Web lists-archives.com

Status of Intel-related vulnerabilities and bugs?




Hello,

I'm trying to get my head around all the recent Intel-related vulnerabilities and bugs and what they mean for the practical usefulness of my not-so-old and still under warranty motherboards in the role of a secure Debian internet server.

I have spent quite some time googling for both information about the technical problems and also what the motherboard manufacturers have done and plan to do about it.

It seems that many have rolled out BIOS updates for their 100-300 and x99-299 series motherboards (Intel Management Engine (IME), hyperthreading, and Spectre variant 2).

For older motherboards there is a lot more uncertainty. ASRock (but not Gigabyte, ASUS, nor MSI) has released H97 / Z97 BIOS updates to Haswell CPU Microcode revision 24 and Broadwell revision 1D, but no update for IME. Gigabyte hasn't responded to my support request regarding their plans for 97-series and older motherboards.

I have applied the Linux "microcode updated early" firmware from stretch-backports (https://wiki.debian.org/Microcode), but that leaves me with a few questions:

1. Can the latest microcode updates still in stretch-backports be trusted to run properly by now?
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

2. What is really the deal with IME on pre 100-series motherboards? According to the "GIGABYTE Intel ME Critical FW Update Utility" there is "no need" to update my H97N-WIFI motherboards, but the "Intel-SA-00086 Detection Tool" says my Windows 7 machine is vulnerable. Some sources claim that certain consumer motherboards are indeed vulnerable to the IME holes. As far as I understand, the H97 and Z97 chipsets don't have vPro support (which I suppose means that AMT is not implemented?), but some motherboards were instead designed with Intel Small Business Advantage (SBA). For example, the Gigabyte H97N-WIFI / Z97N-WIFI boards have SBA support, but the ASRock H97E-ITX/ac / Z97E-ITX/ac don't, but does this mean that the Gigabyte boards are vulnerable but not the ASRock boards?
https://www.gigabyte.com/Support/Utility/Motherboard#mefw
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

3. Assuming that the H97 / Z97 motherboards with SBA are vulnerable to the IME hole, what can be done to prevent exploits?

4. Has Microsoft decided only to apply their equivalent of the "microcode updated early" firmware to the latest version of Windows 10, leaving the still supported Windows 7 and 8.x with the Spectre 2 security hole?

Grateful for your input.

BR

Niclas