In the meantime I've decided to go in the following direction: 1. install intel microcode onto my ubuntu box the result is: x220$ $ dmesg | grep microcode [ 0.000000] microcode: microcode updated early to revision 0x2d, date = 2018-02-07 [ 0.881361] microcode: sig=0x206a7, pf=0x10, revision=0x2d [ 0.881406] microcode: Microcode Update Driver: v2.2.
this version is exactly the same as the newest one from CPU microcodes. 2. shrink my current version of me.bin (year 2011) to 80kb + set disable bit. There are newer me.bin, but I've decided not to use them. 3. update coreboot git repo and build it. I experience some slight problem with it, but this does not affect qhestion from this thread, tus I'll open a new one. thank You for the help regards, On Thu, Apr 26, 2018 at 12:17 PM, diffusae via coreboot < coreboot@coreboot.org> wrote: > Hi! > > On 24.04.2018 21:27, Mat wrote: > > > I'd like to have system updated against spectre, and other possible > vulnerabilities as much as possible. > > With the retpoline option in the Linux kernel, it should be usually safe > (see attachment). > > "IBPB is considered as a good addition to retpoline for Variant 2 > mitigation, but your CPU microcode doesn't support it" > > > 1. If I neutralize me.bin, then maybe updating it does not make sense? > > Otherwise, maybe I could use MEanalyzer + its database to get newest > ME, then neutralize it? > > Maybe not, don't think that there is a new ME version availabe? Wasn't > it version 9? > > > place where fixes are possible to appear is CPU microcode? > > See above. Did you found the matching microcode? > > > 3. flashdescriptor.bin - can it contain vulnerabilities? If yes, where > to get it from? > > I guess, that's only possible, if you fetch it from the flashed vendor > bios. > > > 4. gbe.bin - the same questions here. > > Isn't that the firmware of the gigabit ethernet card? I think so. > > Regards, > Reiner > > -- > > -- > coreboot mailing list: coreboot@coreboot.org > https://mail.coreboot.org/mailman/listinfo/coreboot >
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot