Spectre security updates in AMD BIOSes?

MinimalTech
Posted: 16 Mar 2018 at 7:33pm
I have some questions about security updates in the latest BIOS releases from ASRock on AMD platform based motherboards containing the newest PinnaclePI-AM4_1.0.0.1a AGESA.

To begin with, on January 11, 2018, AMD said that it "will make optional microcode updates available to its customers and partners for Ryzen and EPYC processors" for the Spectre Variant 2 vulnerability.

An article from BleepingComputer.com also said on January 15, 2018 that "Intel, AMD, and other CPU manufacturers have started releasing CPU microcode (firmware) updates for processor models affected by the Meltdown and Spectre patches, those updates are trickling down to OEMs and motherboard vendors, who are now integrating these patches into BIOS/UEFI updates for affected PCs."

My system is composed of an ASRock AB350 Pro4 motherboard paired with an AMD Ryzen 5 1600 CPU and G.Skill Flare X 16GB (2x8GB) DDR4-2400MHz RAM. My current BIOS version is 4.60, released by ASRock on January 26, 2018. The next (and latest) BIOS from ASRock is 4.70, which was released a few days ago, on March 6, 2018, and includes the PinnaclePI-AM4_1.0.0.1a AGESA from AMD.

So, my questions are:

1) Has AMD released any security microcode update since the announcement on January 11, 2018, or NOT yet?

2) Does the latest AGESA PinnaclePI-AM4_1.0.0.1a include any kind of security update against Spectre?

3) Has ASRock embedded any security microcode updates in its AMD motherboard BIOSes since AMD's announcement on January 11, 2018, or NOT?

I also want to note that ASRock has a specially designed microsite for Intel platforms that informs users extensively about the Spectre and Meltdown security updates in its BIOSes, but it does not have anything informative about AMD platforms concerning security... (Or it has, but I didn't notice it?)

I ask you these questions to understand how safe I am with ASRock and AMD and whether I must update my BIOS to the latest version to obtain the latest security microcode fixes.

SoniC
Posted: 16 Mar 2018 at 9:54pm
I won't answer the questions but I will just add the following:
AMD is not vulnerable (or almost impossible to use level of vulnerable) to the security holes that require physical updates to BIOS / microcode updates.
They release it as optional to those wearing tinfoil hats.
Even Linus Torvalds felt confident enough to not enable the fixes on AMD hardware in the kernel patches.
So yeah... I believe him.

-=SoniC=-
TR x1950, ASRock X399 FPG (v. 3.33A), G.Skill 3200 CL14 64GB, Enermax LiqTech 280,
AMD Vega 64 LC, 10x HDDs (mostly Hitachi), 2x M.2 (970EVO,960Pro), Xonar DX, AX1200i PSU

MinimalTech
Posted: 17 Mar 2018 at 8:23pm
SoniC, thank you for your reply. I will try to answer you in detail.

Originally posted by SoniC:

AMD is not vulnerable (or almost impossible to use level of vulnerable) to the security holes that require physical updates to BIOS / microcode updates.

Do you base your statement on something (e.g. on specific research)? Can you please post it here?

However, despite what you write, AMD itself clearly writes in its official announcement that:

Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.

GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.

GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.


Thus, AMD processors ARE vulnerable, since Spectre (Variant 1 & 2) is applicable to them...

Originally posted by SoniC:

They release it as optional to those wearing tinfoil hats.

I would not label someone who cares about the security of his/her system as someone "wearing a tinfoil hat"... There is more than irony in the phrase here... There is malware out there (like spyware, trojan horses, etc.) - even (script-infected) web pages - that would take advantage of this exploit to steal your credentials or your personal files. And if these credentials are, for example, for your e-banking system or for your credit cards, then you are going to have a huge problem in your life after that...

If we thought like this in the IT space, then it would not be necessary to have - let's say for example - strengthened versions of the AES algorithm of 192 bits or 256 bits; we would have remained at 128 bits. In the same way, it would not have been necessary to move from the SSL encryption protocol to TLS for our web communications...

Originally posted by SoniC:

Even Linus Torvalds felt confident enough to not enable the fixes on AMD hardware in the kernel patches.
So yeah... I believe him.

Linus Torvalds is a formidable person in the Informatics and Software Engineering domains. As a developer myself, I admire and respect him (and his opinions) in these domains. But in this case I think you have misunderstood his (and his colleagues') words a bit!!

He (or his colleagues) never said the phrase you wrote!! Tom Lendacky from AMD said something approximately like what you wrote, in an e-mail to the Linux Kernel Mailing List on December 26, 2017, and Linus Torvalds accepted that in a Release Candidate of the 4.15 Linux kernel.

But what did Tom Lendacky say?

"AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault."


He speaks only about PTI! Which is a feature that mitigates only the Meltdown vulnerability! Not Spectre!!

If I'm not wrong, neither Tom Lendacky nor Linus Torvalds ever said (or agreed) that Spectre is not applicable to AMD processors, so as not to enable the fixes in the kernel patches... But if I am wrong in this, please post a URL of an official statement from one (or both) of these people.


EDIT: Due to a bug in the parser of the "Insert Hyperlink" function of this forum (on the "?" symbol), I am writing the correct URL of the Release Candidate article straight here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00a5ae218d57741088068799b810416ac249a9ce

--

But I think we are going off the subject of the post I made... Linux and its patches are not my subject.

My questions are very simple and clearly written!


Edited by MinimalTech - 17 Mar 2018 at 8:33pm

DHYCIX
Posted: 19 Mar 2018 at 12:55am
I'd also love to hear about this. I got almost the same board as you (just the mATX version). Maybe someone with the latest BIOS of one of these could fire up InSpectre and take a look whether the coast is clear?
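
The before/after check requested above, sketched for Linux as an added example (it is not part of the original thread and is not an ASRock, AMD or InSpectre tool). It compares the microcode revision, the `ibpb` CPU flag and the kernel's Spectre v2 status captured before and after a BIOS flash; the sample text and microcode revisions are constructed, and treating a newly appearing `ibpb` flag as a sign of updated microcode is an assumption.

```python
import re

# Constructed samples shaped like Linux output on an AMD system; the microcode
# revisions are placeholders, not real AMD values. Real inputs: /proc/cpuinfo
# and /sys/devices/system/cpu/vulnerabilities/spectre_v2
CPUINFO_OLD_BIOS = "vendor_id\t: AuthenticAMD\nmicrocode\t: 0x1111\nflags\t\t: fpu sse2 nx lm svm\n"
CPUINFO_NEW_BIOS = "vendor_id\t: AuthenticAMD\nmicrocode\t: 0x2222\nflags\t\t: fpu sse2 nx lm svm ibpb\n"
SYSFS_OLD_BIOS = "Mitigation: Full AMD retpoline\n"
SYSFS_NEW_BIOS = "Mitigation: Full AMD retpoline, IBPB\n"

def parse_cpuinfo(text):
    """Return (microcode revision or None, set of CPU flags) for the first CPU."""
    rev, flags = None, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "microcode" and rev is None:
            rev = int(value.strip(), 16)
        elif key == "flags" and not flags:
            flags = set(value.split())
    return rev, flags

def spectre_v2_state(cpuinfo, sysfs_line):
    """Summarise what the CPU advertises and what the kernel reports using."""
    rev, flags = parse_cpuinfo(cpuinfo)
    status = sysfs_line.strip()
    return {
        "microcode": rev,
        "cpu_has_ibpb": "ibpb" in flags,
        # Newer kernels print "IBPB: disabled" when the barrier is unused.
        "kernel_uses_ibpb": bool(re.search(r"\bIBPB\b(?!: disabled)", status)),
        "mitigated": status.startswith("Mitigation:"),
    }

def bios_update_effect(before, after):
    """Compare two states captured before and after flashing a BIOS."""
    return {
        "microcode_changed": before["microcode"] != after["microcode"],
        "ibpb_gained": after["cpu_has_ibpb"] and not before["cpu_has_ibpb"],
    }

if __name__ == "__main__":
    old = spectre_v2_state(CPUINFO_OLD_BIOS, SYSFS_OLD_BIOS)
    new = spectre_v2_state(CPUINFO_NEW_BIOS, SYSFS_NEW_BIOS)
    print(old, new, bios_update_effect(old, new))
```

If the microcode revision and flags are identical across the flash, the BIOS update did not change what the CPU advertises for Spectre v2, whatever the release notes say.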

stree
Posted: 19 Mar 2018 at 1:58am
Spectre has been around for years, and was thought of such little consequence that it was not worth a mention. Someone would have to be able to physically access your motherboard to even attempt to do anything with it, plus in all the time it has been known about there is not one instance of it being acted upon. Yes it has a shiny new version, but how many exploits? Only code found "out there" is proof of concept stuff, not rogue exploits.
It only hit the noisy news when Intel needed a distraction from its own more serious (and actual) meltathon and proceeded to cripple its server based customers' systems. So it shouted loudly that AMD was just as bad, ask them about Spectre! Corporate infantilism at its best.
I am aware of Spectre. Do I care about whether I am vulnerable to it? Not a jot.
You are fretting over something you need not fret about.
ASRock X370-ITX BIOS 4.50
R5 2600    Cryorig C7
EVGA GTX 950 75w
2x8GB Ballistix Sport LT 2933
960Evo M.2 256GB, Firecuda 1TB
Win 10 Pro 64 1803
G-Unique Archdaemon 300 Watt
Lian-li Q21B

nanohead
Posted: 19 Mar 2018 at 4:39am
Have to agree with Stree here. As someone who's been in the IT space for more than 30 years, I simply don't see this as anything other than more breathless hysteria about something that is massively obscure. There are tons of minuscule threats in every computer system, and the entire software stack. Same with networks, and data storage systems. Why some make it into the news and others don't is anyone's guess.

MinimalTech
Posted: 24 Mar 2018 at 5:05am
First, sorry for my delayed response (and for any other possible delayed responses in the future), but due to my job I don't have the leisure to respond fast.

Again, I will note that we are getting away from the subject of this thread...! I asked 3 simple questions and all I want is 3 simple answers from ASRock!!

But I will answer your post (@stree) because I mostly disagree with your opinion.

Originally posted by stree:

Someone would have to be able to physically access your motherboard to even attempt to do anything with it

I don't exactly understand what you mean by the phrase "physically access your motherboard"...

Assuming that by this phrase you don't mean that someone (as a person) has to be in front of the machine with a screwdriver (or any other hand-tool/device) to be able to attempt anything malicious to the motherboard (like running Spectre code), I have to answer that:

a) the CPU is the module that concerns us, not the motherboard,

b) if a programmer develops malware (virus, trojan, spyware, etc.) and this malware penetrates a system with a vulnerable processor (like a PC, Laptop, Tablet, Smartphone) then the malware HAS physical access to the CPU. Just simple. All this malware has to do is run a "malicious" algorithm/code and then read the private data. It will act like a program which has been executed manually by the logged-in user of the system.

and

c) even more simply, a programmer can develop a script in JavaScript and put it - let's say - in an advertisement pop-up window -or- in a main website page and this script will do its job (steal private data from the machine) easily and silently.

With the second implementation the malicious script can still run even if a user has an updated AV program installed... (It is extremely difficult to catch a malicious script)...

Originally posted by stree:

Only code found "out there" is proof of concept stuff, not rogue exploits

First of all, you don't know whether a rogue exploit already exists "out there" until you or someone you know catches it on your/their machine and it steals your/their private data. There are millions of devices with Intel, AMD and ARM processors connected to the internet; I am assuming that you haven't checked every single one of those devices to see if they have been breached and to know that there are no rogue exploits out there...

Secondly, the Proof-of-Concept code you are referring to is the thing that makes the situation much easier than it should be for a malicious programmer!! Even a moderately knowledgeable programmer can develop malware with Spectre and Meltdown by just COPYING and PASTING the code of the proof-of-concept from Google... Don't tell me that you never thought about it...

Originally posted by stree:

So it shouted loudly that AMD was just as bad, ask them about Spectre! Corporate infantilism at its best.

Maybe you are right about this, but I don't care. I am not here to argue for the AMD or Intel companies. I care only, and I am here only as a user, to understand how ASRock cares for its (AMD) clients and whether it has released any security microcode updates (in cooperation with AMD) in their BIOSes.

But, since you think that AMD is safe and this is just "Corporate infantilism", what do you think about this research from CTS-Labs??

The research reveals that, in addition to

Spectre Variant 1 and
Spectre Variant 2

AMD (and only AMD) is also vulnerable to the

Ryzenfall
Masterkey
Fallout
Chimera

vulnerabilities...

Do you still have the same opinion?

Originally posted by stree:

I am aware of Spectre. Do I care about whether I am vulnerable to it? Not a jot.
You are fretting over something you need not fret about.

Well, that's your opinion and it is respected. My opinion and my point of view as a professional developer is different...

Also, I didn't say anywhere that "I am fretting" over Spectre... I just want my system to be safe, not safe-a-lot...


Again, and for the last time I hope, I asked 3 simple questions and all I want is 3 simple answers to these questions from ASRock, ASRock technicians or from other people who have the answers...


Edited by MinimalTech - 24 Mar 2018 at 5:42pm