the ASUS P5Q in the Tools section) - this is the best option.

Which approach is better:
1. Search the Internet for a ready-made version with XEON support?
2. Download the latest firmware version from the official website and add the microcodes?

As you can see, the second option is safer: you download the original firmware from the website of the motherboard manufacturer, so the latest version and the absence of errors are guaranteed (more precisely, the correction of all errors found earlier). When downloading a ready-made version from third-party resources (for obvious reasons, it will not be on the original site), you can get a broken version and kill the BIOS.

Beforehand, you can check whether XEON microcodes are already present in the BIOS firmware:

- get the current AMI BIOS image via Universal BIOS Backup ToolKit 2.0
- look at the contents of the received ROM file through AMIBCP V 3.37

Option for BIOS AMI (American Megatrends Inc.).

1. Download the latest BIOS version from your motherboard manufacturer's website

3. Download microcodes for XEON 771 processors: lga771_microcodes

4. Find out the CPUID of your processor using AIDA64 or a similar program (it looks like cpu0001067Ah). If the BIOS will be flashed before the processor is installed, skip this step.

5. Unpack the MMTool and lga771_microcodes archives and, of the files with the .bin extension, keep only those whose names begin with the CPUID of your processor (for example, cpu0001067a_plat00000044_ver00000a0b_date20100928.bin)

If you do not know the CPUID, add all of the microcodes.

A. Launch MMTool. Press button (1) Load ROM and load the latest BIOS for your motherboard into the program. If the latest BIOS is already installed, you can also dump it from the PC with the BIOS backup utility and edit that image.

B. Go to tab (2) CPU Patch, then press button (3) Browse and open the .bin file corresponding to your CPUID.

C. Leave the option at its default, "Insert a patch data", and press button (4) Apply.

After updating to the modified BIOS, you need to do a factory reset with the reset button or jumpers, if the motherboard supports such a reset, or by pulling out the BIOS battery for a couple of minutes. After that, the processor is recognized correctly by the computer and works as it should.
