netkas.org forum
Author Topic: Spectre/Meltdown patches for Mac Pro and others  (Read 6033 times)
lowrider
Sr. Member

Posts: 381


« Reply #15 on: April 01, 2018, 04:25:12 AM »

I've used standard flashed R9 280 (aka HD7950) for update and Mavericks did the trick.

Spectre is still unpatched but firmware (BIOS) is now dated 02/02/2018 ;)

Also please note it's a native 5,1 (2010) made at the beginning of 2012. Maybe it only works well on 5,1 machines with Mid-2012 serial number.


My 5,1 is a 2010 model.  Again, no issues.  GPU is an MVC flashed GTX 1080.

Lou
Logged
h9826790
Jr. Member

Posts: 77


« Reply #16 on: April 01, 2018, 09:54:06 AM »

My cMP is a 2009 model flashed to 5,1. The latest firmware update was performed directly by the HS installer.
Logged
mysticalos
Hero Member

Posts: 637


« Reply #17 on: April 01, 2018, 09:56:33 PM »

I highly doubt Apple will patch Spectre or Meltdown in an old machine. These machines are literally just getting apfs.efi flashes when Apple upgrades the APFS driver (which they did with 10.13.4; they didn't with .3 or any of the supp updates. Last update of the driver was 10.13.2, I think).

The Mac EFI has to have the latest APFS firmware for booting 10.13.x until the software APFS driver takes over.
Logged
Rominator
Hero Member

Posts: 2343



« Reply #18 on: April 03, 2018, 04:02:35 AM »

So the only way to get the new firmware is to download the entire OS?

I ran the Combo and I'm still on 84.

Seems kinda silly, guess it isn't a life & death thing.
Logged

Before asking a question, check your "Personal Settings" and be sure that you have "Brain Services" set to "On".
lowrider
Sr. Member

Posts: 381


« Reply #19 on: April 03, 2018, 05:40:09 AM »

^^^^I downloaded the full Installer. Ran it just to install the FW update. I then used the Combo Updater to update from 10.13.3 to 10.13.4.

Lou
Logged
Spacedust
Sr. Member

Posts: 385


« Reply #20 on: April 03, 2018, 10:48:30 AM »

So the only way to get the new firmware is to download the entire OS?

I ran the Combo and I'm still on 84.

Seems kinda silly, guess it isn't a life & death thing.

I first updated to 10.13.4 with firmware 84. Then installed OS X 10.9.5 on a clean SSD and downloaded full 10.13.4 installer from AppStore and just updated the firmware to 85. Finally placed the original drive again and all works well with firmware 85.

CPU-Z now reports:  BIOS
Apple Inc. MP51.88Z.0085.B00.1802021746 (02/02/18)
Logged
Spacedust
Sr. Member

Posts: 385


« Reply #21 on: April 04, 2018, 06:30:00 PM »

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf

Nehalem EP, Nehalem WS and Westmere EP, WS now in production!

Now they just need to update this file: https://downloadcenter.intel.com/download/27591/Linux-Processor-Microcode-Data-File?product=873
Logged
Spacedust
Sr. Member

Posts: 385


« Reply #22 on: May 02, 2018, 04:34:19 PM »

Here it is: https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File?v=t

Sadly they've removed microcode.dat from the package. We need to create it on our own.

Update, no Westmere inside it:

Quote
== 20180425 Release ==
-- Updates upon 20180312 release --
Processor             Identifier     Version       Products
Model        Stepping F-MO-S/PI      Old->New
---- updated platforms ------------------------------------
GLK          B0       6-7a-1/01 0000001e->00000022 Pentium Silver N/J5xxx, Celeron N/J4xxx
---- removed platforms ------------------------------------
BDX-ML       B/M/R0   6-4f-1/ef 0b000021           Xeon E5/E7 v4; Core i7-69xx/68xx

-- Special release with caveats --
BDX-ML       B/M/R0   6-4f-1/ef           0b00002c Xeon E5/E7 v4; Core i7-69xx/68xx
« Last Edit: May 02, 2018, 11:26:42 PM by Spacedust » Logged
Spacedust
Sr. Member

Posts: 385


« Reply #23 on: July 25, 2018, 11:49:14 PM »

Finally Apple updated the microcode inside the 89 firmware in 10.13.6 and my old Mac Pro 2010 is now immune to Meltdown and Spectre under Windows 7 ;-)

For the first time it shut down when needed. No need to install Mavericks again.
« Last Edit: July 29, 2018, 12:02:31 AM by Spacedust » Logged
Spacedust
Sr. Member

Posts: 385


« Reply #24 on: August 12, 2018, 01:21:02 PM »

I've run the Linux checker and it shows the Mac Pro is still vulnerable to Spectre Variant 3a and 4, so Apple needs to update the microcode again!

Quote
[root@livedvd Desktop]# ./spectre-meltdown-checker.sh                       
Spectre and Meltdown mitigation detection tool v0.38+                       

Checking for vulnerabilities on current system
Kernel is Linux 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU           X5675  @ 3.07GHz                         

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)           
    * SPEC_CTRL MSR is available:  YES                     
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)                     
    * PRED_CMD MSR is available:  YES                             
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)             
    * SPEC_CTRL MSR is available:  YES                           
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)                         
    * CPU indicates SSBD capability:  NO                             
  * Enhanced IBRS (IBRS_ALL)                                         
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO         
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO     
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO                                                                             
  * CPU microcode is known to cause stability problems:  NO  (model 0x2c family 0x6 stepping 0x2 ucode 0x1e cpuid 0x206c2)                                     
* CPU vulnerability to the speculative execution attack variants               
  * Vulnerable to Variant 1:  YES                                               
  * Vulnerable to Variant 2:  YES                                               
  * Vulnerable to Variant 3:  YES                                               
  * Vulnerable to Variant 3a:  YES                                             
  * Vulnerable to Variant 4:  YES                                               

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: Load fences)
* Kernel has array_index_mask_nospec:  NO                                   
* Kernel has the Red Hat/Ubuntu patch:  YES                                 
* Kernel has mask_nospec64 (arm64):  NO                                     
> STATUS:  NOT VULNERABLE  (Mitigation: Load fences)                       

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full retpoline)
* Mitigation 1                                                                 
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    * Retpoline is enabled:  YES
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports PCID, performance impact of PTI will be reduced)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  NO
> STATUS:  VULNERABLE  (an up-to-date CPU microcode is needed to mitigate this vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports speculation store bypass:  YES  (spec_store_bypass)
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Logged
Spacedust
Sr. Member

Posts: 385


« Reply #25 on: August 15, 2018, 10:04:11 PM »

Another firmware update and it seems they've patched Spectre Variant 3a and 4:

Quote
Spectre and Meltdown mitigation detection tool v0.39+                       
                                                                                                                       
Checking for vulnerabilities on current system                                                                         
Kernel is Linux 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64                                       
CPU is Intel(R) Xeon(R) CPU           X5675  @ 3.07GHz                                                                   

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)           
    * SPEC_CTRL MSR is available:  YES                     
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)                                                                                   
    * PRED_CMD MSR is available:  YES                                                                                           
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)                                                             
  * Single Thread Indirect Branch Predictors (STIBP)                                                                           
    * SPEC_CTRL MSR is available:  YES                                                                                         
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)                                                           
  * Speculative Store Bypass Disable (SSBD)                                                                                     
    * CPU indicates SSBD capability:  YES  (Intel SSBD)                                                                         
  * Enhanced IBRS (IBRS_ALL)                                                                                                   
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO                                                                     
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO                                                                 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 0x2c family 0x6 stepping 0x2 ucode 0x1f cpuid 0x206c2)
  * CPU microcode is the latest known available version:  YES  (you have version 0x1f and latest known version is 0x1f)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES
  * Vulnerable to Variant 3a:  YES
  * Vulnerable to Variant 4:  YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: Load fences)
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  YES
* Kernel has mask_nospec64 (arm64):  NO
> STATUS:  NOT VULNERABLE  (Mitigation: Load fences)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  NO
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    * Retpoline is enabled:  YES
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports PCID, performance impact of PTI will be reduced)
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability:  YES
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl)
* Kernel supports speculation store bypass:  YES  (spec_store_bypass)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl)

CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
> STATUS:  VULNERABLE  (your CPU is known to be vulnerable, and your kernel doesn't report that it mitigates the issue, but more thorough mitigation checking by this script is being worked on (check often for new versions!))

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer
Logged
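
The two checker runs in replies #24 and #25 can be compared mechanically rather than by eye. The following is an added example, not part of the original thread or of spectre-meltdown-checker: `parse_run` and `diff_runs` are hypothetical helper names, and the inputs are abbreviated excerpts of the output posted above.

```python
import re

# Abbreviated excerpts of the checker runs posted in replies #24 and #25.
RUN_BEFORE = """\
  * CPU microcode is known to cause stability problems:  NO  (model 0x2c family 0x6 stepping 0x2 ucode 0x1e cpuid 0x206c2)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
> STATUS:  VULNERABLE
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
> STATUS:  VULNERABLE  (Your CPU doesn't support SSBD)
"""
RUN_AFTER = """\
  * CPU microcode is known to cause stability problems:  NO  (model 0x2c family 0x6 stepping 0x2 ucode 0x1f cpuid 0x206c2)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl)
CVE-2018-3615/3620/3646 [L1 terminal fault] aka 'Foreshadow & Foreshadow-NG'
> STATUS:  VULNERABLE
"""

UCODE_RE = re.compile(r"\bucode (0x[0-9a-f]+)")
CVE_RE = re.compile(r"^(CVE-\d{4}-[\d/]+)\s+\[")
STATUS_RE = re.compile(r"^> STATUS:\s+(NOT VULNERABLE|VULNERABLE|UNKNOWN)\b")

def parse_run(text):
    """Return (microcode revision, {CVE id: status}) for one checker run."""
    ucode, statuses, current = None, {}, None
    for line in text.splitlines():
        if (m := UCODE_RE.search(line)) and ucode is None:
            ucode = int(m.group(1), 16)
        elif m := CVE_RE.match(line):
            current = m.group(1)  # section header; its STATUS line follows
        elif (m := STATUS_RE.match(line)) and current:
            statuses[current] = m.group(1)
            current = None
    return ucode, statuses

def diff_runs(before, after):
    """Return ((old ucode, new ucode), {CVE: (old, new)}) for CVEs whose status changed."""
    (u0, s0), (u1, s1) = parse_run(before), parse_run(after)
    pairs = {c: (s0.get(c, "NOT CHECKED"), s1.get(c, "NOT CHECKED")) for c in set(s0) | set(s1)}
    return (u0, u1), {c: p for c, p in pairs.items() if p[0] != p[1]}

if __name__ == "__main__":
    print(diff_runs(RUN_BEFORE, RUN_AFTER))
```

A CVE reported as `NOT CHECKED` in the older run means that run's output had no section for it, so a new VULNERABLE entry there reflects added checker coverage rather than a regression from the firmware update.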
Spacedust
Sr. Member

Posts: 385


« Reply #26 on: August 15, 2018, 10:35:02 PM »

Another amazing find! This new firmware fixes a bug causing all MVC flashed cards from Maxwell and Pascal series to stay on PCIe 1.1 when resuming from standby under Windows. It only worked on clean boot before, now I've resumed from standby on my Windows 7 and it remained on PCIe 2.0 :D
Logged
netkas
Administrator
Hero Member

Posts: 827



« Reply #27 on: August 16, 2018, 09:46:28 AM »

Hope they don't block unsigned fw upgrades like it's on modern Macs.
Logged
Spacedust
Sr. Member

Posts: 385


« Reply #28 on: August 16, 2018, 12:02:59 PM »

Probably they will, it's some sort of security measure.
Logged