Spectre security updates in AMD BIOSes?
Printed From: ASRock.com
Category: Technical Support
Forum Name: AMD Motherboards
Forum Description: Question about ASRock AMD motherboards
URL: https://forum.asrock.com/forum_posts.asp?TID=8085
Printed Date: 28 May 2024 at 8:04pm
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com
Topic: Spectre security updates in AMD BIOSes?
Posted By: MinimalTech
Subject: Spectre security updates in AMD BIOSes?
Date Posted: 16 Mar 2018 at 7:33pm
|
I have some questions about security updates in the latest BIOS releases from ASRock on AMD platform based motherboards containing the newest PinnaclePI-AM4_1.0.0.1a AGESA. To begin with, since January 11, 2018, https://www.amd.com/en/corporate/speculative-execution" rel="nofollow - AMD said that "will make optional microcode updates available to its customers and partners for Ryzen and EPYC processors" for the Spectre Variant 2 vulnerability. https://www.bleepingcomputer.com/news/software/list-of-links-bios-updates-for-the-meltdown-and-spectre-patches/" rel="nofollow - An article also from BleepingComputer.com said at January 15, 2018 that "Intel, AMD, and other CPU manufacturers have started releasing CPU microcode (firmware) updates for processor models affected by the Meltdown and Spectre patches, those updates are trickling down to OEMs and motherboard vendors, who are now integrating these patches into BIOS/UEFI updates for affected PCs." My system is composed of an https://www.asrock.com/MB/AMD/AB350%20Pro4/index.asp#BIOS" rel="nofollow - ASRock AB350 Pro4 motherboard paired with an AMD Ryzen 5 1600 CPU and G.Skill Flare X 16GB (2x8GB) DDR4-2400MHz RAM. My current version of BIOS is 4.60, released from ASRock at January 26, 2018. The next (and the latest) BIOS from ASRock is 4.70 which released some days before, at March 6, 2018 and includes the PinnaclePI-AM4_1.0.0.1a AGESA from AMD. So, my questions are: 1) Does AMD released any security microcode update since the announcement at January 11, 2018 or NOT yet? 2) Does the latest AGESA PinnaclePI-AM4_1.0.0.1a includes any kind of security update against Spectre? 3) Does ASRock embedded any security microcode updates in its AMD motherboard BIOSes since AMD's announcement at January 11, 2018 or NOT? I also want to note that ASRock has http://www.asrock.com/Microsite/SA00088/" rel="nofollow - a specially designed microsite for Intel platforms that informs users extensively about the Spectre and Meltdown security updates in it's BIOSes, but has not anything informative about AMD platforms concerning security... (Or it has but I didn't notice it?) I ask you these questions to understand how safe I am with ASRock and AMD and if I must update my BIOS to the latest version to obtain the latest security microcode fixes. |
Replies:
Posted By: SoniC
Date Posted: 16 Mar 2018 at 9:54pm
|
I won't answer the questions but I will just add the following : AMD is not vulnerable (or almost impossible to use level of vulnerable) to the security holes that require physical updates to BIOS / microcode updates. They release it as optional to those wearing tinfoil hats. Even Linus Torvald felt confident enough to not enable the fixes on AMD hardware in the kernel patches. So yeah... I believe him. ------------- -=SoniC=- TR x1950, ASRock X399 FPG (v. 3.33A), G.Skill 3200 CL14 64GB, Enermax LiqTech 280, AMD Vega 64 LC, 10x HDDs (mostly Hitachi), 2x M.2 (970EVO,960Pro), Xonar DX, AX1200i PSU |
Posted By: MinimalTech
Date Posted: 17 Mar 2018 at 8:23pm
SoniC thank you for your reply, I will try to answer you in detail.
Do you rely your statement somewhere (e.g. on a specific research)? Can you posted it please here? However, despite of what you write, the AMD itself writes in its https://www.amd.com/en/corporate/speculative-execution" rel="nofollow - official announcement clearly that: Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors. GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors. GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors. Thus, the AMD processors ARE vulnerable since Spectre (Variant 1 & 2) is applicable to them...
I would not label someone who cares for his/her security on his/her system as someone "who wearing tinfoil hat"... There is more than irony of the phrase here... There are malware out there (like spyware, trojan horses, e.t.c.) - even (script-infected) web pages - that would take advantage of this exploit to steal your credentials or your personal files. And if these credentials are for example for your e-banking system or for your credit cards, then you are going to have a huge problem in your life after that... If we were thinking like this in the IT space, then it would not be necessary to have - lets say for example - strengthened versions of the AES algorithm of 192 bits or 256bits, we would have remained in the 128bits. Same way, it would not be necessary to move from the SSL encryption protocol to the TLS for our web communications...
Linus Torvalds is a formidable person in the Informatics and Software Engineering domains. I admire him and I respect him as a developer I am (plus his opinions) in these domains. But in this case I think you have misunderstood his (and his colleagues) words a bit!! He (or his colleagues) never said the phrase you wrote it!! Tom Lendacky from AMD said approximately something what you wrote in an https://lkml.org/lkml/2017/12/27/2" rel="nofollow - e-mail in the Linux Kernel Mailing List in December 26, 2017 and Linus Torvalds accepted that in a https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/%3Fid=00a5ae218d57741088068799b810416ac249a9ce" rel="nofollow - Release Candidate of the 4.15 Linux kernel. But what Tom Lendacky said? "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault." He speaks only for PTI! Which is a feature that mitigates only the Meltdown vulnerability! Not Spectre!! If I'm not wrong, neither Tom Lendacky nor Linus Torvalds ever said (or agreed) that Spectre is not applicable to AMD processors, so to not enable the fixes in the kernel patches... But if I am wrong in this, please post me a URL of an official statement of someone (or both) of these people. EDIT: Due to a bug on the parser of the "Insert Hyperlink" function of this forum (on "?" symbol), I write the correct URL of the Release Candidate article straight here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00a5ae218d57741088068799b810416ac249a9ce -- But I think we were going out of subject of the post I made... Linux and its patches is not my subject. My questions are very simple and clear written! |
SoniC wrote:Posted By: DHYCIX
Date Posted: 19 Mar 2018 at 12:55am
|
" rel="nofollow - I'd also love to hear about this. I got almost the same board as you (just the mATX version). Maybe someone with the latest BIOS of one of these could fire up InSpectre and take a look whether the coast is clear? |
Posted By: stree
Date Posted: 19 Mar 2018 at 1:58am
|
" rel="nofollow - Spectre has been around for years, and was though of such little consequence that is was not worth a mention. Someone would have to be able to physically access your motherboard to even attempt to do anything with it, plus in all the time it has been known about there is not one instance of it being acted upon. Yes it has a shiny new version, but how many exploits? Only code found "out there" is proof of concept stuff, not rogue exploits. It only hit the noisy news when Intel needed a distraction from its own more serious ( and actual) meltathon and proceeded to cripple its server based customers systems. So it shouted loudly that AMD was just as bad, ask them about Spectre! Corporate infantilisim at its best. I am aware of spectre . Do I care about whether I am vulnerable to it? Not a jot. You are fretting over something you need not fret about. ------------- ASRock X370-ITX BIOS 4.50 R5 2600 Cryorig C7 EVGA GTX 950 75w 2x8GB Ballistix Sport LT 2933 960Evo M.2 256GB, Firecuda 1TB Win 10 Pro 64 1803 G-Unique Archdaemon 300 Watt Lian-li Q21B |
Posted By: nanohead
Date Posted: 19 Mar 2018 at 4:39am
| Have to agree with Stree here. As someone who's been in the IT space for more than 30 years, I simply don't see this as anything other than more breathless hysteria about something that is massively obscure. There are tons of minuscule threats in every computer system, and the entire software stack. Same with networks, and data storage systems. Why some make into the news and others don't is anyone's guess. |
Posted By: MinimalTech
Date Posted: 24 Mar 2018 at 5:05am
|
At first sorry for my delayed response (and for any other possible delayed responses in the future), but due to my job I don't have the leisure to respond fast. Again, I will note that we are getting away of the subject of this thread...! I asked 3 simple questions and all I want is 3 simple answers from ASRock!! But I will answer to your post (@stree) because I mostly disagree with your opinion.
I don't exactly understand what do you mean with the phrase "physically access your motherboard"... Assuming that with this phrase you don't mean that someone (as a person) has to be in front of the machine with a screwdriver (or any other hand-tool/device) to be able to attempt anything malicious to the motherboard (like to run Spectre code), I have to answer that: a) the CPU is the module that cares us, not the motherboard, b) if a programmer develop a malware (virus, trojan, spyware, etc.) and this malware penetrate to a vulnerable-processor system (like PC, Laptop, Tablet, Smartphone) then the malware HAS physical access to the CPU. Just simple. All it has to do this malware is to run a "malicious" algorithm/code and then read the private data. It will act like a program which has been executed manually from the Logged-In user in the system. and c) even more simple, a programmer can develop a script in JavaScript and put it - let's say - in an advertisement pop-up window -or- in a main website page and this script will do its job (steal private data from the machine) easily and silently. With the second implementation the malicious script can still run even if a user has an updated AV program installed... (It is extremely difficult to catch a malicious script)...
First of all you don't know if "out there" a rogue exploit already exists until you or a known person of you catch this to your/its machine and to steal your/its private data. There are millions of devices with Intel, AMD and ARM processors connected to the internet, I am assuming that you haven't check every single one of those devices to see if they have been breached and to know that out there there are not rogue exploits... Secondly, the https://googleprojectzero.blogspot.gr/" rel="nofollow - Proof-of-Concept code you are referring on is the thing that makes the situation much more easy than it should be for a malicious programmer!! Even a moderate-knowledged programmer can develop a malware with Spectre and Meltdown by just COPY and PASTE the code of the proof-of-concept from https://meltdownattack.com/" rel="nofollow - Google ... Don't tell me that you didn't think about it ever...
Maybe you are right in this but I don't care. I am not here to argue for AMD or for Intel companies. I do care only and I am here only as a user for understanding how ASRock cares for its (AMD) clients and if it has released any security microcode updates (in cooperation with AMD) in their BIOSes. But, once you think that AMD is safe and this is just "Corporate infantilisim", what do you think about https://amdflaws.com/" rel="nofollow - this research from the CTS-Labs ?? The research reveals that instead of Spectre Variant 1 and Spectre Variant 2 the AMD (and only the AMD) is also vulnerable in Ryzenfall Masterkey Fallout Chimera vulnerabilities... Do you still have the same opinion?
Well, that's your opinion and it is respected. My opinion and my point of view as a professional developer is different... Also I didn't said anywhere that "I am fretting" out with Spectre... I just want my system to be safe, not safe-a-lot... Again, and for the last time I hope, I asked 3 simple questions and all I want is 3 simple answers to these questions from ASRock, ASRock technicians or from other people who have the answers...  |